Presentation is loading. Please wait.

Presentation is loading. Please wait.

US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June.

Published byEthelbert Bond Modified over 8 years ago

Similar presentations

Presentation on theme: "US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June."— Presentation transcript:

1 US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June 26, 2007

2 US Federal ICS Security Standards and Guidelines Overview
FISMA NIST SP NIST SP A NIST SP

3 FISMA Legislation Overview
“Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…” -- Federal Information Security Management Act of 2002

4 US Federal Standards and Guidelines
Federal Information Processing Standards (FIPS) Special Publication (SP) 800 Series documents

5 Federal Information Standards (FIPS)
Approved by the Secretary of Commerce Compulsory and binding standards for federal agencies non-national security information systems Voluntary adoption by federal national security community and private sector

6 Special Publication (SP) 800 Series Documents
Special Publications in the 800 series are documents of general interest to the computer security community Established in 1990 to provide a separate identity for information technology security publications. Reports on guidance, research, and outreach efforts in computer security, and collaborative activities with industry, government, and academic organizations Agencies must follow NIST 800 series guidance documents; but 800 series documents generally allow agencies some latitude in their application

7 Scope of Applicability
All federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.* State, local, and tribal governments, as well as private sector organizations that compose the critical infrastructure of the United States on a voluntary basis, as appropriate. * The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems.

8 RMF Characteristics The NIST Risk Management Framework and the associated security standards and guidance documents provide a process that is: Disciplined Flexible Extensible Repeatable Organized Structured “Building information security into the infrastructure of the organization… so that critical enterprise missions and business cases will be protected.”

9 Managing Enterprise Risk
Key activities in managing enterprise-level risk—risk to the enterprise and to other organizations resulting from the operation of an information system: Categorize the information system (criticality/sensitivity) Select and tailor baseline (minimum) security controls Supplement the security controls based on risk assessment Document security controls in system security plan Implement the security controls in the information system Assess the security controls for effectiveness Authorize information system operation based on mission risk Monitor security controls on a continuous basis

10 The Risk Management Framework
Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements) SP A Security Control Assessment Continuously track changes to the information system that may affect security controls and reassess control effectiveness SP / SP A Security Control Monitoring Document in the security plan, the security requirements for the information system and the security controls planned or in place SP Security Control Documentation SP System Authorization Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation FIPS 200 / SP / SP Security Control Refinement Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence FIPS 200 / SP Security Control Selection Select minimum (baseline) security controls to protect the information system; apply tailoring guidance as appropriate Implement security controls; apply security configuration settings Security Control Implementation SP Define criticality /sensitivity of information system according to potential impact of loss FIPS 199 / SP Security Categorization Starting Point

11 Security Categorization
Example: A Pulp and Paper Control System FIPS 199 LOW MODERATE HIGH Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories SP

12 Security Categorization
Example: A Pulp and Paper Control System FIPS 199 LOW MODERATE HIGH Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FIPS 200 Minimum Security Controls for Moderate Impact Systems SP

13 Security Control Baselines
Minimum Security Controls Low Impact Information Systems High Impact Moderate Impact Information Systems SP ICS Master Security Control Catalog Complete Set of Security Controls and Control Enhancements Baseline #1 Selection of a subset of security controls from the master catalog—consisting of basic level controls Baseline #2 Builds on low baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements Baseline #3 Builds on moderate baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements

14 Minimum Security Controls
Minimum security controls, or baseline controls, defined for low-impact, moderate-impact, and high-impact information systems— Provide a starting point for organizations in their security control selection process Are used in conjunction with tailoring guidance that allows the baseline controls to be adjusted for specific operational environments Support the organization’s risk management process

15 Tailoring Security Controls Scoping, Parameterization, and Compensating Controls
Minimum Security Controls Low Impact Information Systems High Impact Moderate Impact Information Systems Tailored Security Controls Low Baseline Moderate Baseline High Baseline Enterprise #1 Operational Environment #1 Enterprise #2 Operational Environment #2 Enterprise #3 Operational Environment #3 Cost effective, risk-based approach to achieving information security…

16 Categorization Issues
Currently, categorization of Federal systems is mostly based on the information that is used within the information system, rather the information system itself Categorization workshop at NIST, September 5-6, 2007 to discuss categorization methodologies for ICS

17 Low Impact System

18 Moderate Impact Systems

19 High Impact System

20 High Impact System !!!

21 More High Impact Systems 

22 NIST SP NIST SP Recommended Security Controls for Federal Information Systems, which was developed for traditional IT systems, contains mandatory information security requirements for all non-national security information and information systems that are owned, operated, or controlled by federal agencies. NIST SP provides the security controls that need to be applied to secure the system. It does now specify how the controls need to be implemented.

