DHS Chemical Security Program: Cyber Security Requirements

Size: px
Start display at page:

Download "DHS Chemical Security Program: Cyber Security Requirements"

Transcription

1 DHS Chemical Security Program: Cyber Security Requirements Steven Burns Energy Bar Association Electricity Regulation & Compliance Committee System Reliability, Planning & Compliance Committee October 23, 2008

2 Summary Certain energy facilities, including power plants, may be covered under the chemical security program. A covered facility must assess its vulnerability to cyber attack and develop security measures to respond to identified vulnerabilities. Special rules, including some affecting electronic communications and records management, govern Chemical-terrorism Vulnerability Information (CVI). 2

3 Outline The DHS chemical security program: Origins and potential application to electric utilities Security Vulnerability Assessment (SVA): Cyber security elements Site Security Plan (SSP): Cyber security elements Chemical-terrorism Vulnerability Information (CVI) 3

4 The DHS chemical security program Initial authorization: DHS Appropriations Act of 2007, 550 Authorized security regulations for chemical facilities that present high levels of security risk Three-year authorization; expires October 4, 2009 DHS regulations: Proposed rule (to be codified at 6 C.F.R. Part 27): December 28, 2006 Interim final rule and proposed list of chemicals of interest (Appendix A): April 9, 2007 Final rule and final Appendix A: November 20, 2007 DHS has since provided additional guidance through forms, manuals, and web-based help pages. 4

5 The DHS chemical security program Chemical facility One possessing the screening threshold quantity of any of the chemical of interest on the list Examples, depending on chemicals stored on site: Coal-fired power plant (due to chlorine, anhydrous ammonia, hydrazine, etc.) Plant under major construction Note: Additional instructions on chemical concentrations, method of storage, etc., may affect applicability. Exemptions: Several categories of facilities, including regulated nuclear facilities, are exempt from the program. Every chemical facility must submit a Top-Screen to DHS, which includes a chemical inventory. 5

6 The DHS chemical security program Covered facility One determined by DHS, based on the Top-Screen submission, to pose a high security risk, based on quantity of chemicals, method of storage, proximity to population, etc. Tiered from highest risk (Tier 1) to lowest risk (Tier 4) Covered facilities are subject to additional program elements and requirements, including Security Vulnerability Assessments (SVAs) and Site Security Plans (SSPs). Note: The regulations provide detailed instructions for what must be included in the SVA and SSP. However, a Tier 4 facility may submit an alternative SVA, and any covered facility may submit an alternative SSP, the elements of which may differ from the regulations. 6

7 Security Vulnerability Assessment (SVA) A covered facility must submit an SVA to DHS for approval. The facility submits the SVA to DHS through a series of online forms, including an extensive questionnaire. The SVA requires identification and explanation of a broad range of security issues, including: An identification and description of Cyber control system Cyber business system Various cyber security policies and practices 7

8 Security Vulnerability Assessment (SVA) Cyber control system: A system that can control the chemical process(es) of the facility and whose failure or misuse can result in the release, theft/diversion or sabotage with respect to the chemical of interest The SVA instructions provide the following examples of cyber control systems: Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), and Industrial Control Systems (ICS). 8

9 Security Vulnerability Assessment (SVA) Cyber business system: An information system intended to improve the organization s competitive position or support its corporate strategy According to the SVA instructions, Possible examples of these types of systems include business management systems like SAP TM or inventory management systems. Applicable only if the facility s primary security issue is theft or diversion 9

10 Security Vulnerability Assessment (SVA) SVA questions regarding cyber control and business systems: External access? (Internet, wireless, etc.) Limits on portable equipment such as laptops, PDAs, flash drives, smart cell phones, etc.? Have access restrictions been validated through testing by information technology (IT) security professionals? Documented cyber security policies, plans, and procedures commensurate with the IT operating environment? 10

