1 / 32

Managing Cyber Security

Managing Cyber Security. Jeff Scheidel Oracle Security Architect Rex Thexton PriceWaterhouseCoopers Managing Director. Program Agenda. Security vs. Compliance Auditors: Friend or Foe? NERC and others Inventory of Audit Support Structures

niyati
Download Presentation

Managing Cyber Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Managing Cyber Security Jeff Scheidel Oracle Security Architect Rex ThextonPriceWaterhouseCoopers Managing Director

  2. Program Agenda • Security vs. Compliance • Auditors: Friend or Foe? • NERC and others • Inventory of Audit Support Structures • Security/compliance deployment specifics • NERC CIP : v3 vs v4 vs v5

  3. Compliance does notequal security

  4. What is the lesson? • Security # compliance • Compliance # security • Reporting # either

  5. Alphabet Soup FFIEC SAS-70 HIPAASOX PCI NERC-CIPGLB EUROFISMA

  6. Moving to NERC-CIP v5 – the leap over v4 Once approved, 24 months to comply • Encryption – more PCI-like • Multiple compliance levels: low, medium, high • Role-based classifications (rather than risk-based) • Multi-factor authentication • Serial connections • Triggers for recovery plans • All software to be known (COTS and homegrown) • Security patches from beginning of time to be published • CIP-10 and CIP-11 get uglier • “Evidence of compliance”

  7. Auditors sell you what?

  8. Auditors are measured on what?

  9. A quick story

  10. Are auditors the enemy? Of course not • They light the fires • They free up budgets • They make you “clean” • They provide the measuring stick

  11. So how do you pass the audit? Know what’s in the black box !!!

  12. Make them happy, so they’ll go away • What they ask for directly • What they “ask” for indirectly • Evidence of compliance • Satisfy NERC and other requirements • Satisfy compliance and security

  13. Inventory of Assets Authoritative Sources Policies, Processes, Change Management

  14. The most important change management process? Terminations !!!

  15. Legacy systems

  16. Dev. and test procedures Data security, backups and audit Segregation of Duties

  17. Privileged Users Reporting Exceptions

  18. Certifications Education Disaster Recovery Plan

  19. Threats Risk !!! Documentation Words = deeds?

  20. Tips, hints, nitty-gritty • Know where your PII lives • Regulatory compliance requirements • Customers’ requirements • Know the penalties • Enforcement duties • Active Directory & Sharepoint • Access Rights • Privileged Users • Granularity • Using service providers? • You’re still on the hook Quick story: Fatal Audit

  21. State your case !

  22. PwC’s Oracle Security Practice Highlights The only five-time Oracle Titan Award winner • 80% of PwC’s IdM implementation revenue is Oracle • Over 160 staff currently engaged on 23 Oracle security engagements • Since 2011 all PwC Security Consulting new hires receive training on Oracle IdM or DB Security technologies • Over 60 resources trained on OIG11gR2 in the US and India in May & June • In Fy13 PwC invested over 6,000 Oracle training hours, including over 2000 hours of training on Oracle IdM and Database Security • FY14 investments on Oracle security related initiatives will increase over FY13

  23. Major changes from CIP v3 to v4/v5 CIP-002 Risk-Based Assessment becoming “Bright-Line Criteria” • Black start resources • Additional generation and transmission facilities • Facilities performing automatic load shedding • Over 60 resources trained on OIG11gR2 in the US and India in May & June • Remaining standards (003 to 009) mostly unchanged • Effective July 2014

  24. Impact to utilities and power generators CIP-002 Risk-Based Assessment becoming “Bright-Line Criteria” • More substations • Potentially includes distribution assets • Additional power plants in scope • Generation management systems • On average, we see an increase in critical cyber assets of at least 20-30%

  25. Representative impact of version 4 Eg. Independent power producer • NERC CIP v3 • No critical assets (CA’s) • No critical cyber assets (CCA’s) • NERC CIP v4 • 11 sites / locations • Generation Management System • 85 CCA’s • Physical access – 110 personnel • Cyber access – 85 personnel

  26. Representative impact of version 5 Eg. Single utility • NERC CIP v5 • 22 sites/locations • 218 CCA’s • Physical access – 380 personnel • Cyber access – 190 personnel • NERC CIP v3 • 12 sites/locations • 104 CCA’s • Physical access – 210 personnel • Cyber access – 165 personnel

  27. Most common CIP compliance issues Top 12 Violated Standards – June 1, 2011 to May 31, 2012 007-Systems Security Mgmt 005-ESP 006-Physical Security 004-Personnel/training 003-Security Mgmt Controls

  28. How identity governance addresses NERC CIP

  29. For more information Jeff Scheidel Oracle Security Architect Jeff.G.Scheidel@oracle.com 630.667.1100 Rex Thexton PwC Managing Director Rex.thexton@us.pwc.com 908.868.1386

More Related