ISASecure Device Test Development and Execution

Presentation transcript:

1 ISASecure Device Test Development and Execution
Diagram labels: ISA99 Standards Committee; Other Standards Organizations; Marketplace Donors; ISA Security Compliance Institute; Test Execution; ISA99 Security Standards; Other Standards, Regulations; Market Donated IP; Feedback on Gaps and Clarifications from Test Development and Execution (missing requirements); ISASecure Test Specifications and Profiles; Feedback to ISA Security Compliance Institute; ISASecure Compliant Products; Feedback to Supplier; Supplier Enhances Products/Systems; Pass; Fail (See details)

2 ISASecure Device Conformance Test Development Path
Diagram labels:
Standards Organizations: ISA99 Standards; ISA100 Standards; IEC Standards; DHS Requirements; NERC Standards; FERC Standards; Other
ISA Security Compliance Institute: ISASecure Conformance Requirements; ISASecure Test Kit Specification (includes test plan); ISASecure Test Kit (Test cases, procedures, tools)
Testing Profiles (shown for each of the three items above): Device; System; Device & System
Side labels: WHAT; HOW with tools and procedures defined; Tools and procedures

3 ISASecure Harmonizing Market Supplied (Donated) IAC Security Conformance Requirements
ISCI TSC issues a public call for input on ISASecure conformance requirements (example: network attacks).
Donated conformance requirements are entered into a spreadsheet to identify duplications and gaps for analysis by TSC.
TSC reviews conformance requirements and gains consensus on requirements to include in ISASecure through a vetting process (2/3 majority).
Formally approved conformance requirements from TSC are sent to Governing Board for formal approval based on 2/3 majority of ALL voting Board Members.
Donated conformance requirements are evaluated for quality, format, completeness. Reject poorly constructed/unusable requirements.
The harmonization process should follow the Conformance Test Development path with the benefit that specific work products should already exist as part of the donated IP; specifically the Conformance Requirements Document and the corresponding Test Kit.
TSC evaluates test kits against conformance requirements for approval as ISASecure test vendor. Forwards recommendation to Governing Board.
Test vendors update tests based on approved conformance requirements.
Approved conformance requirements submitted to ISA SP99 for consideration in standard.
Governing Board votes to approve test vendor for ISASecure (2/3 majority of all board members).

4 ISASecure Harmonizing Market Supplied IAC Security Test Specifications
Diagram labels:
Donor Organizations (For Example Network Attack Testing): Mu Security; Wurldtech; Codenomicon; Other
ISA Security Compliance Institute: ISASecure Conformance Requirements; ISASecure Test Kit Specification (includes test plan); ISASecure Test Kit (Test cases, procedures, tools)
Testing Profiles (shown for each of the three items above): Device; System; Device & System
Side labels: WHAT; HOW with tools and procedures defined; Tools and procedures
Evaluate whether the donated specifications include well-written Conformance Requirements (the ‘how’), Test Kit Specification and the Test Kit.

5 ISASecure Logo Considerations
What does compliance mean?
  – Compliance by testing?
  – Compliance by verifiable/auditable process?
  – Other forms of compliance
Do we start with one with intent to evolve to something else?

6 ISASecure Compliance by Testing
Compliance Testing Approach
  – Works well for standard protocols: Fieldbus, OPC, TCP/IP
  – Can work for devices. Network connected only? What about proprietary protocols?
  – What about open systems nodes?
  – What about systems?

7 ISASecure Compliance by Testing
Open systems node compliance
  – Testing for OS configuration
  – Testing for enabled services. What about systems that leverage additional services?
  – Testing OS security configuration
  – For Windows Systems: Compliance to Windows LOGO?
  – Which LOGO Standard?
  – Does this mean using VeriTest?

8 ISASecure Compliance by Testing
System Compliance
  – Network Infrastructure: firewalls, routers, switches
  – Compartmentalization
  – Least privilege security configuration
  – Transferred risks
  – Role based security configurations
  – Application level security
  – …

9 ISASecure Conformance Testing Challenges
Approximately 50% of security issues are code bugs.
Compliance testing will uncover a majority of those bugs, but not all
  – Will also only find ones in 1st layer code, not multiple layers down
Testing catches problems too late in the lifecycle
  – OK to start there but should drive behavioral change

10 ISASecure Conformance Requirements
An additional area that causes security vulnerabilities is deployment errors
  – 30-40% of security compromises
Difficult to test deployment
Better to define deployment process and validate

11 ISASecure Conformance Requirements
Process driven conformance
  – Similar to DO-178B for avionics products
Process conformance requirements
External audits for process conformance
  – IEC and also contain process conformance

12 ISASecure Conformance by process
Conformance to Security standards
  – ISA SP99, others
Conformance for Security Assurance Levels
  – More objectives for higher assurance levels: DO-178B like
  – More objectives requiring independence: DO-178B like
Vendors must prove through evidence that required objectives have been met.