CYBER SECURITY POLICY REVISION: 6


Section I: General

1. Purpose

1.1 To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred to as Emera Maine or the Company) from malicious or unintentional attacks on the critical cyber assets used to protect and operate the BES.

1.2 To ensure the continued reliable operation of the interconnected BES, by establishing and maintaining a Cyber Security Management system that prevents a loss of control or protection of the BES, and incorrect operation resulting from security breaches.

1.3 To detail the commitment and ability of Emera Maine management to incorporate and enforce the NERC Critical Infrastructure Protection (CIP) cyber security standards (CIP-002 to CIP-009).

2. Scope

2.1 This Policy establishes the principles to be used by Emera Maine for identifying, managing, and protecting critical cyber asset information, processes and systems owned or developed by Emera Maine.

2.2 This Policy applies to Emera Maine employees, including contract staff and temporary employees, as well as vendors and other third parties who have authorized electronic or authorized unescorted physical access to critical cyber assets, and to Emera Maine employees and vendor/service contractor personnel who do not have authorized access to critical cyber assets but are responsible for actions required to achieve and maintain compliance with Version 3 of NERC Reliability Standards CIP-002 through CIP

2.3 The definition of terms appearing in italics used in this Policy appears in Attachment A.

2.4 Text contained within [ ] denotes the name of an electronic file documenting an internally developed process for the purpose of complying with a specific NERC CIP requirement or set of requirements.

Document No Page 1 of 20 February 14, 2014

3. Governing Principles

3.1 Emera Maine shall protect its critical cyber assets such that those assets continue to provide correct and reliable control, protection and operation of the power system during periods of normal operation and when subjected to directed intentional cyber attack or unintentional cyber attack.

3.2 Emera Maine shall protect its critical cyber assets when subjected to directed intentional cyber attack, or other emergency situation(s), for which provisional actions are detailed in various Emera Maine Internal Reliability Processes, such as [ doc], [ doc], [ doc] and others as appropriate.

3.3 This Policy shall be reviewed and authorized annually by the Emera Maine Senior Manager assigned with the overall responsibility for the implementation of and adherence to NERC Standards CIP-002 through CIP-009, and the Company shall retain documentation and records from the previous full calendar year to the present.

Section II: Critical Cyber Asset Identification

1. Methodology

1.1 Emera Maine shall develop and document a risk-based methodology that it shall use to identify its Critical Assets. This document [ doc] shall be reviewed and approved annually by Emera Maine's Senior Manager assigned with overall responsibility and authority for leading the Company's implementation of, and adherence to, Standards CIP-002 through CIP

2. Critical Asset Identification

2.1 Annually, Emera Maine shall develop a list of all BES critical assets comprising its power system, identified through the use of the Company's Risk Based Critical Asset and Critical Cyber Asset Identification Methodology [ doc].

3. Critical Cyber Asset Identification

3.1 Annually, Emera Maine shall develop a list of all associated BES critical cyber assets comprising its power system, identified through the use of the Company's Risk Based Critical Asset and Critical Cyber Asset Identification Methodology [ doc].

4. Review & Approval

4.1 The lists of Emera Maine BES critical assets and critical cyber assets developed through its annual assessment shall be reviewed and approved by Emera Maine's CIPs Senior Manager or delegate(s), and a signed record of such review.

Section III: Security Management Controls

1. Cyber Security Policy

1.1 Emera Maine shall document and implement a Cyber Security Policy [ doc] that represents Emera Maine's commitment and ability to secure its Critical Cyber Assets.

1.2 Emera Maine shall ensure that its Cyber Security Policy is available to all personnel who have access to, or are responsible for, Critical Cyber Assets.

1.3 Emera Maine's Cyber Security Policy shall be reviewed and approved annually by the Company's Senior Manager assigned to lead and manage Emera Maine's implementation of and adherence to NERC Reliability Standards CIP-002 through CIP-009, and by Emera Maine's FERC Compliance Officer.

2. Senior Leadership

2.1 Emera Maine shall assign a senior manager with responsibility for leading and managing the entity's implementation of and adherence to the NERC CIP-002 through CIP-009 Standards per its internal reliability process [ doc].