11 Security Vulnerability Assessment (SVA) SVA questions regarding cyber control and business systems (continued): Least privilege access (based on roles and responsibilities)? Default passwords changed? Accounts locked after several unsuccessful logins? Background checks for personnel in critical or sensitive positions? Control access list that tracks personnel changes? 11

12 Security Vulnerability Assessment (SVA) SVA questions regarding cyber control and business systems (continued): Physical access to sensitive or restricted areas restricted to those with appropriate need? Cyber security training? Logging and reporting practices for various cyber events? Business requirement for all external connections? Regular software and hardware patching, upgrade, and replacement? 12

13 Security Vulnerability Assessment (SVA) SVA questions regarding cyber control and business systems (continued): Means to identify and measure cyber security risks based on cyber security methodologies, standards, or best practices? Network and system-level security tests on a regular basis and after upgrades / patches? Vulnerability solutions appropriate for the environment (e.g., firewalls configured for minimum business or operational needs)? 13

14 Site Security Plan (SSP) A covered facility must submit an SSP to DHS for approval. SSP must: Address vulnerabilities identified in the SVA and provide security measures to address each vulnerability Explain how security measures will address the applicable risk-based performance standards (RBPS) and potential modes of terrorist attack DHS may not disapprove an SSP based on the inclusion or exclusion of any particular security measure Explain how security measures meet or exceed each applicable RBPS for the facility s risk-based tier 14

15 Site Security Plan (SSP) RBPS No. 8: Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems 15

16 Site Security Plan (SSP) RBPS No. 8 (continued): Two primary cyber goals: Prevent attacks on cyber systems that could cause economic or strategic damage Prevent the use of a cyber system to attack the facility, its processes, or its materials RBPS 8 addresses various categories of activities, including: Security policy, access control, personnel security, training, monitoring and incident response, disaster recovery and business continuity, system development and acquisition, configuration management, audits 16

17 Site Security Plan (SSP) The chemical security program has a significant sitespecific (physical) focus, which will include site inspections. However, cyber security differs from physical security in important ways: Cyber experts, equipment, data, etc. may be off-site Cyber functions may be performed by in-house or contracted third parties Backup data may be often stored off-site and by separately owned companies Recognizing those factors, DHS has indicated it may conduct cyber inspections at headquarters in addition to physical inspections at the plant. 17

18 Chemical-terrorism Vulnerability Information (CVI) CVI includes SVAs, SSPs, audit and inspection documents, top-screen submissions, and other information CVI is accessible only by persons who: are authorized, based on completing CVI training and complying with any background check or other identification DHS may require; and have a need to know the information 18

19 Chemical-terrorism Vulnerability Information (CVI) Special rules govern CVI access, storage, transmission, and destruction, including: Transmission only to and from covered persons Document marking and identification Encrypted / no personal (such as gmail) Overwriting / degaussing of electronic storage media 19

20 References Dept. of Homeland Security Appropriations Act of 2007, 550, 120 Stat. 1355, 1388 (Oct. 4, 2006). 6 C.F.R. Part 27 Proposed Rule, 71 Fed. Reg. 78,276 (Dec. 28, 2006) Interim Final Rule, 72 Fed. Reg. 17,688 (Apr. 9, 2007) Final Rule, 72 Fed. Reg. 65,396 (Nov. 20, 2007) Critical Infrastructure: Chemical Security (DHS web page): Chemical Security Assessment Tool - Frequently Asked Questions (DHS web page):

21 Questions? Steven Burns (205)

Homeland Security Alert

Homeland Security Alert November 2007 Authors: Barry M. Hartman 202.778.9338 barry.hartman@klgates.com Sandra Y. Snyder 973.848.4018 sandra.snyder@klgates.com K&L Gates comprises approximately 1,400 lawyers in 22 offices located

More information

Ten Tips for Completing a Site Security Plan

Ten Tips for Completing a Site Security Plan TRANSPORTATION LOGISTICS PETROCHEMICal Commercial Industrial Retail Federal Systems Banking Ten Tips for Completing a Site Security Plan Introduction The Chemical Facility Anti-Terrorism Standards (CFATS)

More information

CSAT Site Security Plan

CSAT Site Security Plan CSAT Site Security Plan Instructions May 2009 Version 1.0 Version 1.0 1 Table of Contents Note to Users... 1 Introduction... 2 SSP Instructions: The SSP Process... 2 Organization of these Instructions...

