NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.

2 NERC 1200 Cyber Security Standard
- 1201 – Cyber Security Policy
- 1202 – Critical Cyber Assets
- 1203 – Electronic Security Perimeter
- 1204 – Electronic Access Controls
- 1205 – Physical Security Perimeter
- 1206 – Physical Access Controls
- 1207 – Personnel
- 1208 – Monitoring Physical Access
- 1209 – Monitoring Electronic Access
- 1210 – Information Protection
- 1211 – Training
- 1212 – Systems Management
- 1213 – Test Procedures
- 1214 – Electronic Incident Response Actions
- 1215 – Physical Incident Response Actions
- 1216 – Recovery Plans

3 1203 – Electronic Security Perimeter
Provide detailed documentation that includes:
- Detailed data flow diagrams
- Source/destination systems
- Required services/ports (protocols)
- Interconnectivity requirements
- Access points

4 1204 – Electronic Access Controls
Deliver systems:
- With detailed documentation around access controls
- That require authentication and authorization using unique user IDs
- Where access management is simple
- Where access control exists at all layers (e.g. operating system, database, application)

5 1207 – Personnel
Provide detailed documentation that includes:
- List of all personnel supporting the product plus the access required, including sub-contractors
- Promptly notify the customer of any changes in support personnel
- Conduct proper background checks on all personnel; provide evidence of the background check to the customer

6 1209 – Monitoring Electronic Access
Deliver systems:
- With detailed documentation around access monitoring, including error codes
- That provide auditable logging of events
- That synchronize with a central time source
- That log to a remote central repository
- With tools to analyze audit logs where appropriate

7 1210 – Information Protection
Deliver systems:
- With detailed documentation that identifies critical configuration settings, processes, libraries, etc. that should be monitored

8 1211 – Training
- Provide security training specific to your product
- Document security features, including configuration and administration procedures, for your product
- Provide detailed documentation for rebuilding the system securely

9 1212 – Systems Management
Deliver systems:
- Where access management is simple (e.g. passwords can be changed easily and periodically)
- With all unnecessary ports and services disabled
- That use secure protocols rather than insecure protocols
- Promptly test all released operating system and third-party patches to allow for proper and timely patch management
- With remote administration securely configured (e.g. modems, VPN, etc.)

10 1213 – Test Procedures
Deliver systems:
- With a set of test procedures that the customer can use to verify system security

11 1216 – Recovery Plans
Deliver systems:
- With documents designed specifically for disaster recovery

12 General Recommendations
- Design with system security in mind up front
- Vendors should sponsor annual security user group meetings
- Keep it Simple, Stupid (KISS)
