Designing Compliant and Sustainable Security Programs 1 Introduction



Similar documents
Top 10 Compliance Issues for Implementing Security Programs

Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Standard CIP Cyber Security Security Management Controls

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

ICBA Summary of FFIEC Cybersecurity Assessment Tool

NERC CIP Compliance with Security Professional Services

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Vendor Risk Management Financial Organizations

NERC CIP VERSION 5 COMPLIANCE

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Cyber Security and Privacy - Program 183

Regulatory Compliance Management for Energy and Utilities

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Fusion Center Technology Resources Road Map: Elements of an Enterprise Architecture for State and Major Urban Area Fusion Centers

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

NRC Cyber Security Policy &

NERC-CIP S MOST WANTED

SOLUTION WHITE PAPER. Remedyforce Powerful Platform

TRIPWIRE NERC SOLUTION SUITE

CIP Physical Security. Nate Roberts CIP Security Auditor I

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

FFIEC Cybersecurity Assessment Tool

How To Evaluate A Cooperative For Safety

Why you should adopt the NIST Cybersecurity Framework

CIP Cyber Security Security Management Controls

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Office of Inspector General

Building Insecurity Lisa Kaiser

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

IT-CNP, Inc. Capability Statement

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

North American Electric Reliability Corporation (NERC) Cyber Security Standard

WHITE PAPER APRIL Leading an Implementation Campaign to Address the Convergence of Healthcare Reform Initiatives

Verve Security Center

Driving Business Value. A closer look at ERP consolidations and upgrades

Compliance, audit, risk, security what s the difference and why do we need it?

Why you should adopt the NIST Cybersecurity Framework

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Enterprise Security Tactical Plan

Summary of CIP Version 5 Standards

Seeing Though the Clouds

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Options for Cyber Security. Reactors. April 9, 2015

BPA Policy Cyber Security Program

Project, Program & Portfolio Management Help Leading Firms Deliver Value

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

IEEE-Northwest Energy Systems Symposium (NWESS)

Services. Hospital Solutions: Integrated Healthcare IT and Business Process Solutions that Achieve Breakthrough Results

2014 Audit of the Board s Information Security Program

Based on 2008 Survey of 255 Non-IT CEOs/Executives

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Symantec Control Compliance Suite. Overview

How To Transform It Risk Management

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

Managing Risk at Bank of America Corporation. Overview

Standard CIP Cyber Security Systems Security Management

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Response to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity

Roadmaps to Securing Industrial Control Systems

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

FERC, NERC and Emerging CIP Standards

PUB (MPI) 1-62 Reference: Gartner Scorecard

Information Systems Security Line of Business (ISS LoB)

Brochure. Update your Windows. HP Technology Services for Microsoft Windows 2003 End of Support (EOS) and Microsoft Migrations

Department of Management Services. Request for Information

FISMA Cloud GovDataHosting Service Portfolio

NERC Cyber Security Standards

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, Electric Grid Operations

Standard CIP 007 3a Cyber Security Systems Security Management

Transcription:

Designing Compliant and Sustainable Security Programs 1 Introduction The subject of this White Paper addresses several methods that have been successfully employed by DYONYX to efficiently design, and more importantly can be used to sustain, compliant Security Programs. Security Programs, in the context of this discussion, include the underlying policies, procedures, processes, instructions, controls, metrics, and evidentiary documentation required to comply with the requisite standards and, of course, to secure protected infrastructures and related sensitive information. While cyber security is the predominant focus of most Security Program discussions, physical security is an equally integral component of Security Programs and is applicable to the discussions herein. DYONYX has a great track record in applying these methods in designing Security Programs to protect critical infrastructures and sensitive documents in nuclear and fossil generation facilities, electric transmission infrastructures, oil storage facilities, public health facilities, federal agencies, and the financial services industry. A number of our comprehensive Security Program designs have received zero deficiency audit reports from regulatory agencies. 2 Background Security continues to be an ever increasing critical function in a multitude of industries towards assuring operations are reliable and information is secure. For example, the North American Electric Reliability Corporation (NERC 1 ) has been given the authority to develop and enforce mandatory standards (including cyber and physical security) for the reliable operation of the bulk electric systems 2 throughout North America. For nuclear facilities, the Nuclear Regulatory Commission (NRC) will enforce a set of complex new standards 3 to ensure that digital computer and communication systems and networks are adequately protected against cyber-attacks. In the federal space, the Federal Information Security Management Act (FISMA), through the 1 NERC develops and enforces reliability standards; assesses adequacy annually via a 10-year forecast, and summer and winter forecasts; monitors the bulk power system; and educates, trains and certifies industry personnel. 2 The Bulk Electric System is generally defined as the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, operated at voltages of 100 kv or higher. 3 In January 2010, the NRC staff issued RG 5.71, "Cyber Security Programs for Nuclear Facilities". This guidance provides an approach that the NRC staff deemed acceptable for complying with the Commission's regulations regarding the protection of digital computers, communications systems, and networks from a cyber-security attack. Subsequently the Nuclear Energy Institute (NEI) issued a new guideline NEI 08-09 Revision 6 which the NRC has approved for use to comply with the requirements of 10 CFR 73.54.

Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) publications, is triggering the need for comprehensive Security Programs to protect sensitive information and secure information systems. A long list of other security standards applicable to health information, financial information, and privacy concerns are also increasingly being applied to every day operations in many organizations. Accordingly, it is more important than ever to design and implement sustainable Security Programs that intrinsically add value and operational resiliency without burdening the impacted organizations. 3 Methods The focus of this document is to describe several methods that can be employed to accelerate the design and implementation of a customized and sustainable Security Program. It is important to note that while designing a compliant Security Program is a sizable task, the task of implementing the program can be equally significant, the effort for which is frequently underestimated. In this regard, while some of the methods may appear to be too time consuming, we believe the baseline framework and level of documentation will ultimately prove to be robust, reusable, and essential for implementing and sustaining the Security Program. In addition, the methods described herein can also be employed to evolve and optimize the initial Security Program design in response to implementation issues, changing standards, and configuration modifications of the infrastructures. With this understanding, three specific methods are discussed in the following subsections as follows: Application of business process reengineering concepts; Utilization of structured logic in constructing self-documenting processes and procedures; and Utilization of a functional framework for use in organizing the Security Program architecture. 3.1 Business Process Reengineering A compliant Security Program contains a number of components as illustrated in Figure 1. Requirements are derived from a variety of security standards as discussed in Section 2.0. Functions provide a framework to organize the Security Program for design, implementation, and sustainment (more about Functions in Section 3.3). Policies define what / shall be done in addressing the requirements. Processes, on the other hand, delineate a clear understanding of the Who, How, When, Where, Why the work control actions must flow to complete the requirements, ensure the Figure 1 Security Program Components integrity of the Security Program, and document all actions taken. Processes may be supplemented with instructions and detailed procedures. The important evidentiary documentation and metrics are generated from the

processes and procedures. In designing a Security Program, the development of the core components, specifically the processes, procedures, and instructions, represents the most time consuming task of the endeavor. Recognizing the complexities of the requirements and the multiple organizations involved in sustaining a Security Program, we believe industry proven business process reengineering techniques are especially relevant in designing compliant processes and appropriately incorporating procedures and instructions. Generically, business process re-engineering techniques were developed years ago by Michael Hammer 4, H. James Harrington 5, and others. Their application is applicable to changing existing processes to incorporate more efficient and effective methods to accomplish the underlying functional objectives. In terms of Security Program upgrades, we believe the same methods can be carried forward to develop processes that are compliant with the new requirements while leveraging existing processes and procedures. In summary, these proven process design oriented techniques are the most effective means for integrating the components of existing Security Programs with the requirements of new standards. Figure 2 represents a simplified example of a generic business process map associated with a security incident. The process includes multiple Tasks, Triggers, Decisions, and Results along with the roles and responsibilities 6 for carrying out the processes and making the decisions. The approach is to leverage the use of visual maps in the design of the process. Visual process maps can effectively delineate a clear understanding of the who, where, why, when, and how the work control actions flow and responsibilities for the same. They also provide a means to: Efficiently, through table top discussion sessions, develop customized processes commensurate with the operations and organizational responsibilities of the specific entity; Document the specific tasks that need to be completed setting up the requirements for creation of the evidentiary documentation; Provide a means to subsequently train users in the processes; and Provide a means to effectively document the baseline process for use in evolving or enhancing the process with future operational or requirement changes 7. In the generation of a process, a representative trial / strawman process is first produced for use in discussion sessions with the process owner and relevant subject matter experts, process users, and stakeholders to critique and refine the process. Subsequently, through appropriate table top review sessions, assurance can be provided that the resulting Security Program is 4 Michael Hammer, Reengineering the Corporation, 1993 5 H. James Harrington, Business Process Improvement, 1991 6 Roles and responsibilities are visually represented within Swim Lanes and may represent a single individual or a group of individuals. 7 DYONYX maintains process templates and customized processes in a commercially available process mapping tool facilitating the ability to easily modify the process as standards or other requirements change. More than 60 generic functionally organized (See Section 3.3) process maps and 100+ documents have been developed by DYONYX to facilitate the creation of custom Security Programs.