More information

The Office of Infrastructure Protection

The Office of Infrastructure Protection The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security What to Expect from a CFATS Authorization Inspection What is an Authorization Inspection?

More information

CSAT Security Vulnerability Assessment

CSAT Security Vulnerability Assessment CSAT Security Vulnerability Assessment Instructions June 2008 Version 1.0 Version 1.0 1 Table of Contents Note to Users... 1 Introduction... 2 SVA Instructions: The SVA Process...2 Organization of these

More information

Chemical Security Assessment Tool (CSAT)

Chemical Security Assessment Tool (CSAT) for the Chemical Security Assessment Tool (CSAT) May 25, 2007 Contact Point Matt Bettridge Infrastructure Partnership Division 703-235-5495 Reviewing Official Hugo Teufel, III Chief Privacy Officer Department

More information

CSAT Top-Screen Survey Application

CSAT Top-Screen Survey Application CSAT Top-Screen Survey Application User Guide September 2010 Version 1.99 Table of Contents 1. Introduction... 1 1.1 Chemical Facility Anti-Terrorism Standards... 1 1.2 The Top-Screen Process... 2 1.2.1

More information

CRITICAL INFRASTRUCTURE PROTECTION. DHS Action Needed to Verify Some Chemical Facility Information and Manage Compliance Process

CRITICAL INFRASTRUCTURE PROTECTION. DHS Action Needed to Verify Some Chemical Facility Information and Manage Compliance Process United States Government Accountability Office Report to Congressional Requesters July 2015 CRITICAL INFRASTRUCTURE PROTECTION DHS Action Needed to Verify Some Chemical Facility Information and Manage

More information

Risk-Based Performance Standards Guidance Chemical Facility Anti-Terrorism Standards. May 2009

Risk-Based Performance Standards Guidance Chemical Facility Anti-Terrorism Standards. May 2009 Risk-Based Performance Standards Guidance Chemical Facility Anti-Terrorism Standards May 2009 Department of Homeland Security Office of Infrastructure Protection Infrastructure Security Compliance Division

More information

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process. CIPS Overview Introduction The reliability of the energy grid depends not only on physical assets, but cyber assets. The North American Electric Reliability Corporation (NERC) realized that, along with

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

SOCMA Frequently Asked Questions on CFATS and Appendix A

SOCMA Frequently Asked Questions on CFATS and Appendix A Facility Coverage/Exemptions Q: Research and development labs will from time to time have chemicals on site which exceed an STQ. Some chemicals will be used and never be used again. Other chemicals currently

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day

8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354 2015 FRWA Annual Conference Don t Wait Another Day 1 SCADA Subsystems Management Physical Connectivity Configuration Mgmt.

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE

GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE (CLAIMS MADE BASIS) APPLICANT S INSTRUCTIONS: 1. Answer all questions. If the answer requires detail, please attach a separate

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Instructions for Completing the Information Technology Examination Officer s Questionnaire

Instructions for Completing the Information Technology Examination Officer s Questionnaire Instructions for Completing the Information Technology Examination Officer s Questionnaire Please answer the following information security program questions as of the examination date pre-determined by

More information

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Security for. Industrial. Automation. Considering the PROFINET Security Guideline Security for Industrial Considering the PROFINET Security Guideline Automation Industrial IT Security 2 Plant Security Physical Security Physical access to facilities and equipment Policies & Procedures

More information

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services Cyber Risk Mitigation via Security Monitoring Enhanced by Managed Services Focus: Up to But Not Including Corporate and 3 rd Party Networks Level 4 Corporate and 3 rd Party/Vendor/Contractor/Maintenance