2.2 Emera Maine shall ensure that the designated senior manager is identified by name, title and date of designation.

2.3 Emera Maine shall document changes to the designated senior manager within 30 calendar days of the effective date.

2.4 Emera Maine shall ensure that specific actions (where allowed by Version 3 of Standards CIP-002 through CIP-009) delegated by the senior manager to a named delegate or delegates are documented per its reliability process [ doc].

2.5 Emera Maine's CIPs Senior Manager, or a designated delegate(s), shall be responsible for authorizing and documenting any exception from the requirements of the Company's Cyber Security Policy.

3. Exceptions

3.1 All exceptions to Emera Maine's Cyber Security Policy shall be reviewed, approved and documented per its internal reliability process [ doc] by the Senior Manager (with responsibility for leading and managing the Company's implementation of and adherence to the NERC CIP-002 through CIP-009 Standards) or an authorized delegate, to ensure that the intent of this Policy is met.

3.2 Exceptions to the cyber security policy shall be reviewed and approved annually by the senior manager responsible for adherence to NERC Standards CIP-002 to CIP-009, to ensure that any and all past and present day exceptions are still required and valid.

3.3 Documented exceptions to the aforementioned cyber security policy must include an explanation as to why the exception is necessary and any compensating measures.

3.4 Authorized exceptions to the Cyber Security Policy must be reviewed and approved annually by the Emera Maine CIPs Senior Manager or delegate(s) to ensure the exceptions are still required and valid. Such a review and approval shall be documented.

4. Information Protection

4.1 Emera Maine shall document and implement a program to identify, classify, and protect information relating to Critical Cyber Assets [ doc].

4.2 The Critical Cyber Asset information to be protected shall include, at a minimum, operational procedures, lists as required in Standard CIP-002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts, disaster recovery plans, incident response plans, and security configuration information.

4.3 Emera Maine shall classify information related to Critical Cyber Assets based upon sensitivity.

4.4 At least annually, Emera Maine shall assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.

5. Access Control

5.1 Emera Maine shall develop, document and implement a program [ doc] for managing access (both logical and physical) to protected Critical Cyber Asset associated information identified for protection under Emera Maine process [ doc].

5.2 Emera Maine shall maintain a list of personnel who are responsible for authorizing access (both logical and physical) to protected Critical Cyber Asset information. Personnel on this list shall be identified by name, title and business phone, along with a listing of the information for which they are allowed to authorize access, and the list shall be reviewed at least annually to ensure its validity.

5.3 Emera Maine shall review at least annually the access privileges to protected Critical Cyber Asset information to confirm that the access privileges are correct and that they correspond with the Company's needs and the appropriate personnel roles and responsibilities.

5.4 Emera Maine shall review and document at least annually the processes for controlling access privileges to protected information.

6. Change Control & Management

6.1 Emera Maine shall establish and document methods [ doc] and controls governing the modification or replacement of Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all changes to hardware and software components of Critical Cyber Assets.

Section IV: Personnel & Training

1. Awareness

1.1 Emera Maine shall establish, maintain and document its security awareness program [ doc] to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as: direct communications; indirect communications; and management support.

2. Training

2.1 Emera Maine shall establish, maintain and document a cyber security training program [ doc] and shall ensure that all personnel having authorized access to Critical Cyber Assets, including contractors and service vendors, are trained prior to being granted access, except in an emergency (as detailed in document [ doc]).

2.2 Emera Maine's training program [ doc] shall cover the policies, access controls and procedures as developed for the Critical Cyber Assets covered by this standard, and include (at a minimum): (1) the proper use of Critical Cyber Assets, (2) physical and electronic access controls to Critical Cyber Assets, (3) the proper handling of Critical Cyber Asset information and (4) action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.

2.3 After initial training of personnel granted authorized access to Critical Cyber Assets, the Company shall ensure that follow-up training is provided annually to persons with such access and that this activity is conducted and documented per its reliability process [ doc].

2.4 Emera Maine shall ensure that its cyber security training program [ doc] is reviewed at least annually and updated as necessary.

