TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Transcription

1 Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security standards, as well. BR Ability to adhere to best practices as defined by PCI, NERC CIP cyber security standards Mary Zientara Robert Smith 2008/02/26 TDSP Web Portal Project Cyber Security Standards Best Practices A. Build and Maintain a Secure Network 1. PCI Requirement 1: Install and maintain a firewall configuration to protect critical data Includes the following activities: 1.1 Establish firewall configuration standards; 1.2 Build a firewall configuration that denies all traffic from untrusted networks and hosts; 1.3 Build a firewall configuration that restricts connections between publicly accessible serves and any system component storing critical data, including any connections from wireless networks; 1.4 Prohibit direct public access between external networks and any system component that stores critical data; and 1.5 Implement address translation to prevent internal addresses from being translated and revealed on the Internet. 2. PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1 Always change vendor-supplied defaults before installing a system on a network. 2.2 Develop configuration standards for all system components. 2.3 Encrypt all non-console administrative access. 1

2 2.4 Hosting providers must protect each entity s hosted environment and data. 3. NERC CIP Electronic Security Perimeter(s) Page 2 of 10 Requirement 1: Electronic Security Perimeter: The responsible party shall ensure that every critical cyber asset resides within an electronic security perimeter (the logical border surrounding a network) to which critical cyber assets are connected and for which access is controlled. The responsible party shall identify and document the electronic security perimeter and access points to the perimeter. Requirement 2: Electronic Access Controls: The responsible party shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter. Requirement 3: Monitoring Electronic Access: The responsible party shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the electronic security perimeter(s) twenty-four hours a day, seven days a week. Requirement 4: Cyber Vulnerability Assessment: The responsible party shall perform a cyber vulnerability assessment of electronic access points to the electronic security perimeter(s) at least annually. Requirement 5: Documentation Review and Maintenance: The responsible party shall review, update, and maintain all documentation and support compliance with the requirements of CIP-005. B. Protect Critical data 1. PCI Requirement 3: Protect stored critical data 3.1 Keep critical data storage to a minimum. Develop a data retention and disposal policy. 3.2 Do not store sensitive authentication data subsequent to authorization even if encrypted. 3.5 Protect encryption keys used for encryption of critical data against both disclosure and misuse. 3.6 Fully document and implement all key management processes and procedures for keys used for encryption of critical data. 2

3 2. PCI Requirement 4: Encrypt transmission of critical data across open, public networks. C. Identify Critical Cyber Assets Page 3 of Use strong cryptography and security protocols to safeguard sensitive critical data during transmission over open, public networks. 1. NERC CIP Critical Cyber Asset Identification Requirement 1: The responsible party shall maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria. The risk-based assessment shall include all applicable assets including physical and cyber assets. Requirement 2: The responsible party shall develop a list of the identified critical physical assets determined through application of the risk-based assessment required in Requirement 1. Requirement 3: Using the list from Requirement 2, the responsible party shall develop a list of the associated critical cyber assets essential to the operation of each critical asset. The responsible party will review this list at least annually and update as necessary. Requirement 4: A senior manager of the responsible party shall annually review and approve the list of critical assets and critical cyber assets. The responsible party shall maintain a signed and dated record of the senior manager s approval of these lists. D. Maintain a Vulnerability Management Program 1. PCI Requirement 5: Use and regularly update anti-virus software 5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers). 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. 2. PCI Requirement 6: Develop and maintain secure systems and applications 3

4 Page 4 of Ensure that all system components and software have the latest vendor-supplied security patches installed. 6.2 Establish a process to identify newly discovered security vulnerabilities and update standards to address new vulnerability issues. 6.3 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle. 6.4 Follow change control procedures for all system and software configuration changes. 6.5 Develop all web applications based on secure coding guidelines. Review custom application code to identify coding vulnerabilities. 6.6 Ensure that all web-facing applications are protected against known attacks. 3. NERC CIP Systems Security Management Requirement 1: Test Procedures: The responsible party shall ensure that new cyber assets and significant changes to existing cyber assets within the electronic security perimeter do not adversely affect existing cyber security controls. Requirement 2: Ports and Services: The responsible party shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled. Requirement 3: Security Patch Management: The responsible party, either separately or as a component of the documented configuration management process specified in CIP-003 Requirement 6, shall establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all cyber assets within the electronic security perimeter(s). Requirement 4: Malicious Software Prevention: The responsible party shall use anti-virus software and other malicious software ( malware ) prevention tools, where technically feasible to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all cyber assets within the electronic security perimeter. Requirement 5: Account Management: The responsible party shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. 4

5 Page 5 of 10 Requirement 6: Security Status Monitoring: The responsible party shall ensure that all cyber assets within the electronic security perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. Requirement 7: Disposal or Redeployment: The responsible party shall establish formal methods, processes, and procedures for disposal or redeployment of cyber assets within the electronic security perimeter(s) as identified in CIP-005. Requirement 8: Cyber Vulnerability Assessment: The responsible party shall perform a cyber vulnerability assessment of all cyber assets within the electronic security perimeter at least annually E. Implement Strong Access Control Measures 1. PCI Requirement 7: Restrict access to critical data by business need-to-know 7.1 Limit access to computing resources and user information only to those individuals show job requires access. 7.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know and is set to deny all unless specifically allowed. 2. PCI Requirement 8: Assign a unique ID to each person with computer access 8.1 Identify all users with a unique user name before allowing them to access system components or critical data. 8.2 Employ at least one of the following methods to authenticate all users: password, token devices, and/or biometrics 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. 8.4 Encrypt all passwords during transmission and storage on all system components. 8.5 Ensure proper user authentication and password management on all system components. 3. PCI Requirement 9: Restrict physical access to critical data 5