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP Today s Topics SCADA Overview SCADA System vs. IT Systems Risk Factors Threats Potential Vulnerabilities Specific Considerations

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

IT Security for Process Control

IT Security for Process Control IT Security for Process Control Field Devices, Services and Maintenance INTERKAMA Forum, April 13 th, 2005 Slide 1 IT Security in Process Automation Content Why is this important? Security Measures in

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Computer Security Policy (Interim)

Computer Security Policy (Interim) Computer Security Policy (Interim) Updated May, 2001 Department of Information Systems & Telecommunications Table of Contents 1. SCOPE...1 2. OVERVIEW...1 3. RESPONSIBILITIES...3 4. PHYSICAL SECURITY...4

More information

Protecting Organizations from Cyber Attack

Protecting Organizations from Cyber Attack Protecting Organizations from Cyber Attack Cliff Glantz and Guy Landine Pacific Northwest National Laboratory (PNNL) PO Box 999 Richland, WA 99352 cliff.glantz@pnnl.gov guy.landine@pnnl.gov 1 Key Topics

More information

Office of Infrastructure Protection Infrastructure Security Compliance Division

Office of Infrastructure Protection Infrastructure Security Compliance Division Office of Infrastructure Protection Infrastructure Security Compliance Division Helpful Tips for Completing a Chemical Facility Anti-Terrorism Standards (CFATS) Site Security Plan Pursuant to the Chemical

More information

Building Insecurity Lisa Kaiser

Building Insecurity Lisa Kaiser Building Insecurity Lisa Kaiser Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Insecurity How do I Specify it Buy it Test it Deploy it Regret it Apologize for it Specifying Insecurity

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI Office of Regulatory Compliance 13001 E. 17 th Place, Suite W1124 Mail Stop F497 Aurora, CO 80045 Main Office: 303-724-1010 Main Fax: 303-724-1019 HIPAA Policy 7.1 Title: Source: Prepared by: Approved

More information

Re: Docket No. DHS-2014-0016, Advanced Notice of Proposed Rulemaking on the Chemical Facility Anti-Terrorism Standards

Re: Docket No. DHS-2014-0016, Advanced Notice of Proposed Rulemaking on the Chemical Facility Anti-Terrorism Standards October 15, 2014 U.S. Department of Homeland Security National Protection and Programs Directorate Office of Infrastructure Protection Infrastructure Security Compliance Division 245 Murray Lane, Mail

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

CYBER SECURITY POLICY For Managers of Drinking Water Systems

CYBER SECURITY POLICY For Managers of Drinking Water Systems CYBER SECURITY POLICY For Managers of Drinking Water Systems Excerpt from Cyber Security Assessment and Recommended Approach, Final Report STATE OF DELAWARE DRINKING WATER SYSTEMS February 206 Kash Srinivasan

More information

NETWORK INFRASTRUCTURE USE

NETWORK INFRASTRUCTURE USE NETWORK INFRASTRUCTURE USE Information Technology Responsible Office: Information Security Office http://ooc.usc.edu infosec@usc.edu (213) 743-4900 1.0 Purpose The (USC) provides its faculty, staff and

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

SCREENING FACILITIES FOR CYBER SECURITY RISK ANALYSIS. by Paul Baybutt Primatech Inc. paulb@primatech.com 614-841-9800 www.primatech.com.

SCREENING FACILITIES FOR CYBER SECURITY RISK ANALYSIS. by Paul Baybutt Primatech Inc. paulb@primatech.com 614-841-9800 www.primatech.com. SCREENING FACILITIES FOR CYBER SECURITY RISK ANALYSIS by Paul Baybutt Primatech Inc. paulb@primatech.com 614-841-9800 www.primatech.com Abstract Many chemical companies have performed security vulnerability

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS

WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS Introduction Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

Department of Homeland Security

Department of Homeland Security Effectiveness of the Infrastructure Security Compliance Division's Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program OIG-13-55 March 2013 OFFICE OF INSPECTOR GENERAL