3. Personnel Risk Assessment

3.1 Emera Maine shall develop and document a personnel risk assessment program [ doc], in accordance with federal, state and local laws, and (subject to existing collective bargaining unit agreements), for personnel having authorized cyber or authorized unescorted physical access.

3.2 Emera Maine shall ensure that its personnel risk assessment program [ doc] includes (at a minimum) the following: (1) that risk assessments are conducted prior to such personnel being granted authorized cyber or authorized unescorted physical access to Critical Cyber Assets, except in response to an emergency (see [ doc] for details), (2) that each assessment conducted includes (at least) identity verification and a seven year criminal check, and (3) that each personnel risk assessment is updated at least every seven years after the initial personnel risk assessment, or for cause.

3.3 Emera Maine shall ensure that the results of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets are documented, and that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP

4. Lists, Review & Revocation

4.1 Emera Maine shall maintain lists of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic (a.k.a. logical) and physical access rights to Critical Cyber Assets, following its internal reliability process [ doc].

4.2 Emera Maine shall ensure that maintained lists of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets are reviewed quarterly and updated within seven calendar days of any change of personnel with such access to Critical Cyber Assets or any change in the access rights of such personnel. BHE shall ensure access list(s) with names of Emera Maine employees, contractors and service vendors are properly maintained.

4.3 Emera Maine shall revoke authorized cyber or authorized unescorted physical access to Critical Cyber Assets within 24 hours for personnel terminated for cause, and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

Section V: Electronic Security Perimeters

1. Identification

1.1 Emera Maine shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter [ doc], and shall identify and document the Electronic Security Perimeter(s) and all access points to these perimeter(s).

2. Electronic Access Controls

2.1 Emera Maine shall implement and document organizational processes [ doc] and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s). These processes and mechanisms shall use an access control model that denies access by default, such that explicit access permissions must be specified.

2.2 At all access points to the Electronic Security Perimeter(s), Emera Maine shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.

2.3 Emera Maine shall maintain and implement a procedure [ doc] for securing dial-up access to the Electronic Security Perimeter(s) and, where external interactive access into the Electronic Security Perimeter has been enabled, Emera Maine shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

2.4 Where technically feasible, Emera Maine shall ensure that electronic access control devices display an appropriate use banner upon interactive access attempts, and shall maintain a document identifying the content of the banner.

3. Monitoring Electronic Access

3.1 Emera Maine shall implement and document an electronic or manual process [ doc] for monitoring and logging access at access points to all Electronic Security Perimeters twenty-four hours a day, seven days a week.

3.2 For dial-up accessible Critical Cyber Assets that use non-routable protocols, Emera Maine shall implement and document a monitoring process at each access point to the dial-up device, where technically feasible.

3.3 Where technically feasible, Emera Maine shall ensure that the security monitoring process detects and alerts for attempted or actual unauthorized access, and that these alerts provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, Emera Maine shall review or otherwise assess access logs for attempted or actual unauthorized access at least every 90 calendar days.

4. Cyber Vulnerability Assessment

4.1 Emera Maine shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually [ doc]. The vulnerability assessment shall include (at a minimum): (1) a document identifying the vulnerability assessment process, (2) a review to verify that only ports and services required for operations at these access points are enabled, (3) the discovery of all access points to the Electronic Security Perimeter(s), (4) a review of controls for default accounts, passwords and network management community strings, and (5) documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

5. Document Review & Maintenance

5.1 Emera Maine shall review at least annually all Electronic Security Perimeter documentation to ensure that it reflects the current configurations and processes in use, and shall update the appropriate document to reflect any modification of the network or controls within 90 calendar days of the change.

5.2 Emera Maine shall retain electronic access logs for at least 90 calendar days; logs related to reportable incidents shall be kept for the previous full calendar year, at a minimum.

Section VI: Physical Security of Critical Cyber Assets

1. Physical Security Plan

1.1 Emera Maine shall document, maintain and implement a physical security plan [ doc] to restrict physical access to its critical cyber assets. The plan shall ensure all cyber assets within an electronic security perimeter also reside within a defined 6-wall physical security perimeter and, where a 6-wall border cannot be established, Emera Maine shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.

