Safety vs. Security: What s One Without the Other?
|
|
- Jonathan Gaines
- 7 years ago
- Views:
Transcription
1 Safety vs. Security: What s One Without the Other? Executive Summary Safety systems in the industrial environment have evolved over the years to become increasingly complex and are relied upon to function to a level of adequacy to protect employees, production, and the environment surrounding a particula r facility. The investment in these systems is great, but the ramifications of their malfunction are even greater. The media has made it even easier for us to understand the impact of safety on companies and on their surrounding communities, and with incidents such as those that transpired in Texas City with a BP refinery explosion, and with the Bhopal disaster, involving a chemical leak, the potential impact of our operations has become greater than ever before. The evolution of safety systems is largely accredited to our ability to connect our systems and to automate notifications and alarm in the event of a safety breach. Safety systems have now become automated, more sophisticated, and since being connected by networks, for example being TCP/IP routable, they have also become more vulnerable to security infringements. At the same time, connecting our systems has allowed them to become more efficient, and to become a more dependable, de facto component of a facility s infrastructure. Increasing regulations and standards are a direct result of the importance being placed on safety systems, not just as a reactive alert system to crisis, but as a more proactive and predictive way of avoiding disastrous situations. Much like our telephone and internet connections, our safety systems have become something we expect to function correctly, and something that we rely on to alert us if the need arises. We cannot expect to become mindful that these systems may not be functioning correctly thanks to security issues.
2 Safety vs. Security: What s One Without the Other? 2 Table of Contents Executive Summary... 1 Why does security matter?... 4 How do we ensure our safety systems are secure... 4 System Architecture... 4 Connectivity Infrastructure... 4 Security Management... 5 Managing a Security Program... 7 Conclusion... 8
3 Safety vs. Security: What s One Without the Other? 3 Table of Figures Figure 1: Security Vulnerability Assessment...6 Figure 2: Secure Process Environment (SPE) Design...7
4 Safety vs. Security: What s One Without the Other? 4 Why does security matter? Security has moved from being a general topic of interest within the financial sector and the governmental departments, to an increasing concern within the industrial community. With the emergence of security recommendations and regulatory compliance requirements throughout different industries, people are wondering what events have sparked such an interest in security. Fai ling to maintain a particular level of security can create easy targets for a range of intentions, anywhere from international terrorism to a disgruntled former employee who wants to capitalize on access to information. Security of information is no longer the only concern security of data within an organization is now under just as much scrutiny. Studies have shown that data volumes are doubling every 18 months, and according to a study conducted by Deloitte, the averag e total cost associated with a data security breach can be anywhere from $225,000 to $35 million per reporting. Over half of the security breaches that occur, whether intentional or unintentional, result from the mishandling of sensitive business data to the wrong people, from within the organization itself. How do we ensure our safety systems are secure? Due to the connectivity of data sources to our safety systems, there are three major areas we need to focus on to ensure that our safety systems are fully secure, from all significant points of vulnerability. These three areas include your system architecture, your connectivity infrastructure, and your security management. It all comes down to ensuring that systems are plugged in together with the correct architecture, and that you have the right tools for the job both to set up your security systems, as well as to maintain them. System Architecture One of the first things to do is to find out if your system architecture itself is secure. To do this, an initial assessment would be a useful tool to figure out how your assets are configured, and how they interact with each other. This will make it easier to identify vulnerabilities and to prioritize your assets in order of criticality. If there is a security program in place, does it inclu de all of the appropriate assets and are best practices in play? Furthermore, process control environments use incredibly complex networks that are often undocumented or only partially documented. These networks have evolved over time through varied technologies and hardware as a result of multiple disparate networks being migrated into a single collection of networks, with unstructured IP addressing schemes, overlapping IP subne ts, varied cabling infrastructures and diverse operating system packages. Connectivity Infrastructure Moreover, critical infrastructures depend on control systems for their operation. Cyberspace is considered the nervous system of today s critical infrastructure, and it has become increasingly important for the process industry to address the possibi lities of growing internet threats, cyber attacks and regulatory compliance. In contrast with physical attacks, cyber attacks are not e asily identified, and may go unnoticed for long periods of time. However, the resources and tools for cyber attacks are b ecoming more commonplace and readily available. Companies have internet connections to the control systems to enable management, engineering, and others to monitor processes and progress. Vulnerability to the intrusions and attacks has increased with acc ess to the control systems through the internet. As a result, solutions such as network lockdowns are implemented to address those threats. Unfortunately, this knee-jerk reaction often conflicts with the legitimate need for access to plant data for day-to-day business decisions.
