ISA 99 Technical Requirements
Situation assessment as seen by Dennis Holstein, Lead Editor
13 November 2008, ISA99WG04
Situation today (Nov 2008)

ISA 99 is a multipart standard to be aligned with IEC. Parts and status:
- Terminology, Concepts and Models: Published
- Framework for a Security Program: In ballot
- Guideline for Operating a Security Program: Not started
- Target System Security Levels: Work in progress
- System Security Compliance Metrics: Work in progress
- Protection of Data at Rest: Work in progress

Derived requirements (…x) are prescriptive, requiring:
- Traceability to the 7 foundational requirements in …
- Supporting rationale with use cases
- Security assurance metrics

Technical Requirements work-in-progress task teams:
- Foundational requirements
- Zones, conduits and security levels
- Derived requirements
Maturity assessment

Foundational Requirements
- Team leader: Freemon Johnson
- Team composition: Team in place; very weak participation
- Work in progress: Mapping to NIST 800 complete; needs to be documented as an ISA TR
- Prognosis for publication: Ready for community review by end of 2008
- Long pole in the tent: None

Zones, Conduits and Security Levels
- Team leader: Rahul Bhojani
- Team composition: Team in place; barely acceptable participation
- Work in progress: Active discussion via weekly LiveMeetings/telecons; focus on Protection of Data at Rest
- Prognosis for publication: Probably ready for … by the end of …
- Long pole in the tent: Security Metrics; Use Cases

Derived Requirements
- Team leader: Kevin Staggs (Interim)
- Team composition: Very weak participation
- Work in progress: Structure of release series in debate
- Prognosis for publication: … ready by the end of 2009; crystal-ball projection for the rest at best
- Long pole in the tent: Security Assurance Levels; Security Metrics; Allocation to subsystems & components; Use Cases; Security Metrics
Timely publication best serves our community

Technical Requirements: Target Security Levels
- Scope and purpose: Use NIST mapping to establish target security levels; includes high-level description of domains, including their zones and conduits
- Primary users: Asset owner; security system architect; system integrator; system providers, including 3rd-party outsourcers
- Expected publication date: Mid Nov 2008: ready for ballot?

Technical Requirements: System Security Compliance Metrics
- Scope and purpose: Defines measurable compliance metrics that are context specific
- Primary users: Asset owner; security system architect; system integrator; ISA Compliance Institute; system providers, including 3rd-party outsourcers
- Expected publication date: Late 2009

Technical Requirements: Allocation to Subsystems and Components
- Scope and purpose: Normative specification of security requirements, including rationale and supporting use cases based on example reference models; includes detailed description of domains, including their zones and conduits
- Primary users: Asset owner; security system architect; system integrator; ISA Compliance Institute; system, subsystem and component providers, including 3rd-party outsourcers
- Expected publication date: …: Late …; …x: ????
In summary

Accelerate publication of technical requirements:
- ISA-DS "Target Security Levels": with editorial changes, is it ready to ballot?
- Use the formal review processes and procedures of ISA and IEC in parallel:
  - Use the agreed-to ISA/IEC document template
  - Ballot resolution team addresses comments received from both balloting bodies
  - Charlie Robinson will coordinate ISA and IEC (via Tom Phinney) balloting
- Lessons learned feed forward to the next publication in the series