April 15, Re: Docket Number USCG Dear Captain Tucci,
April 15, 2015

Captain Andrew Tucci
Chief, Office of Port & Facility Compliance, U.S. Coast Guard
U.S. Department of Transportation, West Building Ground Floor, Room W12-140
1200 New Jersey Avenue SE
Washington, DC

Re: Docket Number USCG

Dear Captain Tucci,

Thank you for the opportunity to submit comments pertaining to cybersecurity as the U.S. Coast Guard develops relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.

The American Association of Port Authorities (AAPA) is the unified and collective voice of the seaport industry in the Americas. AAPA empowers port authorities, maritime industry partners and service providers to serve their global customers and create economic and social value for their communities. Our activities, resources and partnerships connect, inform and unify seaport leaders and maritime professionals in all segments of the industry who deliver prosperity around the western hemisphere. Safety and security are a key priority of our member ports. These comments are on behalf of our U.S. members.

As an industry, we have concerns about how a cybersecurity policy would be implemented by the U.S. Coast Guard. Ports are unique entities that have differing governing structures as well as different business models, which change often. It has been said about ports that if you have been to one port, you have been to one port. We also have concerns about whether the Coast Guard has the needed resources, both technical expertise and funding, to oversee a cybersecurity policy. Many of our ports are landlords, meaning they lease space to terminal operators who in turn conduct the business that moves through the ports. We have ports that are operated by state authorities, operating ports that are a part of larger state and regional government infrastructure; we have small, large and medium ports as well as ports that specialize in container, energy, break bulk and roll-on/roll-off cargo.
At our core, ports are facilitators of partnerships that further the global, regional and national economies. At any one time our ports will be accessed by vessel, truck and rail lines, creating a complex, yet efficient center of economic activity. Ports are living and evolving entities that directly reflect the economic health of our nation. It is vital that our ports continue to have the flexibility and fluidity to meet the changing global trading trends and dynamics, while ensuring that our communities and commerce remain safe and secure. The port industry has followed the Executive Order, Improving Critical Infrastructure Cybersecurity, since it was released in February 2013; it calls for the voluntary cybersecurity framework. We have also tracked and commented on the February 2014 release of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (NIST).
AAPA Comments on Coast Guard Docket No. USCG

As the Coast Guard seeks to develop best practices and guidance for a maritime cyber security policy, we believe it is important to keep in mind the following description from the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology:

"The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks (different threats, different vulnerabilities, different risk tolerances), and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks."

If the Coast Guard decides to require protection of cyber assets in a facility security plan, it should adopt a flexible, performance-based system like the Maritime Transportation Security Act (MTSA) and SAFE Port Act regulations. It should also be risk based. A cyber threat that interferes with the delivery of bulk commodities should be addressed differently than an incident that relates to the movement of a container. The Coast Guard should determine what risks warrant reporting and what do not when it clarifies what a transportation security incident is.

Additionally, if the Coast Guard requires maritime security plans to have a cybersecurity assessment and a plan, then the federal Port Security Grant program should help pay for these mandates, and time must be awarded to carry out this plan. The current Port Security Grant program requires a cyber assessment first before grants will pay for improvements and implementation of a cyber plan. This might be a model that works, if it is flexible on how the cyber assessment is done, similar to how MTSA security assessments are completed.

AAPA also encourages additional port security grant funding to help ports conduct cyber security assessments and make improvements. It is not clear that all facilities will need a comprehensive cyber plan, just as the U.S. Coast Guard has proposed that not all ports need a TWIC reader. AAPA also believes that there needs to be more clarity and communication regarding what a Transportation Security Incident (TSI) entails. There appears to be a lack of understanding within the industry regarding what constitutes a TSI in terms of cybersecurity.

The following are some initial responses to questions put forth by the Coast Guard:

What cyber dependent systems, commonly used in the maritime industry, could lead or contribute to a Transportation Security Incident (TSI) if they failed, or were exploited by an adversary?

SECURITY
1. Digital Video Surveillance Management Systems
2. Access Control Systems (Card Reader Systems (TWIC))
3. Vehicle Registration Systems
4. Radar/Sonar Systems
5. Emergency Communication Systems (radios)
6. Port-wide Emergency Notification Systems
7. Maritime Domain Awareness Systems
8. Command and Control Systems
9. Physical Security Information Systems

CARGO
1. Crane Control Systems
2. Manifest Control Systems
3. Miscellaneous Data Bases (Private Industry and Government), to include intelligence data bases (U.S. Intelligence Community/U.S. Coast Guard, Customs and Border Protection and State fusion centers)

VESSEL MOVEMENTS
1. Vessel Traffic Systems or Vessel Traffic Information Systems
2. Automated Information Systems (AIS - Vessel Tracking)

ENGINEERING SYSTEMS
1. GIS Management

ADMINISTRATIVE
1. Accounting Systems
2. Property Management Systems

What procedures or standards do vessel and facility operators employ to identify potential cyber security vulnerabilities to their operations?

