120 likes | 339 Views
NERC Security Requirements – What Vendors Should Provide. James W. Sample, CISSP, CISM Manager of Information Security California ISO. NERC 1200 Cyber Security Standard. 1201 – Cyber Security Policy 1202 – Critical Cyber Assets 1203 – Electronic Security Perimeter
E N D
NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO
NERC 1200 Cyber Security Standard • 1201 – Cyber Security Policy • 1202 – Critical Cyber Assets • 1203 – Electronic Security Perimeter • 1204 – Electronic Access Controls • 1205 – Physical Security Perimeter • 1206 – Physical Access Controls • 1207 – Personnel • 1208 – Monitoring Physical Access • 1209 – Monitoring Electronic Access • 1210 – Information Protection • 1211 – Training • 1212 – Systems Management • 1213 – Test Procedures • 1214 – Electronic Incident Response Actions • 1215 – Physical Incident Response Actions • 1216 – Recovery Plans
1203 – Electronic Security Perimeter Provide detailed documentation that includes: • Detailed data flow diagrams • Source/destination systems • Required services/ports (protocols) • Interconnectivity requirements • Access points
1204 – Electronic Access Controls Deliver systems: • With detailed documentation around access controls • That require authentication and authorization using unique user Ids • Where access management is simple • Where access control exists at all layers (e.g. operations system, database, application)
1207 – Personnel Provide detailed documentation that includes: • List of all personnel supporting product plus access required, including sub-contractors • Promptly notify customer of any changes in support personnel • Conduct proper background checks on all personnel • provide evidence to customer of background check
1209 – Monitoring Electronic Access Deliver systems: • With detailed documentation around access monitoring, including error codes • That provided auditable logging of events • That synchronize with a central time source • That log to a remote central repository • With tools to analyze audit logs where appropriate
1210 – Information Protection Deliver systems: • With detailed documentation that identifies critical configuration settings, processes, libraries, etc. that should be monitored
1211 – Training • Provide security training specific to your product • Document security features, including configuration and administration procedures, for your product • Provide detailed documentation for rebuilding the system securely
1212 – Systems Management Deliver systems: • Where access management is simple (e.g. password can be changed easily and periodically) • With all unnecessary ports and services disabled • That use secure protocols verses insecure protocols • Promptly test all released operating systems and third-party patches to allow for proper and timely patch management • With remote administration securely configured (e.g. modems, VPN, etc.)
1213 – Test Procedures Deliver systems: • With a set of test procedures that the customer can use to verify system security
1216 – Recovery Plans Deliver systems: • With documents designed specifically for disaster recovery
General Recommendations • Design with system security in mind up front • Vendors should sponsor annual security user group meetings • Keep it Simple, Stupid (KISS)