5 Safety vs. Security: What s One Without the Other? 5 A Security Vulnerability Assessment will reveal any vulnerability or weakness in your network, server and desktop infrastructure. The assessment will also establish the current state of your network infrastructure and form the foundation for the development of regulatory compliance or security/reliability and safety programs. A security vulnerability assessment is a highly detailed network audit that can be performed from a high level overview to the most in depth level of investigation and can act as a guideline to improving control of security and usage policies. Security Management When asked about cyber security, most people will think about technology such as firewalls and antivirus. Security technology is usually the primary area of money and time. But it is even more important to consider the people that use/manage the systems, and the processes that they use. It is in governance and operations that excellence is achieved. It is entirely possible to h ave the most technically secure safety system, but if the people do not participate or support the security processes it is useless. Think of security as a 3 leg table where all are required to prevent it from falling down. A security vulnerability assessmen t should approach security with these 3 distinct pillars: people, processes, and technology. This comprehensive approach delivers a thorough assessment of your initiatives including policy review, training programs and technological and physical concerns. People: In the context of security it refers to the employees, contractors and any visitor to the organization. In order for a security program to be successful, it is necessary for the participants and stakeholders to have the necessary awareness, training, documentation and roles. Everyone needs to understand appropriate system use and why it is important, and technical people also need to know how to identify and address security risks. It is recommended from an organizational perspective to have a dedicated security group with the authority and executive support to enforce security violations. But, it is more important to have a security awareness program for employees to share the importance of security and how they can participate. If organizations do not focus on their people, security policies will not be followed, staff will not understand security issues, and technical staff will not manage systems effectively. Process: When discussed in the context of security, process refers to the policies, procedures and actionplans. Regardless how hard you try, there will always be residual security risks and potential incidents. The measure of your preparedness and of the validity of your security program will determine how well you contain the incident and how quickly you recover from it. It is necessary to have documents in place like an appropriate use policy backup policy, and wireless policy to define how company assets should be used and deployed. Policies determine the rules of using a system; define procedural countermeasures for potential security risks, and any best practices. Procedures are step-by-step instructions on how to perform or execute a plan without being the expert on the system. Both policies and procedures are required for a good security program. Processes or procedures are also vital in outlining the overall security mentality and approach your organization wishes to implement. As your business evolves, so too will your environment. By having clearly defined expectations of future programs and applications you can evolve your business while maintaining the highest possible level of security. Technology: is the foundation for security and it is necessary to have the right systems installed. Companies should ensure they have good firewalls, antivirus, patch management, tape backup, remote access, authentication and physical security in place. Finally, a security vulnerability assessment should be scalable to meet specific organization requirements and should include, but not be limited to: ongoing policy reviews, exhaustive system by system site audits, frontend engineering and technical implementation, refer to figure 1.