23 NIST SP 800-53 ICS Structure 17 Control Families 171 Controls (Requirements)
Access Control Awareness and Training Audit and Accountability Certification, Accreditation, and Security Assessments Configuration Management Contingency Planning Identification and Authentication Incident Response Maintenance Media Protection Physical and Environmental Planning Personnel Security Risk Assessment Systems and Services Acquisition System and Communications Protection System and Information

24 Technical Control Families Possible Reference for Part 4
Access Control (20 requirements) Audit and Accountability (11 requirements) Identification and Authentication (7 requirements) System and Communications Protection (23 requirements) TOTAL (61 requirements)

25 Operational Control Families Possible Reference for Part 2 and/or Part 3
Awareness and Training (5 requirements) Configuration Management (8 requirements) Contingency Planning (10 requirements) Incident Response (7 requirements) Maintenance (6 requirements) Media Protection (6 requirements) Physical and Environmental Protection (19 requirements) Personnel Security (8 requirements) System and Information Integrity (12 requirements) TOTAL (81 requirements)

26 Management Control Families Possible Reference for Part 2 and/or Part 3
Certification, Accreditation, (7 requirements) and Security Assessments Planning (6 requirements) Risk Assessment (5 requirements) System and Services Acquisition (11 requirements) TOTAL (29 requirements)

27 Control Structure The security control structure consists of three key components: (i) a control section (ii) a supplemental guidance section – there may also be an ICS supplemental guidance section (iii) a control enhancements section

28 Control Example AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. Control Enhancements: (1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. (2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts]. LOW Not Selected MOD AU-6 (2) HIGH AU-6 (1) (2)

29 Control Example AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. Control Enhancements: (1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. (2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts]. LOW Not Selected MOD AU-6 (2) HIGH AU-6 (1) (2)

30 Control The control section provides a concise statement of the specific security capability needed to protect a particular aspect of an information system. The control statement describes specific security-related activities or actions to be carried out by the organization or by the information system. For some controls in the control catalog, a degree of flexibility is provided by allowing organizations to selectively define input values for certain parameters associated with the controls.

31 Control Example AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. Control Enhancements: (1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. (2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts]. LOW Not Selected MOD AU-6 (2) HIGH AU-6 (1) (2)

32 Supplemental Guidance
The supplemental guidance section provides additional information related to a specific security control. Organizations should consider supplemental guidance when defining, developing, and implementing security controls.

33 ICS Supplemental Guidance
ICS Supplemental Guidance provides additional guidance on how to apply the control, or provides guidance as to why the control may not be applicable in ICS environments.

34 Control Example AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. Control Enhancements: (1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. (2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts]. LOW Not Selected MOD AU-6 (2) HIGH AU-6 (1) (2)

35 Control Enhancement The control enhancements section provides statements of security capability to: (i) build in additional, but related, functionality to a basic control; and/or (ii) increase the strength of a basic control. In both cases, the control enhancements are used in an information system requiring greater protection due to the potential impact of loss or when organizations seek additions to a basic control’s functionality based on the results of a risk assessment. Control enhancements are numbered sequentially within each control so the enhancements can be easily identified when selected to supplement the basic control.

36 Control Example AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. Control Enhancements: (1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. (2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts]. LOW Not Selected MOD AU-6 (2) HIGH AU-6 (1) (2)

37 Baselines LOW Baseline - Selection of a subset of security controls from the master catalog consisting of basic level controls MOD Baseline - Builds on LOW baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements HIGH Baseline - Builds on MOD baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements Question: How are the three SP baselines and the three ISA 99 security levels related? Can these be used as a reference for 99.04?

38 Key Question #1 What security controls are needed to adequately protect an information system that supports the operations and assets of the organization? FIPS Pub 199, FIPS Pub 200, NIST Special Publication , and NIST Special Publication guide actions. Decisions result in an agreed upon set of security controls and acceptance of any residual risk documented in the information system security plan and approved by organizational officials.

39 Control Example AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. Control Enhancements: (1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. (2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts]. LOW Not Selected MOD AU-6 (2) HIGH AU-6 (1) (2)

40 Key Question #2 To what extent are the security controls implemented correctly, operating as intended, and producing the desired outcome with respect to meeting information security requirements? NIST Special Publications and A guide actions. Decisions result in determination of security control effectiveness and acceptance of mission/business function risk to the organization.

41 Compliance (800-53A) AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. ASSESSMENT OBJECTIVE: Determine if: (i) the organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity; (ii) the organization investigates suspicious activity or suspected violations; (iii) the organization reports findings of inappropriate/usual activities, suspicious behavior, or suspected violations to appropriate officials; and (iv) the organization takes necessary actions in response to the reviews/analyses of audit records. ASSESSMENT METHODS AND OBJECTS: Examine (DEPTH, COVERAGE): Audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records. Test (DEPTH, COVERAGE): Information system audit monitoring, analysis, and reporting capability.

42 Federal Agency Challenges
Federal agencies required to apply NIST SP Recommended Security Controls for Federal Information Systems (general IT security requirements) to their ICSs Federal agencies that own/operate electric power-related ICSs could potentially have to meet 2 standards (FIPS 200/NIST SP and FERC standards*) * Most mature industry candidate is the NERC CIPs

43 NIST Industrial Control System Security Project
Joint MEL/ITL project, in collaboration with federal and industry stakeholders, to develop standards, guidelines and test methods to help secure these critical control systems in harmony with their demanding safety and reliability requirements.