1.2 Emera Maine shall also ensure that its Physical Security Plan [ doc] contains the following attributes:
a. identification of all access points through each Physical Security Perimeter and measures to control entry at those access points,
b. processes and tools to be used to monitor physical access,
c. appropriate use of physical access controls, response to loss, and prohibition of inappropriate use of physical access controls,
d. review of access authorization requests and revocation of access authorization, and
f. requirement for continuous escorted access within the physical security perimeter of personnel not authorized for unescorted access.

1.3 Emera Maine shall implement a visitor control program [ doc] for visitors (personnel without authorized unescorted access to a Physical Security Perimeter). The program shall contain logs to document the date and time of entry and exit of visitors to and from Physical Security Perimeters (PSP), and visitors within a PSP shall be continuously escorted by a person granted authorized unescorted access to the specific PSP.

1.4 Emera Maine shall ensure that its Physical Security Plan is updated within 30 days of the completion of any physical security perimeter redesign or reconfiguration, including (but not limited to) addition or removal of access points through the Physical Security Perimeter, physical access controls, monitoring controls, or logging controls. Additionally, at a minimum, this plan shall be reviewed annually by the Company's facilities personnel.

2. Protection of Physical Access Control Systems

2.1 Emera Maine shall ensure that cyber systems that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point such as electronic lock control mechanisms and badge readers, are protected from unauthorized physical access and are afforded the protective measures specified in Standard CIP-003, CIP-004 Requirement R3, CIP-005 Requirements R2 and R3, CIP-006 Requirements R4 and R5, CIP-007, CIP-008 and CIP

3. Protection of Electronic Access Control Systems

3.1 Emera Maine shall ensure that cyber systems used in the access control and/or monitoring of the Electronic Security Perimeter(s) reside within an identified Physical Security Perimeter.

4. Physical Access Controls

4.1 Emera Maine shall develop, document and implement the operational and procedural controls [ doc] to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week.

5. Monitoring Physical Access

5.1 Emera Maine shall develop, document and implement the technical and procedural controls [ doc] necessary to monitor physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. It shall also ensure that all unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in the Company's Incident Response Plan.

6. Logging Physical Access

6.1 Emera Maine shall record sufficient information to uniquely identify individuals and the time of access twenty-four hours a day, seven days a week.

7. Access Log Retention & Review

7.1 Emera Maine shall retain physical access logs for at least 90 calendar days. Logs related to reportable incidents shall be kept in accordance with its Cyber Incident Response Plan.

8. Maintenance & Testing

8.1 Emera Maine shall implement a maintenance and testing program [ doc] to ensure that all physical security systems implemented to control, monitor and log physical access to Critical Cyber Assets. At a minimum, the Company shall ensure that its maintenance and testing program includes: (1) testing and maintenance of all physical security mechanisms on a cycle no longer than three years, (2) retention of testing and maintenance records, and (3) retention of outage records regarding access controls, logging and monitoring for a minimum of one calendar year.

Section VII: Systems Security Management

1. Test Procedures

1.1 Emera Maine shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls.

1.2 Emera Maine shall create, implement, and maintain cyber security test procedures [ doc] in a manner that minimizes adverse effects on the production system or its operation, and shall document that testing is performed in a manner that reflects the production environment.

2. Ports & Services

2.1 Emera Maine shall establish, document and implement a process [ doc] to ensure that only those ports and services required for normal and emergency operations are enabled, and shall disable other ports and services (including those used for testing purposes) prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
In the case where unused ports and services cannot be disabled due to technical limitations, Emera Maine shall document compensating measure(s) applied to mitigate risk exposure.

3. Security Patch Management

3.1 Emera Maine shall establish, document and implement a security patch management program [ doc] for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).

3.2 Emera Maine shall document the assessment of security patches and security upgrades for applicability within 30 calendar days of their availability to the Company.

3.3 Emera Maine shall document the implementation of patches and, in any case where a patch was not installed, shall document compensating measure(s) applied to mitigate risk exposure.

4. Malicious Software Prevention

4.1 Emera Maine shall use anti-virus software or other malicious software (malware) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeters [ doc].

4.2 Emera Maine shall document the use of such anti-virus and malware prevention tools and, in the case where anti-virus software and malware prevention tools are not applied, BHE shall document compensating measure(s) applied to mitigate risk exposure, or an acceptance of risk.