6 Safety vs. Security: What s One Without the Other? 6 Figure 1: Security Vulnerability Assessment With the integration of process control systems, and particularly, our safety systems, we also need to examine the way in which data is transferred and shared. What tools are we using to connect our systems and how is the data being pulled and combined with other sources? Certification programs, such as the Achilles Certification by Wurldtech, work with compliance organizations and standards bodies to create certification programs that encompass the necessary security requirements for all software, includ ing OPC software used to create interoperability among systems. It is important to ensure that every step of your process is secure, starting with the data that feeds the rest of your business. If your data itself is not secure, this will have a domino effec t on the rest of the process from that point onward. A Secure Process Environment (SPE) design creates a layered network that segregates all process equipment from the Business LAN, creating a network that is dedicated to Process Equipment, while allowing the movement of data that is necessary for business decision making. The design incorporates a method of rejecting all communications from the Business LAN to the Process LAN, but still allows the movement of data to exist. Problems such as Software Virus, Trojan Horses and Worms are controlled without the requirement of loading antivirus software on process systems. This provides antivirus protection for those industrial systems that are not certified for running with antivirus software. This design also removes the requirement of ensuring all systems are loaded with Security patches to remo ve vulnerabilities to attack. As always it is still recommended to load all service packs and Security patches on all systems as required but the p roblems associated with not doing so is reduced significantly. The loading of Security and Service packs on p rocess systems is often not a Process Engineers primary concern and these patches are often left till all other tasks are completed. A Security Controlled Network layer, the Process DMZ LAN, is constructed between the Business LAN and the new Process LAN. This network provides an area for security control. Both the Business LAN and the Process LAN are able to communicate with systems on the Process DMZ LAN. This design provides a security focus in a small and limited area of the networks, reducing administration costs. All security programming on the Firewall and the process LAN Router is now focused only on rejecting or authorizing communications to the Process DMZ LAN and not to Process equipment. The security focus is now directed to a limited number of s ervers and not to all equipment on the Process LAN. ication/achilles-certif ication.aspx
7 Safety vs. Security: What s One Without the Other? 7 Figure 2: Secure Process Environment (SPE) Design Managing a Security Program Once all of the security systems are in place, the next step is to determine how your security levels will be maintained. Security threats and vulnerabilities change daily, with the introduction of new worms and viruses, change in staff, etc. and it is cri tical to have a program in place that will manage your security and ensure that it remains relevant. The only way to create a solution to this problem is to look at a system that automates the security program, by way of any relevant compliance initiative or maintenan ce of any particular normal state. There are many benefits to creating an automated security management system. In terms of efficiency, the ability to orchestrate workflow and automate systems into real-time deliverables allows companies to manage their security program on an on-going basis as opposed to ensure the reliability of safety systems. On-going programs are much more secure as well. For example, if you are not using a real-time system with automatic updates the only source of information (and frequency) would be for local staff to look at the data, sort through all of the documentation, realize that there is a security problem, and then begin to address it. By this time, there is already a risk to your network, your critical assets a nd your safety systems. By moving to a real-time automated system, you can be alerted when there is a change to your protected systems and supporting systems that is misaligned with your normal expectations and then generate work processes to update and re-align your compliance program.
8 Safety vs. Security: What s One Without the Other? 8 Conclusion The overall impact of implementing a comprehensive security program in the process control environment is far reaching, and typically includes: Improving employee safety, satisfaction and morale Reducing loss of production and revenue from intrusion incidents Improving data integrity, resulting in correct operator actions Preventing unauthorized disclosure of information Preventing unauthorized denial of services Preventing regulatory fines on environmental information not being recorded and within limits Preventing loss of major tangible assets or resources Improving public opinion and investor support Protecting intellectual property and trade secrets Preventing harm to the organization s mission, reputation or interest By understanding the complexity and breadth of an effective security program in the process control environment, we can see the direct correlation between security and its role in the maintenance of appropriate safety levels. The volume of information that is moving around a facility at any given time makes it imperative that security controls are put in place and maintained. Furthermore, the traditional focus of variety of process industries has been safety and productivity. However, recent threats to North Ame rican critical infrastructure have prompted a tightening of security measures across the different industry sectors. Reducing control system vulnerabilities against physical and cyber attack is necessary to ensure the safety, reliability, integrity and availa bility of these systems. For more information: For more information about Industrial Cyber Security, visit our website or contact your Honeywell account manager. security@matrikon.com Honeywell Process Solutions 1250 West Sam Houston Parkway South Houston, TX Lovelace Road, Southern Industrial Estate Bracknell, Berkshire, England RG12 8WD Shanghai City Centre, 100 Junyi Road Shanghai, China WP 813 August Honeywell Internati onal Inc.
Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk
Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Cyber Security Risk With Today s Cyber Threats, How Secure is Your Control System? Today, industrial organizations are faced
More informationIndustrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk
Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Industrial Cyber Security Risk Industrial Attacks Continue to Increase in Frequency & Sophistication Today, industrial organizations
More informationLifecycle Solutions & Services. Managed Industrial Cyber Security Services
Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements
More informationProcess Solutions. Staying Ahead of Today s Cyber Threats. White Paper
Process Solutions White Paper Staying Ahead of Today s Cyber Threats Executive Summary In an age where ubiquitous flash drives can become precision-guided munitions and a serious security breach is a single,
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationImplementing Decision-Support Portals based on Data Visualization Best Practices
Implementing Decision-Support Portals based on Data Visualization Best Practices Valuable information is hidden in the vast amounts of data being collected at today s process industry facilities. Finding
More informationCollaborative Production Management in the Process Industries: From KPIs to Workflows
Collaborative Production Management in the Process Industries: From KPIs to Workflows The Call to Action We need to make better use of data We need easier access to the data We need to get the right data
More informationMaximize Production Efficiency through Downtime and Production Reporting Solution
Maximize Production Efficiency through Downtime and Production Reporting Solution In today s competitive market, every mineral processing facility is striving to operate their plant assets at a maximum
More informationSecurity in the smart grid
Security in the smart grid Security in the smart grid It s hard to avoid news reports about the smart grid, and one of the media s favorite topics is security, cyber security in particular. It s understandable
More informationVerve Security Center
Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution
More informationIndustrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities
Industrial Cyber Security Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities WE HEAR ABOUT CYBER INCIDENTS EVERY DAY IN THE NEWS, BUT JUST HOW RELEVANT ARE THESE
More informationCyber Security in Manufacturing & Production
Cyber Security in Manufacturing & Production Cyber Security in Manufacturing & Production In today's competitive market, manufacturing and production facilities must improve the timeliness and effectiveness
More informationWhite Paper. April 2006. Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks
White Paper April 2006 Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks According to a recent Harris Interactive survey, the country s leading business executives consider
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationDelivering operations integrity through better plant safety, availability and compliance across your entire enterprise
Product Information Note DynAMo Alarm & Operations Management Delivering operations integrity through better plant safety, availability and compliance across your entire enterprise Control Magazine Readers
More informationHoneywell HPS Virtualization FAQ
Honeywell HPS Virtualization FAQ Frequently Asked Questions What are the benefits of virtualization? In Honeywell we talk about the following benefits of Virtualization, Lower the quantity of PC hardware
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationAlarm Management What, Why, Who and How?
Alarm Management What, Why, Who and How? Executive Summary The introduction of the DCS has made it possible to create alarms more easily and at a lower cost. Although software alarms are convenient, the
More informationProcess Solutions. DynAMo Alarm & Operations Management. Solution Note
Process Solutions Solution Note DynAMo Alarm & Operations Management Delivering operations integrity through better plant safety, availability and compliance across your entire enterprise Control Magazine
More informationInjazat s Managed Services Portfolio
Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.
More informationIndustrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3
More informationWhite Paper. Five Steps to Firewall Planning and Design
Five Steps to Firewall Planning and Design 1 Table of Contents Executive Summary... 3 Introduction... 3 Firewall Planning and Design Processes... 3 Step 1. Identify Security Requirements for Your Organization...
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationManagement of Change: Addressing Today s Challenge on Documenting the Changes
White Paper Management of Change: Addressing Today s Challenge on Documenting the Changes Executive Summary Our industry is facing the challenge of ever increasing system complexity with large systems
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationRemote Services. Managing Open Systems with Remote Services
Remote Services Managing Open Systems with Remote Services Reduce costs and mitigate risk with secure remote services As control systems move from proprietary technology to open systems, there is greater
More informationManaged Security Services for Data
A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationBUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports
BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports Building a Security Operation Center Agenda: Auditing Your Network Environment Selecting Effective Security
More informationInformation Security: A Perspective for Higher Education
Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose
More informationManaging internet security
Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further
More informationApproved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2
Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls
More informationInformation Technology General Controls And Best Practices
Paul M. Perry, FHFMA, CITP, CPA Alabama CyberNow Conference April 5, 2016 Information Technology General Controls And Best Practices 1. IT General Controls - Why? 2. IT General Control Objectives 3. Documentation
More informationAre you prepared to be next? Invensys Cyber Security
Defense In Depth Are you prepared to be next? Invensys Cyber Security Sven Grone Critical Controls Solutions Consultant Presenting on behalf of Glen Bounds Global Modernization Consultant Agenda Cyber
More informationProtect the data that drives our customers business. Data Security. Imperva s mission is simple:
The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationAudit Capabilities: Beyond the Checklist. Niall Haddow, Business Leader Philip Young, Sr. IT Auditor Professional Strategies - Session S32
Audit Capabilities: Beyond the Checklist Niall Haddow, Business Leader Philip Young, Sr. IT Auditor Professional Strategies - Session S32 Agenda Beyond the Checklist Visa Overview Visa Internal Audit Overview
More informationINFORMATION S ECURI T Y
INFORMATION S ECURI T Y T U R N KEY IN FORM ATION SECU RITY SO L U TION S A G L O B A L R I S K M A N A G E M E N T C O M P A N Y PRESENCE PROWESS PARTNERSHIP PERFORMANCE Effective IT security requires
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationInnovative Defense Strategies for Securing SCADA & Control Systems
1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationProduction Optimization through Advanced Condition Monitoring of Upstream Oil and Gas Assets
Production Optimization through Advanced Condition Monitoring of Upstream Oil and Gas Assets On and offshore development projects are extremely capital-intensive investments for any oil and gas organization.