6 Page 6 of Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit critical data. 9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where critical data is accessible. 9.3 Make sure all visitors are authorized before entering areas where critical data is processed or maintained. Make sure they are identified and monitored during their visit and that their departure is noted. 9.4 Use a visitor log to maintain a physical audit trail of visitor activity and maintain for three months. 9.5 Store media back-ups in a secure location, preferably in an off-site facility. 9.6 Physically secure all paper and electronic media that contain critical data. 9.7 Maintain strict control over the internal or external distribution of any kind of media that contains critical data. 9.8 Ensure management approves any and all media that is moved from a secure area. 9.9 Maintain strict control over the storage and accessibility of media that contains critical data Destroy media containing critical data when it is no longer needed. 4. NERC CIP Physical Security of Critical Cyber Assets Requirement 1: Physical Security Plan: The responsible party shall create and maintain a physical security plan that is approved by senior management or delegate(s). Requirement 2: Physical Access Controls: The responsible party shall document and implement the operational and procedural controls to manage physical access at all access points to the physical security perimeter(s) twenty-four hours a day, seven days a week. Requirement 3: Monitoring Physical Access: The responsible party shall document and implement the technical and procedural controls for monitoring physical access to all access points to the physical access perimeter(s) twenty-four hours a day, seven days a week. Requirement 4: Logging Physical Access: Logging shall record sufficient information to uniquely identify individuals and the time of access twenty-four hours a day, seven days a week. 6

7 Page 7 of 10 Requirement 5: Access Log Retention: The responsible party shall retain physical access logs for at least ninety (90) calendar days. Logs related to incidents shall be kept in accordance with CIP-008. Requirement 6: Maintenance and Testing: The responsible party shall implement a maintenance and testing program to ensure that all physical security systems under Requirements 2, 3 and 4 function properly. F. Regularly Monitor and Test Networks 1. PCI Requirement 10: Track and monitor all access to network resources and critical data 10.1 Establish a process for linking all access to system components to each individual user Implement automated audit trails for all system components to reconstruct events Record the following audit trail entries for all system components for each event: a) user identification; b) type of event; c) date and time; d) success or failure indication; e) origination of event and f) name of affected data, system component, or resource Synchronize all critical system clocks and times Secure audit trails so they cannot be altered Review log for all system components at least daily Retain audit trail history for at least one year, with a minimum of three months on-line availability. 2. PCI Requirement 11: Regularly test security systems and processes 11.1 Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts Run internal and external network vulnerability scans at least quarterly and after any significant change in the network Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. 7

8 Page 8 of Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files; and configure the software to perform critical file comparisons at least weekly. G. Maintain an Information Security Policy 1. PCI Requirement 12: Maintain a policy that addresses information security 12.1 Establish, publish, maintain and disseminate a security policy Develop daily operational security procedures that are consistent with the PCI specifications Develop usage policies for critical employee-facing technologies to define proper use of these technologies for all employees and contractors Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors Assign to an individual or team security management responsibilities Implement a formal security awareness program to make all employees aware of the importance of critical data security Screen potential employees to minimize the risk of attacks from internal sources N/A 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach All processors and service providers must maintain and implement policies and procedures to manage connected entities. 2. NERC CIP Security Management Controls Requirement 1: Cyber Security Policy: The responsible party shall document and implement a cyber security policy that represents management s commitment and ability to secure its critical cyber assets. Requirement 2: Leadership: The responsible party shall assign a senior manager with overall responsibility for leading and managing the implementation and adherence to cyber security requirements. 8

9 Requirement 3: Exceptions: Instances where the responsible party cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate. Page 9 of 10 Requirement 4: Information Protection: The responsible party shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. Requirement 5: Access Control: The responsible party shall document and implement a program for managing access to protected critical cyber asset information. Requirement 6: Change Control and Configuration Management: The responsible party shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of critical cyber assets pursuant to the change control process. H. Conduct Cyber Security Awareness and Training Programs 1. NERC CIP Personnel & Training Requirement 1: Awareness: The responsible party shall establish, maintain, and document a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on a least a quarterly basis. Requirement 2: Training: The responsible party shall establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets. The program shall be reviewed annually and updated as necessary. Requirement 3: Personnel Risk Assessment: The responsible party shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical assess. Requirement 4: Access: The responsible party shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to 9

10 critical cyber assets, including their specific electronic and physical access rights to critical cyber assets. Page 10 of 10 I. Preparation for and Recovery from Cyber Incidents 1. NERC CIP Incident Reporting and Response Planning Requirement 1: Cyber Security Incident Response Plan: The responsible party shall develop and maintain a Cyber Security Incident Response Plan. Requirement 2: Cyber Security Incident Documentation: The responsible party shall keep relevant documentation related to Cyber Security Incidents for three calendar years. 2. NERC CIP Recovery Plans for Critical Cyber Assets Requirement 1: Recovery Plans: The responsible party shall create and annually review recovery plan(s) for critical cyber assets. Requirement 2: Exercises: The recovery plan(s) shall be exercised at least annually through various mechanisms including a paper drill, a full operational exercise or recovery from an actual event. Requirement 3: Change Control: Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Changes shall be communicated to those responsible for implementation and activation within ninety (90) calendar days of a change. Requirement 4: Backup and Restore: The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. Requirement 5: Testing Backup Media: Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. 10