4.3 Emera Maine shall document and implement a process for the update of anti-virus and malware prevention signatures.

5. Account Management

5.1 Emera Maine shall establish, implement and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access [ doc].

5.2 Emera Maine shall ensure that individual and shared accounts and authorized access permissions are consistent with the concept of need to know with respect to work functions performed.

5.3 Emera Maine shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges, including factory default accounts.

5.4 At a minimum, Emera Maine shall use passwords to manage accounts and ensure access authenticity.

6. Security Status Monitoring

6.1 Emera Maine shall develop, document and deploy organizational processes [ doc] and the technical and procedural mechanisms necessary to monitor and detect security events on all cyber assets within the Electronic Security Perimeter. Such mechanisms shall alert appropriate staff of detected cyber security incidents in a timely manner so their impact may be assessed and the appropriate response action implemented.

6.2 Emera Maine shall maintain logs of detected system events related to cyber security, where technically feasible, to support incident response. These logs shall be retained for at least 90 calendar days, and the Company shall maintain records documenting review of these event logs.

7. Disposal & Redeployment

7.1 Emera Maine shall establish and implement formal methods, processes, and procedures [ doc] for the disposal or redeployment of Critical Cyber Assets within its Electronic Security Perimeter(s). Prior to the disposal of such assets, it shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data; prior to the redeployment of such assets, it shall (at a minimum) erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.

7.2 Emera Maine shall maintain records that such assets were disposed of or redeployed in accordance with its documented procedures.

8. Cyber Vulnerability Assessment

8.1 Emera Maine shall ensure that a Cyber Vulnerability Assessment of the Cyber Assets within the Electronic Security Perimeter is performed at least annually [ doc]. At a minimum, the Company shall ensure that this vulnerability assessment includes the following:
a. a document identifying the vulnerability assessment process;
b. a review to verify that only ports and services required for operation of Cyber Assets within the Electronic Security Perimeter are enabled;
c. a review of controls for default accounts; and
d. documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

9. Documentation & Review

9.1 Emera Maine shall ensure that all System Security Management documents are reviewed and updated at least annually, and that changes resulting from modifications to the system or its controls are documented within 30 calendar days of the change being completed.

Section VIII: Incident Reporting & Response Planning

1. Cyber Security Incident Response Plan

1.1 Emera Maine shall develop and maintain a Cyber Security Incident Response Plan [ doc] and implement the plan in response to Cyber Security Incidents. The Company's Cyber Security Incident Response Plan shall address, at a minimum:
- procedures to characterize and classify events as reportable Cyber Security Incidents;
- response actions to Cyber Security Incidents;
- a process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC);
- a process for updating the Cyber Security Incident Response Plan within 30 calendar days of any changes;
- a process for ensuring that the Cyber Security Incident Response Plan is reviewed at least annually; and
- a process for ensuring that the Cyber Security Incident Response Plan is tested at least annually.

2. Cyber Incident Documentation

2.1 Emera Maine shall keep relevant documentation related to reportable Cyber Security Incidents for three calendar years.

Section IX: Recovery Plans

1. Creation & Review

1.1 Emera Maine shall develop and document recovery plans for its critical cyber assets so that essential functions are reestablished within an acceptable period of time following an emergency or other unexpected event. These recovery plans shall define the roles and specify the required actions of responders in response to events or conditions of varying duration and severity that would activate the recovery plans [ doc]. Further, Emera Maine shall ensure that during these events, access (both physical and/or electronic) to Critical Cyber Assets from outside established electronic and/or physical perimeters is denied until service is reestablished or controlled using an acceptable alternative method.

1.2 Emera Maine shall ensure that these recovery plans are reviewed at least annually.

2. Exercises

2.1 Emera Maine shall ensure that recovery plans are exercised at least annually.

3. Change Control

3.1 Emera Maine shall ensure that recovery plans [ doc] are updated to reflect changes or lessons learned as a result of an exercise or recovery from an actual incident, and that any and all updates are communicated to personnel responsible for the activation and implementation of the recovery plan within 30 calendar days of the change being completed.