More informationEndpoint Security More secure. Less complex. Less costs... More control.
Endpoint Security More secure. Less complex. Less costs... More control. Symantec Endpoint Security Today s complex threat landscape constantly shifts and changes to accomplish its ultimate goal to reap
More informationTaking a Proactive Approach to Patch Management. B e s t P r a c t i c e s G u i d e
B e s t P r a c t i c e s G u i d e It s a fact of business today: because of the economy, most organizations are asking everyone, including the IT staff, to do more with less. But tight budgets and the
More informationAre You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK
Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK Are You Ready? For nearly four years, official HIPAA compliance audits have been on hold. The Department of Human Services (HHS)
More information2 0 1 4 F G F O A A N N U A L C O N F E R E N C E
I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,
More informationIs Penetration Testing recommended for Industrial Control Systems?
Is Penetration Testing recommended for Industrial Control Systems? By Ngai Chee Ban, CISSP, Honeywell Process Solutions, Asia Pacific Cyber Security Assessment for Industrial Automation Conducting a cyber-security
More informationSmall Business Protection Guide. Don t Leave Your Business at Risk Protect it Completely
Small Business Protection Guide Don t Leave Your Business at Risk Protect it Completely Changing risks, rising costs Information is fundamental to your business: You and your employees constantly exchange,
More informationDefense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks
Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationSafeguarding Company IT Assets through Vulnerability Management
A Guidance Consulting White Paper P.O. Box 3322 Suwanee, GA 30024 678-528-2681 http://www.guidance-consulting.com Safeguarding Company IT Assets through Vulnerability Management By Guidance Consulting,
More informationApplication Whitelisting
White Paper Application Whitelisting Executive Summary The increasing complexity and volume of applications, and the issues stemming from threats to these applications, is resulting in the requirement
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationAUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationHelping Corporations Defend Enterprise Attacks through Security Awareness & Desktop Security
Helping Corporations Defend Enterprise Attacks through Security Awareness & Desktop Security The Problem Statement Increasing incidents of crime & attacks (including cyber) with Potential to cause severe
More informationMobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall
Mobile security and your EMR Presented by: Shawn Tester & Allen Cornwall Date: October 14, 2011 Overview General Security Challenges & best practices Mobile EMR interfaces - EMR Access - Today & Future
More informationIT INFRASTRUCTURE MANAGEMENT SERVICE ADDING POWER TO YOUR NETWORKS
IT INFRASTRUCTURE MANAGEMENT SERVICE ADDING POWER TO YOUR NETWORKS IT INFRASTRUCTURE MANAGEMENT SERVICES Nortech Remote management IT security Services provide around clock remote Management, real time
More informationG DATA TechPaper #0275. G DATA Network Monitoring
G DATA TechPaper #0275 G DATA Network Monitoring G DATA Software AG Application Development May 2016 Contents Introduction... 3 1. The benefits of network monitoring... 3 1.1. Availability... 3 1.2. Migration
More informationStay ahead of insiderthreats with predictive,intelligent security
Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationFundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals
Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
More informationState of Security Survey GLOBAL FINDINGS
2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationBest Practices for DanPac Express Cyber Security
March 2015 - Page 1 Best Practices for This whitepaper describes best practices that will help you maintain a cyber-secure DanPac Express system. www.daniel.com March 2015 - Page 2 Table of Content 1 Introduction
More informationInformation Security Policy
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
More informationManaging business risk
Managing business risk What senior managers need to know about business continuity bell.ca/businesscontinuity Information and Communications Technology (ICT) has become more vital than ever to the success
More informationDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solution September 2009 / White paper by Dan DesRuisseaux 1 Contents Executive Summary... p 3 Introduction... p 4 Security Guidelines... p 7 Conclusion...