compliant and commensurate with current operations. Utilizing these business process re-engineering techniques, DYONYX has developed a set of generic compliant process templates (including rules and notations), evidentiary documentation, record layouts, and logical process matrices heretofore not available in the industry. The templates, organized into a functional framework 8, which represent strategic intellectual property for DYONYX, provide our clients with significant advantages in designing, from the ground up, custom Security Programs in an efficient manner. 3.2 Self Documenting Processes Figure 2 - Customizable Process The creation of evidentiary documentation and performance metrics is essential in evaluating the effectiveness of the Security Program, ensuring all relevant processes have indeed been completed, and supporting subsequent audit initiatives. Ideally the evidentiary documentation should be created during, not after, the execution of the processes. DYONYX has created a method whereby each Task within a defined process is documented in a document called the Traveler. Each time a process similar to the one in Figure 2 is completed, a new Traveler document is created. Depending upon the decisions made during the process, different sections of the Traveler document will have been completed. Two unique concepts are employed in this methodology: Creation of evidentiary documents during the execution of the underlying process 8 As discussed in Section 3.3.

ensuring the relevant documents and performance metrics are indeed completed; and Where appropriate (especially suitable for complex or critical processes), incorporation of our highly efficient ExPerT 9 methodology to ensure accurate execution and documentation of the process is achieved in an efficient manner. The Traveler document may be a hard copy document or electronic document embedded in an automated work flow implementation of the process depending upon the degree of automation and repeatability nature of the process. In summary, the timely generation and documentation of Travelers or other evidentiary documentation is critical to the integrity of the Security Program. 3.3 Functional Framework It is important that a Security Program, including the policies, procedures, instructions, controls, metrics, and evidentiary documentation, be organized in a meaningful and sustainable manner. The organization of requisite standards does not necessarily provide an appropriate structure for the organization of a Security Program. For example, in the design of NERC CIP Reliability Standard (CIP Standard) compliant Security Programs, one might envision that the requirements can be addressed through a straight-forward standard-by-standard set of policies, processes, etc. However, a more detailed analysis of the specific requirements of this particular CIP Standard revealed that a complex array of dependencies and interrelationships existed between the forty-three (43) high-level requirements distributed across eight (8) topical areas of the CIP Standard. This irregularity is apparent in many security standards. Organizations and standards have unfortunately been frequently used to frame a Security Program design neither of which offers a stable structure. In the worst case, if the organization changes or the structure of the standard changes (which is forthcoming for the CIP Standard), an inappropriately designed Security Program may require a complete redesign. In addressing this confusion and mitigating the risks of a redesign effort, DYONYX developed the highly- praised functional framework 10 concept for functionally organizing the Security Program components (policies, processes, plans, programs, procedures, evidentiary records). Functions represent what the organization does to accomplish the stated mission, goal and objectives of the underlying entity. As such, unlike organization structures or standards, functions do not frequently change. The functional framework provides the most effective program framework to design, implement, and most importantly sustain the operations of a Security Program. While the initial functional framework (15 functions) was developed for the NERC CIP Reliability Standard compliant Security Programs (see Figure 3), the concepts can be equally applied to other standards, albeit many are more aligned with the functional framework concept. For example, for the more complex nuclear Security Programs, nineteen (19) functions were defined. 9 ExPerT Performance Transfer methodology is a proprietary procedure documentation methodology licensed by DYONYX from CATADR. A detailed White Paper is available that describes this methodology in more detail. 10 Concept was published in Public Utilities Fortnightly, September 2006.

Figure 3 - NERC CIP Reliability Standard Security Program Functional Framework In summary, we highly recommend that the architecture of a sustainable Security Program needs to be structured around a stable functional framework. For more information: Nick Nelson Sales & Marketing Director 713-485-7145 Nick.Nelson@dyonyx.com DYONYX LP, is an award winning information technology consulting, outsourcing and IT services firm dedicated to helping clients across the globe. Consulting services include regulatory compliance, security assessments, risk assessments, gap analysis, business process optimization and high level IT strategy. Managed Services include Virtual Cloud Services, ITILv3-aligned Service Desk (Help Desk), managed network and security, disaster recovery, and hosted Exchange. Learn more: www.dyonyx.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information