4. Backup & Restore

4.1 Emera Maine shall develop and implement a recovery plan [ doc] that shall include processes and procedures for the backup and secure storage of information required to successfully restore Critical Cyber Assets.

5. Testing Backup Media

5.1 Emera Maine shall ensure that information essential to recovery that is stored on backup media is tested at least annually to ensure that the information is available.

Section X: Definitions

The definitions provided in this section are used by the NERC CIP Standards and are included in the NERC Glossary of Terms for Reliability Standards.

Annually: Once each calendar year.

Critical Assets: Facilities, systems and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.

Cyber Assets: Programmable electronic devices and communication networks including hardware, software, and data.

Critical Cyber Assets: Cyber assets essential to the reliable operation of critical assets.

Cyber Security Incident: Any malicious act or suspicious event that:
- compromises, or was an attempt to compromise, the electronic security perimeter or physical security perimeter of a critical cyber asset, or
- disrupts, or was an attempt to disrupt, the operation of a critical cyber asset.

Electronic Security Perimeter: The logical border surrounding a network to which critical cyber assets are connected and for which access is controlled.

Physical Security Perimeter: The physical, completely enclosed ("six-wall") border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which critical cyber assets are housed, and for which access is controlled.

Related Documents:

o Critical Cyber Asset Identification
o Cyber Security Policy & Exceptions
o Leadership Assignment & Authority Delegation
o Information Protection
o Access Control to Protected Information
o Change Control & Configuration Management
o Security Awareness Reinforcement & Training
o Personnel Risk Assessments
o Access Control to Critical Cyber Assets
o Electronic Security Perimeters
o Cyber Security Vulnerability Assessment
o Physical Security Perimeters
o Physical Security System Maintenance & Testing
o Test Procedures
o Ports & Services
o Security Patch Management
o Malicious Software Prevention
o Account Management
o Security Status Monitoring
o Disposal & Redeployment
o Incident Reporting & Response Planning
o Recovery Plans for Critical Cyber Assets
o Cyber Security Incident Response Plan

Version History

Version 1 (June 29,)
- Original

Version 2 (July 9, 2009)
- Corrected document references, Section I item 3.2
- Added language to Section IX item 1.1 further specifying Emera Maine actions regarding access to CCAs during emergencies
- Added document to Related Document List

Version 3 (December 30, 2009)
- Changed 2.2 to define applicability of policy to Emera Maine and non-Emera Maine personnel
- Defined the term "annually" as meaning once each calendar year
- Clarified the commitment and ability of Emera Maine to protect Critical Cyber Assets during emergency situations
- Minor grammatical edits
- Classification level changed from Proprietary to Unrestricted
- Signatory page changes

Version 4 (February 23, 2010)
- Signatory page change: Gerry Chasse appointed as BHE new President & COO
- Incorporated Version 3 changes into policy as appropriate
- Changed all references of BHEC to Emera Maine

Version 5 (October 25, 2010)
- Changed various references of Version 2 to Version 3
- Added Visitor Control program to Physical Security Perimeter Plan (Section VI) per new requirement of CIP
- Added Matt Allen to signatory page and corrected name of Company's President to full name

Version 6 (February 14, 2014)
- Changed all references from Bangor Hydro to Emera Maine
- Updated titles on Signatory Page

Approvals - Signatures

APPROVED: ____________________ Date: __________
Matt Allen, Compliance, Security & Environmental Supervisor, Emera Maine

APPROVED: ____________________ Date: __________
Kim Wadleigh, Vice President, T & D Operations, Emera Maine

APPROVED: ____________________ Date: __________
Karen Redford, VP, Corporate & Legal Affairs (FERC Compliance Officer), Emera Maine

APPROVED: ____________________ Date: __________
Gerard R. Chasse, President and Chief Operating Officer, Emera Maine


More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Cyber Security Standards Update: Version 5

Cyber Security Standards Update: Version 5 Cyber Security Standards Update: Version 5 January 17, 2013 Scott Mix, CISSP CIP Technical Manager Agenda Version 5 Impact Levels Format Features 2 RELIABILITY ACCOUNTABILITY CIP Standards Version 5 CIP

More information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information