More informationInternet Safety and Security: Strategies for Building an Internet Safety Wall
Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet
More informationThe Four-Step Guide to Understanding Cyber Risk
Lifecycle Solutions & Services The Four-Step Guide to Understanding Cyber Risk Identifying Cyber Risks and Addressing the Cyber Security Gap TABLE OF CONTENTS Introduction: A Real Danger It is estimated
More informationEffective Use of Assessments for Cyber Security Risk Mitigation
White Paper Effective Use of Assessments for Cyber Security Risk Mitigation Executive Summary Managing risk related to cyber security vulnerabilities is a requirement for today s modern systems that use
More informationOCR LEVEL 3 CAMBRIDGE TECHNICAL
Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY
More information1.1.1 Introduction to Cloud Computing
1 CHAPTER 1 INTRODUCTION 1.1 CLOUD COMPUTING 1.1.1 Introduction to Cloud Computing Computing as a service has seen a phenomenal growth in recent years. The primary motivation for this growth has been the
More informationPerformance Evaluation of Intrusion Detection Systems
Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection
More informationAdvanced Solutions. Uniformance Suite. Real-time Digital Intelligence Through Unified Data, Analytics and Visualization
Advanced Solutions Uniformance Suite Real-time Digital Intelligence Through Unified Data, Analytics and Visualization What is Uniformance? Honeywell s Uniformance Suite provides real-time digital intelligence
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationISACA Kampala Chapter Feb 2011. Bernard Wanyama Syntech Associates Limited
ISACA Kampala Chapter Feb 2011 Bernard Wanyama Syntech Associates Limited Agenda 1. ERP: What is it? 2. ERP: Examples 3. Security: Definitions, Triads & Frameworks 4. Security: Control Framework 5. Traditional
More informationDoes it state the management commitment and set out the organizational approach to managing information security?
Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationProcess Solutions. Uniformance Process History Database (PHD) Product Information Note
Process Solutions Product Information Note Uniformance Process History Database (PHD) Uniformance PHD enables you to make sense of all the data in your plant to help you make the right decision and optimize
More informationSecurity Basics: A Whitepaper
Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview
More informationi-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors
March 25-27, 2014 Steven A. Kunsman i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors ABB Inc. March 26, 2015 Slide 1 Cyber Security for Substation
More informationMOST FRAUD CASES INVOLVE SENIOR MANAGEMENT. HOW TO PREVENT THEM FROM MISUSING THEIR POWER?
1 www.e-safecompliance.com MOST FRAUD CASES INVOLVE SENIOR MANAGEMENT. HOW TO PREVENT THEM FROM MISUSING THEIR POWER? Based on Gartner Worldwide spending on information security will reach $71.1 billion
More informationNetwork Security Administrator
Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationCYBER SECURITY, A GROWING CIO PRIORITY
www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationNetwork System Design Lesson Objectives
Network System Design Lesson Unit 1: INTRODUCTION TO NETWORK DESIGN Assignment Customer Needs and Goals Identify the purpose and parts of a good customer needs report. Gather information to identify network
More informationCapabilities for Cybersecurity Resilience
Capabilities for Cybersecurity Resilience In the Homeland Security Enterprise May 2012 DHS Cybersecurity Strategy A cyberspace that: Is Secure and Resilient Enables Innovation Protects Public Advances
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationCisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media
January 2012 Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 All contents are Copyright 1992 2012 Cisco Systems, Inc. All rights reserved. This document
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationPlanning Your Safety Instrumented System
Planning Your Safety Instrumented System Executive Summary Industrial processes today involve innate risks due to the presence of gases, chemicals and other dangerous materials. Each year catastrophes
More information