Tyson Jarrett CIP Enforcement Analyst. Best Practices for Security Patch Management October 24, 2013 Anaheim, CA
2 A little about me
Graduated from the University of Utah with a Masters in Information Systems
Have been with WECC for 2 years 11 months
Reviewed 1,407 CIP items
Ran my first Marathon this month
3 Wrong reasons to Patch
4 Why Patch Management
Cyber Security Patches are key to averting many known vulnerabilities to Cyber Assets and the environment
Identified by ICS-CERT as one of the top security challenges within Industrial Control Systems
Most importantly: Requested by YOU!!
5 Intent of CIP 007 R3
The intent of R3 is to know, track, and mitigate known software vulnerabilities associated with BPS Cyber Assets. It is not intended as an "install every security patch" requirement; instead it should be considered more of a "be aware of in a timely manner, and manage all known vulnerabilities" requirement.
6 CIP-007-3 R3 Security Patch Management
The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
o R3.1. The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades.
o R3.2. The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
7 Agenda
Tracking, Evaluating, Testing, and Installing applicable cyber security software patches
o Common Pitfalls
o Best Practices
o Audit/Enforcement Approach
8 Tracking
9 Tracking Common Pitfall #1
Only tracking patches available at the Operating System level
Entity only tracks patches with Windows Server Update Services (WSUS)
o WSUS does not actively identify or track other applications and/or software running on the Windows box
o Thus all third-party applications on the device are not being actively tracked
10 Tracking Common Pitfall #2
Not maintaining appropriate documentation, including:
o Incomplete or inaccurate list of devices and applications running on those devices
o Not knowing or documenting where patch releases are located
Leads to systems not getting patched for known security vulnerabilities
11 Tracking Best Practices: Patch Tracking Process
o Asset identification
o Patch and Upgrade identification
o Patch and Upgrade source identification
12 Tracking Best Practices: Asset Identification
o Ensure all applicable cyber assets are documented
    Leverage other CIP requirements (CIP 002 R3 and CIP 005 R1.6) when identifying assets
    Include a step to periodically verify the accuracy of the list
o Use a combination of automated tools and manual walkthroughs/verifications to ensure the list is accurate
13 Tracking Best Practices: Patch/Upgrade Identification
o Identify and document all applications, Operating Systems, and firmware on cyber assets
    Minimize applications on CIP 007 applicable devices to only what is necessary
    Include steps to periodically verify the accuracy of the list
14 Tracking Best Practices: Patch/Upgrade Source identification and notification
o Where are the patches located?
o How will you get notified of a new patch?
    Vendor
    Manually visiting webpage
    Automated scanner (WSUS, patch management software)
o Implement periodic manual checks to verify automated solutions are functioning properly
15 Tracking Best Practices: Patch Management tools
o Commercial Software
o Database
o Spreadsheet
o Paper (Don't do this!!)
o Brain (Don't do this!!)
16 Tracking Best Practices: Commercial Vendor
Pros:
o Built with the intent to track and manage patches and upgrades
o Vendor support can reduce the need for in-house expertise
o Can come with useful features: asset identification, automated notifications, baseline creation and update, vulnerability scanning
Cons:
o Evidence presentation and retention may need additional planning
o Research needs to be done ahead of time to ensure the right product is chosen. See SANS "A Practical Methodology for Implementing a Patch Management Process" for 9 items to consider when picking an automated solution (pg. 7).
17 Tracking Best Practices: Some Commercial Vendors
18 Tracking Best Practices: Database
Pros:
o Reduces redundancy
o Reporting features allow for evidence retrieval
o Can reduce data entry, storage, and retrieval costs
Cons:
o Can be complex and difficult to implement
o Not always practical to build from scratch
o May need new personnel familiar with creating and maintaining a database
o Personnel may need additional training
19 Tracking Best Practices: Spreadsheet
Pros:
o Easy to implement
o Low cost
Cons:
o Updating data can be difficult and often requires creating a new spreadsheet to maintain historical evidence
o Can require repetition with other processes for updating data (current patch version, work orders, etc.)
o Useful information usually needs to be stored on another spreadsheet: what devices have what applications/OS/firmware, where patches are located, how notifications are being received
20 Tracking Audit Approach
Maintain documented procedures for tracking patches and updates
Evidence of actively monitoring all available software and firmware
o Develop a list of all monitored applications/OS/firmware
o Identify and document the process and location for notifications of updates
o All applications/Operating Systems/firmware that MAY receive security patches must be accounted for in Patch Management tracking procedures
21 Evaluating
22 Evaluating Common Pitfall #1
Relying on the Industrial Control System (ICS) vendor to evaluate applicability of patches
o Due to fear of voiding the warranty with the ICS vendor, the entity leaves all patch management responsibilities to the ICS vendor
o Entity does not have procedures or a timeline in place for evaluating patch applicability
23 Evaluating Common Pitfall #2
Not consistently evaluating patches within 30 days of availability
o Entity tracks patches once a month
    Thus the entity continuously misses the 30 day deadline, as it does not have enough time to evaluate patches
o SMEs mis-read documentation and didn't verify whether all software had patches available
24 Evaluating Best Practice
Identify:
o How the assessment will be documented
o Specific personnel responsible for assessing the patches and upgrades
    Should have collaboration with both IT and operations staff
25 Evaluating Best Practice
Implement a peer review process to verify evaluations are done correctly and necessary documentation is maintained
Conduct periodic training on evaluation procedures and required documentation
26 Evaluating Best Practice
Plan ahead
o Track patches at least every two weeks to ensure enough time is available to evaluate patches within the required 30 days of availability
27 Evaluating Best Practice
Don't rely on the ICS vendor to evaluate patches
o Determining that a patch is applicable will not void a warranty
    Entities may still elect to wait for ICS vendor approval prior to installing a patch
o ICS vendors are not required by CIP to assess patches immediately, YOU are!
28 Evaluating Audit Approach
Documented process for determining if patches and upgrades are applicable
o An assessment should consist of a determination of the applicability of each patch to the entity's specific environment and systems. Applicability determination is based primarily on whether the patch applies to a specific software or hardware component that the entity does have installed in an applicable Cyber Asset.
29 Evaluating Audit Approach
Must maintain evidence of identification and evaluation of applicability within 30 days of availability
o Evidence should include the date the patch or upgrade was made available, the date it was evaluated, and evidence that the documented evaluation process was followed
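The register below is an added example, not material from the presentation or from WECC. It keeps the evidence fields the audit approach asks for (availability date, assessment date, applicability, installation or compensating measures), flags records that miss the 30-calendar-day R3.1 window or lack the R3.2 documentation, and shows why the once-a-month tracking cadence from Pitfall #2 cannot meet the window while the two-week cadence from the "Plan ahead" slide can. Field names, asset names and the sample records are constructed for this example.

```python
"""Patch assessment register for CIP-007-3 R3.1 / R3.2 evidence (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

R3_1_WINDOW_DAYS = 30  # R3.1: "within thirty calendar days of availability"


@dataclass
class PatchRecord:
    patch_id: str                      # vendor advisory/KB id (constructed)
    asset: str                         # Cyber Asset within the ESP (constructed)
    available: date                    # date the vendor made the patch available
    assessed: Optional[date] = None    # date applicability was documented
    applicable: Optional[bool] = None  # result of the documented assessment
    installed: Optional[date] = None   # date installed, if it was
    compensating_measures: List[str] = field(default_factory=list)

    @property
    def assessment_deadline(self) -> date:
        return self.available + timedelta(days=R3_1_WINDOW_DAYS)


def r3_findings(rec: PatchRecord, today: date) -> List[str]:
    """Evidence gaps for one record as of `today` (empty list means no gap)."""
    findings: List[str] = []
    if rec.assessed is None:
        if today > rec.assessment_deadline:
            findings.append("R3.1: assessment overdue")
    elif rec.assessed < rec.available:
        findings.append("evidence: assessment dated before availability")
    elif rec.assessed > rec.assessment_deadline:
        findings.append("R3.1: assessment documented late")
    if rec.applicable and rec.installed is None and not rec.compensating_measures:
        findings.append("R3.2: applicable patch not installed and no "
                        "compensating measures documented")
    if rec.installed is not None and rec.assessed is None:
        findings.append("evidence: installed without a documented assessment")
    return findings


def register_report(records: List[PatchRecord], today: date) -> Dict[str, List[str]]:
    """Findings keyed by patch id, for every record in the register."""
    return {rec.patch_id: r3_findings(rec, today) for rec in records}


def worst_case_assessment_day(check_every_days: int, eval_days: int) -> int:
    """Longest gap between availability and documented assessment.

    Worst case: the patch is released just after a tracking check, so it is
    not noticed until the next check, and then still needs `eval_days`.
    """
    return check_every_days + eval_days


def cadence_meets_window(check_every_days: int, eval_days: int) -> bool:
    """True if the tracking cadence can always satisfy the R3.1 window."""
    return worst_case_assessment_day(check_every_days, eval_days) <= R3_1_WINDOW_DAYS


# Constructed sample register; the review date is the date of the talk.
TODAY = date(2013, 10, 24)
SAMPLE_RECORDS = [
    PatchRecord("PATCH-A", "ems-hmi-01", date(2013, 9, 10), assessed=date(2013, 9, 20),
                applicable=True, installed=date(2013, 10, 1)),
    PatchRecord("PATCH-B", "ems-hist-01", date(2013, 9, 1), assessed=date(2013, 10, 5),
                applicable=True,
                compensating_measures=["host firewall blocks the affected service"]),
    PatchRecord("PATCH-C", "rtu-gw-02", date(2013, 9, 15)),   # never assessed
    PatchRecord("PATCH-D", "ems-app-03", date(2013, 10, 1), assessed=date(2013, 10, 10),
                applicable=True),                              # applicable, not installed
]

if __name__ == "__main__":
    for pid, gaps in register_report(SAMPLE_RECORDS, TODAY).items():
        print(pid, gaps or "ok")
    # Monthly tracking (31-day worst case) cannot meet R3.1; every two weeks can.
    for cadence in (31, 14):
        print(f"check every {cadence} days, 5-day evaluation:",
              "meets window" if cadence_meets_window(cadence, 5) else "misses window")
```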
30 Testing
31 Testing Common Pitfall #1
Patches are automatically installed, and thus not tested prior to installation
o Entity was unaware the device was configured for automated updating
32 Testing Common Pitfall #2
Conducted functional testing only
o Entity's testing procedures required security patches to be installed in the test system for 1 week, then deployed to production if nothing broke
    Entity does not identify or document security controls impacted by the patch being installed
33 Testing Best Practices
Use existing CIP 007 R1 Test Procedures
o Don't re-invent the wheel!!
Specific Documentation
o Identify what tests are performed, when, and why
o Who is responsible for conducting the testing? Who is responsible for approving the test?
o What do the results of the testing mean? What is a pass or fail?
34 Testing Best Practices
Implement a peer review process to verify testing was done per procedures
Implement periodic follow-up testing to validate that current testing procedures are capturing the data needed to make the installation decision
35 Testing Best Practice
Disable automatic updates
o Configure software to notify but not install
o Implement a verification process to periodically check for any cases where patches aren't being tested
36 Testing Audit Approach
At minimum must be compliant with CIP 007 R1 testing procedures
o From CIP 007 R1: a significant change shall, at minimum, include implementation of security patches
o Technical narrative describing testing environment(s)
    Include how the test environment is similar/dissimilar to the production environment
37 Testing Audit Approach
Documented testing procedures for each cyber asset (or asset type) within the ESP
At minimum, testing needs to ensure existing security controls are not adversely affected
o Before and after the test, identify and document ports and services, user accounts, Logging/Alerting functionality, and anti-virus
Controls should be in place to protect the production environment
o Separate test environment
o Back-out plan
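The comparison below is an added example, not code from the presentation. It takes the before-and-after documentation the audit approach calls for (ports and services, user accounts, logging/alerting, anti-virus) as two snapshots of a test-environment host, reports only the changes that weaken an existing control, and turns that into the explicit pass/fail the "Specific Documentation" slide asks procedures to define. The snapshot layout and sample data are constructed for this example.

```python
"""Before/after security-control check for patch testing (added example)."""
from typing import Any, Dict, List

Snapshot = Dict[str, Any]


def control_regressions(before: Snapshot, after: Snapshot) -> List[str]:
    """Changes between two snapshots that weaken an existing security control."""
    issues: List[str] = []

    # Ports and services: anything newly listening or newly enabled widens exposure.
    for port in sorted(set(after["listening_ports"]) - set(before["listening_ports"])):
        issues.append(f"ports: new listening port {port}")
    for svc in sorted(set(after["enabled_services"]) - set(before["enabled_services"])):
        issues.append(f"services: newly enabled service {svc}")

    # User accounts: new accounts, or previously disabled accounts that are now enabled.
    for name, state in after["accounts"].items():
        prev = before["accounts"].get(name)
        if prev is None:
            issues.append(f"accounts: new account {name}")
        elif not prev["enabled"] and state["enabled"]:
            issues.append(f"accounts: account re-enabled {name}")

    # Logging/alerting: a control that was on before the patch must still be on.
    for key in ("security_log_enabled", "forwarding_enabled"):
        if before["logging"][key] and not after["logging"][key]:
            issues.append(f"logging: {key} turned off")

    # Anti-virus: still running, signatures not rolled back (ISO date strings compare in order).
    if before["antivirus"]["running"] and not after["antivirus"]["running"]:
        issues.append("antivirus: not running after the patch")
    if after["antivirus"]["signature_date"] < before["antivirus"]["signature_date"]:
        issues.append("antivirus: signature date regressed")
    return issues


def installation_verdict(before: Snapshot, after: Snapshot) -> str:
    """Pass/fail as the procedure should define it: any control regression fails."""
    return "FAIL" if control_regressions(before, after) else "PASS"


# Constructed snapshots of one test-environment host, taken before and after a patch.
BEFORE: Snapshot = {
    "listening_ports": [22, 443],
    "enabled_services": ["sshd", "ntpd"],
    "accounts": {"operator": {"enabled": True}, "guest": {"enabled": False}},
    "logging": {"security_log_enabled": True, "forwarding_enabled": True},
    "antivirus": {"running": True, "signature_date": "2013-10-20"},
}
AFTER: Snapshot = {
    "listening_ports": [22, 443, 5985],                  # patch opened a management port
    "enabled_services": ["sshd", "ntpd", "remote-mgmt"],
    "accounts": {"operator": {"enabled": True}, "guest": {"enabled": True}},  # guest re-enabled
    "logging": {"security_log_enabled": True, "forwarding_enabled": False},   # forwarding off
    "antivirus": {"running": True, "signature_date": "2013-10-20"},
}

if __name__ == "__main__":
    for issue in control_regressions(BEFORE, AFTER):
        print(issue)
    print("verdict:", installation_verdict(BEFORE, AFTER))
```

The full before/after listings themselves remain the evidence to retain; this check only decides whether they show an adverse effect.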
38 Installing
39 Installing Common Pitfalls
Not updating the baseline after the change is made
o Personnel were unaware who was supposed to update the baseline documentation
o Procedures didn't explicitly call out updating documentation
40 Installing Best Practice
Leverage CIP 003 R6 Change Control and Configuration Management procedures
o When installing a security patch
o Following procedures during install
o Updating baseline after the change
Identify who is responsible for installing the patch or upgrade and updating documentation afterwards
41 Installing Best Practice
Use checklists to help SMEs easily identify all that is required as part of the installation
Procedures should identify an acceptable time frame to install an applicable patch
o Note: the Requirement does not specify a required time to install a patch or upgrade
Create a back-out plan
o Ensure backups and recovery plan are up to date and tested
42 Installing Audit Approach
Documented procedures for installing security patches and upgrades
o Evidence of installation of patches as defined in documented procedures
Evidence Documentation
o Cyber Assets the patch/upgrade was installed on
o Who installed the patch
o Updated device baseline after installation
o Date of installation
43 Installing Audit Approach
If a patch or upgrade is applicable but not installed, must implement and document Compensating Measures
o Additionally, a Technical Feasibility Exception (TFE) may need to be submitted if the device will not be installing any new patches
44 Summary
Procedures must include methods for Tracking, Evaluating, Testing, and Installing security patches
Take extra time planning how patches will be tracked and documented to lessen the burden of patch management further down the road
Entities are responsible for compliance, not the entity's ICS vendor
45 References
Ben Christensen's Root Cause Analysis for Commonly Violated Requirements
SANS, A Practical Methodology for Implementing a Patch Management Process
ICS-CERT, Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies
46 Questions? Tyson Jarrett CIP Enforcement Analyst
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationHP Data Replication Solution Service for 3PAR Virtual Copy
HP Data Replication Solution Service for 3PAR Virtual Copy HP Care Pack Services Technical data HP Data Replication Solution Service for 3PAR Virtual Copy provides implementation of the HP 3PAR Storage
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More informationSIMPLIFYING THE PATCH MANAGEMENT PROCESS
SIMPLIFYING THE PATCH MANAGEMENT PROCESS www.icsupdate.com Monta Elkins Security Architect FoxGuard Solutions melkins@foxguardsolutions.com SIMPLIFYING THE PATCH MANAGEMENT PROCESS 2 SIMPLIFYING THE PATCH
More informationThe Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach
The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach by Philippe Courtot, Chairman and CEO, Qualys Inc. Information Age Security Conference - London - September 25
More informationCyber security tackling the risks with new solutions and co-operation Miikka Pönniö 22.9.2015
Siemens Osakeyhtiö Cyber security tackling the risks with new solutions and co-operation Miikka Pönniö 22.9.2015 Restricted Siemens Osakeyhtiö 2015. All Rights Reserved. siemens.fi/answers Cyber security
More informationA Tactical Approach to Continuous Compliance. Walt Sikora, Vice President Security Solutions EMMOS 2013
A Tactical Approach to Continuous Compliance Walt Sikora, Vice President Security Solutions EMMOS 2013 Abstract NERC has moved quickly to address shortcomings and lack of clarity in previous versions of
More informationAutomated Patch Management Service
Service Data Sheet Automated Patch Management Service Establishes elements for successful and proactive Automated Patch Management strategy for anti-virus signature screens, OS security patching and DeltaV
More informationSimply Sophisticated. Information Security and Compliance
Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns
More informationGE Measurement & Control. Cyber Security for Industrial Controls
GE Measurement & Control Cyber Security for Industrial Controls Contents Overview...3 Cyber Asset Protection (CAP) Software Update Subscription....4 SecurityST Solution Options...5 Centralized Account
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationCyber Security Compliance (NERC CIP V5)
Cyber Security Compliance (NERC CIP V5) Ray Wright NovaTech, LLC Abstract: In December 2013, the Federal Energy Regulatory Commission (FERC) issued Order No. 791 which approved the Version 5 CIP Reliability
More informationTesting Control Systems
Testing Control Systems with Microsoft s Attack Surface Analyzer { Digital Bond, Inc Michael Toecker, PE ddddddddd ICSJWG October 15 th 18 th Track III { { Michael Toecker, PE Professional Engineer 8 Years
More informationIntroduction to Cloud Computing What is SaaS? Conventional vs. SaaS Methodologies Validation Requirements Change Management Q&A
Best Practices for Validation of a Software as a Service (SaaS) Customer Relationship Management (CRM) Solution Presented By: Gregg Mauriello Validation Manager Elise Miner Associate Validation Manager
More informationPatch Management Policy
Patch Management Policy L2-POL-12 Version No :1.0 Revision History REVISION DATE PREPARED BY APPROVED BY DESCRIPTION Original 1.0 2-Apr-2015 Process Owner Management Representative Initial Version No.:
More informationHow to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework
How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework Jacques Benoit, Cooper Power Systems Inc., Energy Automations Solutions - Cybectec Robert O Reilly, Cooper
More informationSECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES
REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company
More informationKevin Staggs - CISSP February 2, 2009. Patch Management
Kevin Staggs - CISSP February 2, 2009 Patch Management Topics Our philosophy Advice to our customers Patch qualification and management How we support our customers Industry needs Resources Summary 2 Our
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationValidating Enterprise Systems: A Practical Guide
Table of Contents Validating Enterprise Systems: A Practical Guide Foreword 1 Introduction The Need for Guidance on Compliant Enterprise Systems What is an Enterprise System The Need to Validate Enterprise
More informationNavigate Your Way to NERC Compliance
Navigate Your Way to NERC Compliance NERC, the North American Electric Reliability Corporation, is tasked with ensuring the reliability and safety of the bulk power system in North America. As of 2010,
More informationIRA Risk Factors Update for CIP. Ben Christensen Senior Compliance Risk Analyst, Cyber Security October 14, 2015
IRA Risk Factors Update for CIP Ben Christensen Senior Compliance Risk Analyst, Cyber Security October 14, 2015 2 Agenda Why the changes? What s new? Example of a Risk Factor How does this effect CIP V5?
More informationNERC CIP Compliance with Security Professional Services
NERC CIP Compliance with Professional Services The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is
More informationUniversity of Central Florida Class Specification Administrative and Professional. Director Enterprise Application Development
Director Enterprise Application Development Job Code: 2511 Report to the University Chief Technology Officer. Serve as the top technical administrator for enterprise computer programs and data processing
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More information