Private industry remains reluctant to share their cyber defense mechanisms. Private industry primarily contracts with a computer management entity to manage and/or oversee their computer systems. Over the past 20 years private industry has been extremely reluctant to report cyber breaches. Cyber risks are not inherently maritime related; however, we do know that many owners/operators have conducted vulnerability assessments and many have employed anti-virus, anti-spam, anti-malware programs, and firewalls. Some owner/operators have invested in software such as intrusion detection programs and have developed policies and procedures requiring the use of strong passwords, that these be changed regularly, that employees use different passwords for different systems, and that passwords are not shared. Additionally, industry regularly implements procedures to prevent users from downloading software onto company-owned devices, and some have implemented multi-factor authentication for system access to their networks.

While these are all necessary initial first steps, what we hear repeatedly from members and industry partners is that the strongest cybersecurity program is creating an awareness among employees and management of what a cyberattack might look like and how to report cyber breaches. Rather than mandating particular standards, we recommend that DHS strengthen existing grant programs to provide financial assistance for cybersecurity programs.

Are there existing cyber security assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI?

To our knowledge there is not a single recognized program consistently implemented and/or utilized by private industry, but rather many variations of programs crafted specifically for individual needs and concerns. Industry programs typically utilize resources from many sources when crafting policy, including governmental agencies (NIST Cybersecurity Framework) and public sector recommendations given by non-profit organizations such as the Information Systems Audit and Control Association (ISACA), the International Information Systems Security Certification Consortium (ISC2), and the National Cyber Security Alliance (NCSA), to name a few. To our knowledge these programs do not specifically address vessel or facility systems directly, but best practices can be tailored for the port industry.

To what extent do current security training programs for vessel and facility personnel address cyber security risks and best practices?

To our knowledge there is not a recognized facility and vessel training program that addresses cyber security risks and best practices for the port industry specifically.

What factors should determine when manual backups or other non-technical approaches are sufficient to address cyber security vulnerabilities?

An initial approach could be a table top exercise that could highlight the pros and cons of determining when manual or non-technical cyber vulnerability backstops are sufficient.

How can the Coast Guard leverage the Alternative Security Plan program to help vessel and facility operators address cyber security risks?

Develop a best practices approach addressing the requirements for Cyber Security Assessments using both penetration testing (PEN testing) and a risk-based assessment approach, which could be added to 33 Code Part (8), mandating procedures based on the network, communications and computer systems at each port or facility. Mandating prescriptive measures in a one-size-fits-all approach would not be beneficial.

How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber systems meet appropriate technical or procedural standards?

Add an addendum to 33 CFR Part (c) clarifying that a cybersecurity assessment is a component of the Facility Security Assessment (FSA), which should be conducted every five years for regulated facilities. Protection of systems documentation and internal testing and oversight of social media policies would be verified during the annual audit process and the 5-year Facility Security Assessment. The addition of the cyber assessment to the FSA should include both PEN testing and a risk-based assessment once a standard is established under 33 CFR Part 305 (c). Additionally, annual audits are currently required, in part, for record keeping, maintenance and testing of systems in 33 CFR Part, which could then include the cyber component by reference in Security systems and equipment maintenance [(c)].

Do classification societies, protection & indemnity clubs, or insurers recognize cyber security best practices that could help the maritime industry?

We are unaware of any best practices recognized by port-specific classification societies, protection and indemnity clubs or insurers; however, there are many organizations that give guidance and provide standards in the information systems cyber field. The following is a sampling, but is not limited to:
1. The American Society for Industrial Security (ASIS)
2. Information Systems Audit and Control Association (ISACA)
3. International Information Systems Security Certification Consortium (ISC2)
4. National Cyber Security Alliance (NCSA)
5. Center for Internet Security (CIS)

If you have additional questions or would like further input on AAPA members' concerns, please do not hesitate to contact me directly.

