Ports and Services: An Audit Approach
ReliabilityFirst CIP Webinar, Thursday, September 30, 2010
Lew Folkerth, Senior Engineer - Compliance

CIP-005: ESP Access Points

CIP-005 R2.2: “At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.”

CIP-005 R4.2 requires that the Cyber Vulnerability Assessment (CVA) include: “A review to verify that only ports and services required for operations at these access points are enabled.”

CIP-005 R5 requires annual review, and update within 90 days of a change.

CIP-007: Systems Within the ESP

CIP-007 R2.1: “The Responsible Entity shall enable only those ports and services required for normal and emergency operations.”

CIP-007 R8.2 requires that the CVA include: “A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled.”

CIP-007 R9 requires annual review, and update within 30 days of a change.

Audit Approach

What follows is an example of how the compliance review might proceed. Since each entity is different, this example is offered only as general guidance on what to present to the audit team.

Baseline

The baseline configuration is one or more lists of ports and services that have been determined to be needed for normal and/or emergency operations. The baseline includes:
- the port or range of ports
- the associated service
- the operational purpose of the port and/or service
- for firewalls, the source and destination address ranges

Once baseline configurations have been established, changes and exceptions should be managed by a change management process. The entity should be able to produce the configuration of authorized ports and services for any given time period.

Operational Purpose

Operational purpose: the reason a port and/or service is needed for normal or emergency operations. It demonstrates that a port and/or service is “required for operations” per the language of the standard.

Examples:
- Insufficient: Port 22/tcp is Secure Shell (SSH).
- Sufficient: Port 22/tcp is associated with the Secure Shell (SSH) service, which is required for remote administration of the SCADA system and other applications.
- Sufficient: Port 22/tcp, the SSH service, is needed for unknown reasons. The service was disabled in a test environment, after which the SCADA system operated in an anomalous manner. See testing document ABC

Audit of Baseline

For the baseline configurations, the audit team will seek to determine:
- Do the baselines collectively cover all applicable Cyber Assets?
- For each port or port range listed, is there an associated service identified?
- What is the operational purpose of the port and/or service?
- For firewalls, are the source and destination address ranges sufficiently restricted?
- Are variations from the baseline properly documented?

Audit of Firewalls

For a sample of firewalls, the audit team will ask the entity to demonstrate that the actual configuration of the firewall matches the expected configuration, that is, the baseline plus any documented variances.

The audit team will ask the entity to demonstrate that this determination has been made at least annually (per CIP-005 R4 and CIP-005 R5).
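The firewall comparison described above, as an added worked example that is not part of the webinar slides or any ReliabilityFirst tooling. It assumes a baseline kept as a list of permitted flows (source range, destination range, protocol, port, service, operational purpose), a rule export from the device in the same shape, and a list of variances approved through change management; every address, port and ticket id below is constructed. The check answers the auditor's questions from the two preceding slides: is every device rule covered by the baseline plus variances, are the address ranges restricted, does every baseline entry carry an operational purpose, and is the documentation stale (an expected flow that no rule implements).

```python
"""Check a firewall's exported rule set against its ports-and-services baseline.

Added example, not from the slides: the baseline layout, the rule fields and
every address, port and ticket id below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One permitted flow through an ESP access point (one firewall rule)."""
    src: str           # source address range, CIDR
    dst: str           # destination address range, CIDR
    proto: str         # "tcp" or "udp"
    port: int
    service: str = ""  # blank on rules exported from the device
    purpose: str = ""  # operational purpose; required in the baseline


# Constructed baseline: flows needed for normal/emergency operations.
BASELINE = [
    Flow("10.1.0.0/24", "10.2.0.10/32", "tcp", 22, "SSH",
         "remote administration of the SCADA server from the engineering LAN"),
    Flow("10.1.0.0/24", "10.2.0.0/24", "udp", 161, "SNMP",
         "monitoring of Cyber Assets within the ESP"),
    Flow("10.1.0.0/24", "10.2.0.20/32", "tcp", 8443, "HTTPS",
         "historian web interface"),
]

# Constructed variance approved through change management (placeholder ticket).
VARIANCES = [
    Flow("10.1.0.5/32", "10.2.0.10/32", "tcp", 443, "HTTPS",
         "vendor patch portal, change ticket CHG-PLACEHOLDER"),
]

# Constructed rule export from the device: service/purpose columns are absent.
ACTUAL = [
    Flow("10.1.0.0/24", "10.2.0.10/32", "tcp", 22),
    Flow("10.1.0.0/24", "10.2.0.0/24", "udp", 161),
    Flow("10.1.0.5/32", "10.2.0.10/32", "tcp", 443),
    Flow("0.0.0.0/0", "10.2.0.0/24", "tcp", 3389),   # in neither baseline nor variances
]


def permits_no_more_than(actual, expected):
    """True if `actual` allows a subset of what `expected` allows."""
    return (actual.proto == expected.proto
            and actual.port == expected.port
            and ipaddress.ip_network(actual.src).subnet_of(ipaddress.ip_network(expected.src))
            and ipaddress.ip_network(actual.dst).subnet_of(ipaddress.ip_network(expected.dst)))


def is_unrestricted(flow):
    """Flag any-address ranges (prefix length 0) on either side of the rule."""
    return (ipaddress.ip_network(flow.src).prefixlen == 0
            or ipaddress.ip_network(flow.dst).prefixlen == 0)


def audit_firewall(actual, baseline, variances):
    """Return (finding_type, flow) pairs an auditor would ask about.

    undocumented - device rule not covered by baseline + variances
    unrestricted - device rule with an any-address source or destination
    missing      - expected flow that no device rule implements (stale documentation)
    no_purpose   - baseline/variance entry lacking an operational purpose
    """
    expected = list(baseline) + list(variances)
    findings = []
    for rule in actual:
        if not any(permits_no_more_than(rule, e) for e in expected):
            findings.append(("undocumented", rule))
        if is_unrestricted(rule):
            findings.append(("unrestricted", rule))
    for e in expected:
        if not any(permits_no_more_than(r, e) for r in actual):
            findings.append(("missing", e))
        if not e.purpose.strip():
            findings.append(("no_purpose", e))
    return findings


if __name__ == "__main__":
    for kind, flow in audit_firewall(ACTUAL, BASELINE, VARIANCES):
        print(f"{kind:13} {flow.proto}/{flow.port} {flow.src} -> {flow.dst} {flow.purpose}")
```

On the constructed data the script reports the 3389 rule twice (undocumented, and unrestricted because its source is 0.0.0.0/0) and the 8443 baseline entry as missing from the device, which is exactly the kind of variance the entity should be able to explain or correct before the audit team asks about it.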

Audit of Systems Within the ESP

For a sample of systems within an ESP, the audit team will ask the entity to demonstrate that the actual ports open and services running match the expected configuration, that is, the baseline plus any documented variances.

The entity is free to use any desired tool, but the audit team will accept the output of "netstat -an" if no other tool is available.

The audit team will ask the entity to demonstrate that this determination has been made at least annually (per CIP-007 R8 and CIP-007 R9).
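The host-level comparison described above, as an added worked example that is not part of the webinar slides or any ReliabilityFirst tooling. It takes the "netstat -an" output the slide says the audit team will accept, extracts the sockets that accept inbound traffic, and compares them with the baseline plus documented variances for that host. The netstat text, the baseline and the variance are constructed; the parser handles the Linux and Windows "netstat -an" layouts as those platforms print them, folding tcp6/udp6 into tcp/udp and counting a TCP socket only in LISTEN/LISTENING state (UDP has no state, so every bound UDP port counts).

```python
"""Compare the listening ports reported by `netstat -an` against the baseline.

Added example, not from the slides: the netstat output, the baseline and the
variance below are constructed.
"""

# Constructed `netstat -an` output from a host inside the ESP (Linux layout),
# with one Windows-style row appended to show that layout is parsed as well.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 10.2.0.10:22            10.1.0.7:51234          ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*
tcp6       0      0 :::3389                 :::*                    LISTEN
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

# Constructed baseline for this host: (proto, port) -> (service, operational purpose).
BASELINE = {
    ("tcp", 22):   ("SSH", "remote administration of the SCADA server"),
    ("tcp", 502):  ("Modbus/TCP", "polling of field devices during normal operations"),
    ("udp", 161):  ("SNMP", "monitoring of Cyber Assets within the ESP"),
    ("tcp", 8443): ("HTTPS", "historian web interface"),
}
# Constructed documented variance approved through change management (placeholder ticket).
VARIANCES = {
    ("tcp", 135): ("MS-RPC", "required by the vendor backup agent, ticket CHG-PLACEHOLDER"),
}


def parse_netstat(text):
    """Return the set of (proto, port) sockets that accept inbound traffic."""
    open_ports = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].lower().rstrip("6")   # tcp6/udp6 -> tcp/udp
        if proto not in ("tcp", "udp"):
            continue                            # headers and non-socket rows
        local = next((f for f in fields[1:] if ":" in f), None)  # first address:port column
        if local is None:
            continue
        port = int(local.rsplit(":", 1)[1])     # also handles ":::3389" and "[::]:135"
        if proto == "tcp" and not fields[-1].upper().startswith("LISTEN"):
            continue                            # established/time-wait rows are not open ports
        open_ports.add((proto, port))
    return open_ports


def compare(open_ports, baseline, variances):
    """Split observed vs expected ports into the two questions an auditor asks."""
    expected = set(baseline) | set(variances)
    return {
        "unexpected": sorted(open_ports - expected),   # open, but no purpose on record
        "missing": sorted(expected - open_ports),      # documented, but not open: stale docs?
    }


if __name__ == "__main__":
    result = compare(parse_netstat(NETSTAT_OUTPUT), BASELINE, VARIANCES)
    for proto, port in result["unexpected"]:
        print(f"unexpected {proto}/{port}: no operational purpose on record")
    for proto, port in result["missing"]:
        print(f"missing    {proto}/{port}: baseline lists it but it is not open")
```

Run against the constructed output, the script flags tcp/25 and tcp/3389 as open without an operational purpose on record and tcp/8443 as documented but not actually open. Note that the loopback-only tcp/25 socket is still reported: the standard's "enable only those ports and services required" does not exempt ports bound to 127.0.0.1, so either it gets a documented purpose or the service is disabled.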

CVA vs. Document Maintenance

One question that usually arises from this discussion is: “What is the difference between the Cyber Vulnerability Assessment (CVA) (in CIP-005 R4 and CIP-007 R8) and Documentation Review and Maintenance (in CIP-005 R5 and CIP-007 R9)?”

The Documentation Review and Maintenance provisions require the documentation to be kept up with changes to the actual systems. The documentation should be compared against the actual systems to ensure the documentation accurately reflects the configuration of the systems.

The CVA requires a review of the system configurations, not just the documentation. All ports and services should be reviewed to ensure that each is still necessary for normal or emergency operations.

Questions

Questions should be e-mailed to Karen Yoder, Subject: “CIP
- Questions will be considered in the order they are received.
- Clarifying questions are welcome, and we will do our best to answer them during the question period.
- Challenges to a position should be addressed to the presenter and will be taken offline.