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

Code of Practice for Cyber Security in the Built Environment

Code of Practice for Cyber Security in the Built Environment Brochure More information from http://www.researchandmarkets.com/reports/3085299/ Code of Practice for Cyber Security in the Built Environment Description: This code of practice explains why and how cyber

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

How Much Do I Need To Do to Comply? Vice president SystemExperts Corporation

How Much Do I Need To Do to Comply? Vice president SystemExperts Corporation How Much Do I Need To Do to Comply? Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda Background Requirements and you Risk language Risk Factors Assessing risk Program elements and

More information

HIPAA RISK ASSESSMENT

HIPAA RISK ASSESSMENT HIPAA RISK ASSESSMENT PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION) Practice Name: Address: City, State, Zip: Phone: E-mail: We anticipate that your Meaningful Use training and implementation

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Best Practices: Meeting CFATS Performance Requirements A Town Hall Meeting

Best Practices: Meeting CFATS Performance Requirements A Town Hall Meeting Best Practices: Meeting CFATS Performance Requirements A Town Hall Meeting Thursday, January 27, 2011 Education Government Relations Research & Technology Standards 635 Slaters Lane Suite 110 Alexandria,

More information

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups

More information

CSU, Chico Credit Card PCI-DSS Risk Assessment

CSU, Chico Credit Card PCI-DSS Risk Assessment CSU, Chico Credit Card PCI-DSS Risk Assessment Division/ Department Name: Merchant ID Financial Account Location (University, Auxiliary Organization) Business unit functional contact: : Title: Telephone:

More information

Resilient and Secure Solutions for the Water/Wastewater Industry

Resilient and Secure Solutions for the Water/Wastewater Industry Insert Photo Here Resilient and Secure Solutions for the Water/Wastewater Industry Ron Allen DA/Central and Steve Liebrecht Rockwell Automation Detroit W/WW Team Leader Your slides here Copyright 2011

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

Decrease your HMI/SCADA risk

Decrease your HMI/SCADA risk Decrease your HMI/SCADA risk Key steps to minimize unplanned downtime and protect your organization. Are you running your plant operations with serious risk? Most industrial applications lack recommended

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

SCOPE. September 25, 2014, 0930 EDT

SCOPE. September 25, 2014, 0930 EDT National Protection and Programs Directorate Office of Cyber and Infrastructure Analysis (OCIA) Critical Infrastructure Security and Resilience Note Critical Infrastructure Security and Resilience Note:

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

Appendix VIII SAS 70 Examinations of EBT Service Organizations

Appendix VIII SAS 70 Examinations of EBT Service Organizations Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service

More information

NARUC. Cyber Security Risk Assessment & Risk Mitigation Plan Review for the Kentucky Public Service Commission. NARUC Grants & Research

NARUC. Cyber Security Risk Assessment & Risk Mitigation Plan Review for the Kentucky Public Service Commission. NARUC Grants & Research NARUC 2013 Cyber Security Risk Assessment & Risk Mitigation Plan Review for the Kentucky Public Service Commission NARUC Grants & Research December 2013 The National Association of Regulatory Utility Commissioners

More information

Cyber Security Compliance (NERC CIP V5)

Cyber Security Compliance (NERC CIP V5) Cyber Security Compliance (NERC CIP V5) Ray Wright NovaTech, LLC Abstract: In December 2013, the Federal Energy Regulatory Commission (FERC) issued Order No. 791 which approved the Version 5 CIP Reliability

More information

Navigating the New MA Data Security Regulations

Navigating the New MA Data Security Regulations Navigating the New MA Data Security Regulations Robert A. Fisher, Esq. 2009 Foley Hoag LLP. All Rights Reserved. Presentation Title Data Security Law Chapter 93H Enacted after the TJX data breach became

More information

IT Security Standard: Computing Devices

IT Security Standard: Computing Devices IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Cybersecurity Health Check At A Glance

Cybersecurity Health Check At A Glance This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not

More information