Sincerely yours,

Kurt J. Nagle
President
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationRE: Notice of Proposed Rulemaking, Request for Comments: Operation and Certification of Small Unmanned Aircraft Systems [Docket No.
April 24, 2015 Docket Management Facility (M-30) U. S. Department of Transportation West Building Ground Floor Room W12-140 1200 New Jersey Ave. Washington, DC 20590-0001 RE: Notice of Proposed Rulemaking,
More informationAuditing emerging cyber threats and IT controls
Auditing emerging cyber threats and IT controls Robert Baldi Director of IT Audit, ACI Worldwide Warren Fish Manager of IT Audit, ACI Worldwide Competency The trouble with competence is that it is always
More informationAn Overview of Large US Military Cybersecurity Organizations
An Overview of Large US Military Cybersecurity Organizations Colonel Bruce D. Caulkins, Ph.D. Chief, Cyber Strategy, Plans, Policy, and Exercises Division United States Pacific Command 2 Agenda United
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationThe Dow Chemical Company. statement for the record. David E. Kepler. before
The Dow Chemical Company statement for the record of David E. Kepler Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President before The Senate Committee
More informationCustoms-Trade Partnership against Terrorism Supply Chain Security Profile
Customs-Trade Partnership against Terrorism Supply Chain Security Profile Service Provider Assessment (Trucker) Please answer the following questions about your company s cargo security processes and participation
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationOver 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit.
CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 BILL S BIO Over 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit. Vice President Controls
More informationCyber Security. John Leek Chief Strategist
Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity
More informationThe. Who, What, When, Where, of Port Security. A Resource Guide for Your Use Today and In the Future. by Thomas O Brien, Ph.D.
The Who, What, When, Where, and Why of Port Security A Resource Guide for Your Use Today and In the Future by Thomas O Brien, Ph.D. In the wake of 9/11 the security landscape changed. New agencies were
More informationMichigan Cyber Disruption Response Strategy
S DEPARTMENT OF MILITARY AND VETERAN Michigan Cyber Disruption Response Strategy Protecting Michigan s Critical Infrastructure and Systems AFFAIRS MICHIGAN Version 1.0 September 16, 2013 S DEPARTMENT
More informationUniversity System of Maryland University of Maryland, College Park Division of Information Technology
Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND
More informationNASA OFFICE OF INSPECTOR GENERAL
NASA OFFICE OF INSPECTOR GENERAL OFFICE OF AUDITS SUITE 8U71, 300 E ST SW WASHINGTON, D.C. 20546-0001 April 14, 2016 TO: SUBJECT: Renee P. Wynn Chief Information Officer Final Memorandum, Review of NASA
More information2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy
2015 Michigan NASCIO Award Nomination Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy Sponsor: David Behen, DTMB Director and Chief Information Officer Program Manager: Rod Davenport,
More informationCybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015
Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas
More informationCOUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide
COUNTERINTELLIGENCE O F F I C E O F T H E N A T I O N A L C O U N T E R I N T E L L I G E N C E Protecting Key Assets: A Corporate Counterintelligence Guide E X E C U T I V E Counterintelligence for the
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationManaging Business Risk
Managing Business Risk With Assurance Report Cards April 7, 2015 Table of Contents Introduction... 3 Cybersecurity is a Business Issue... 3 Standards, Control Objectives and Controls... 5 Standards and
More informationThe Comprehensive National Cybersecurity Initiative
The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we
More informationBellevue University Cybersecurity Programs & Courses
Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320
More informationCyberSecurity Solutions. Delivering
CyberSecurity Solutions Delivering Confidence Staying One Step Ahead Cyber attacks pose a real and growing threat to nations, corporations and individuals globally. As a trusted leader in cyber solutions
More informationPort Security Grant Program (PSGP) Fiscal Year (FY) 2015 Notice of Funding Opportunity (NOFO) Outreach Calls Frequently Asked Questions (FAQs)
1) If we operate facilities in 2 ports and they are located 100 Miles apart do we submit one application or two? Two applications must be submitted, one for each entity within each port. See NOFO pg. 4
More informationcarahsoft Florida Department of Management Services CARAHSOFT S RESPONSE TO THE REQUEST FOR INFORMATION
carahsoft CARAHSOFT S RESPONSE TO THE Florida Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services
More informationNo. 33 February 19, 2013. The President
Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001
More informationJOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
More informationGAO INFORMATION SECURITY. Fundamental Weaknesses Place EPA Data and Operations at Risk. Testimony
GAO United States General Accounting Office Testimony INFORMATION SECURITY Fundamental Weaknesses Place EPA Data and Operations at Risk Statement of David L. McClure Associate Director, Governmentwide
More information