44 ICS Security Project Strategy
Work with government and industry ICS community to foster convergence of ICS security requirements DHS, DoE, FERC, DoI, ICS agencies (BPA, SWPA, WAPA) Industry standards groups ISA SP99 Industrial Automation and Control System Security standard IEC Security for industrial process measurement and control –Network and system security standard

45 Federal ICS Workshops Workshop April 19-20, 2006 at NIST to discuss the development of security requirements and baseline security controls for federally owned/operated ICS based on NIST SP Workshop March 27-28, 2007 at NIST to discuss and vet draft security requirements and baseline security controls for federally owned/operated ICS based on NIST SP Initial public draft scheduled for release summer 2007

46 Federal ICS Workshops Attended by Federal stakeholders
Bonneville Power Administration (BPA) Southwestern Power Administration (SWPA) Tennessee Valley Authority (TVA) Western Area Power Administration (WAPA) Federal Aviation Administration (FAA) Department of the Interior, Bureau of Reclamation Department of Energy (DOE) DOE Labs (Argonne, Idaho, Pacific Northwest, Sandia) Federal Energy Regulatory Commission (FERC) Department of Homeland Security (DHS)

47 NIST SP 800-53 ICS Draft NIST SP 800-53 ICS:
Draft NIST SP ICS Baselines: First Public Draft of these documents scheduled for release summer 2007

48 NIST Workshop on Applying NIST SP 800-53 to ICS
NIST Workshop on Applying NIST SP ICS, August 16 – 17, following the Control System Cyber Security Conference, Knoxville, TN NIST will host a workshop for representatives from national and international industrial control system (ICS) communities (e.g. electric, oil, gas, water, manufacturing) to share information, obtain direct inputs, and determine their level of interest in voluntarily adopting and using NIST’s ICS augmentation of NIST SP

49 SP800-53/NERC CIP Mappings Developed a bi-directional mapping and gap analysis between NIST SP and the NERC CIP standard to discover and propose modifications to remove any conflicts Generally, conforming to moderate baseline in SP complies with the management, operational and technical security requirements of the NERC CIPs; the converse is not true. Full report available at:

50 SP800-53/NERC CIP Mapping Table (Small Section of Actual Table)

51 Recommendations to FERC
“Our assessment is that the NERC CIPs do not provide levels of protection commensurate with the mandatory minimum federal standards (FIPS) prescribed by NIST for protecting federal non-national security information and information systems, including industrial control systems (ICS), from cyber attacks.” “Our recommendation is for FERC to consider issuing interim cyber security standards for the bulk electric system that are a derivative of the NERC CIPs (e.g., NERC CIPs; NERC CIPs appropriately modified, enhanced, or strengthened), and would allow for planned transition (say in two to three years) to cyber security standards that are identical to, consistent with or based on SP and related NIST standards and guidelines (as interpreted for ICSs).  This will be a plan to strengthen the NERC CIPs, rather than a plan to abandon them.”

52 NIST SP Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Provide guidance for establishing secure SCADA and ICS, including implementation guidance for SP ICS controls Content Overview of ICS ICS Characteristics, Threats and Vulnerabilities ICS Security Program Development and Deployment Network Architecture ICS Security Controls Appendixes Current Activities in Industrial Control System Security Emerging Security Capabilities ICS in the FISMA Paradigm

53 NIST SP 800-82 Initial public draft released September 2006
Downloaded over 200,000 times Second public draft scheduled for release summer 2007

54 NIST ICS Security Project Summary
Issue ICS security guidance Evolve SP Recommended Security Controls for Federal Information Systems security controls to better address ICSs Initial public draft scheduled for release summer 2007 Publish SP Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security Initial public draft released September 2006 Second public draft scheduled for release summer 2007 Improve the security of public and private sector ICSs Raise the level of control system security awareness Work with on-going industry standards activities Assist in standards and guideline development Foster convergence

55 NIST ICS Security Project
NIST ICS Security Project Contact Information Project Leaders Keith Stouffer Dr. Stu Katzke (301) (301) Web Pages Federal Information Security Management Act (FISMA) Implementation Project NIST ICS Security Project

Download ppt "US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June."

Similar presentations

EMS Checklist (ISO model)

EMS Checklist (ISO model)
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.

Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
National Infrastructure Protection Plan

National Infrastructure Protection Plan
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Contractor Management and ISO 14001:2004

Contractor Management and ISO 14001:2004
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Risk Assessment Frameworks

Risk Assessment Frameworks
Federal IT Security Professional - Manager FITSP-M Module 1.

Federal IT Security Professional - Manager FITSP-M Module 1.
RC14001 ® Update GPCA Responsible Care Committee September 23, 2013.

RC14001 ® Update GPCA Responsible Care Committee September 23, 2013.
Dr. Ron Ross Computer Security Division

Dr. Ron Ross Computer Security Division
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.
Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Similar presentations

Ads by Google