
NERC Security Requirements – What Vendors Should Provide



Presentation Transcript


  1. NERC Security Requirements – What Vendors Should Provide
     James W. Sample, CISSP, CISM
     Manager of Information Security, California ISO

  2. NERC 1200 Cyber Security Standard
     • 1201 – Cyber Security Policy
     • 1202 – Critical Cyber Assets
     • 1203 – Electronic Security Perimeter
     • 1204 – Electronic Access Controls
     • 1205 – Physical Security Perimeter
     • 1206 – Physical Access Controls
     • 1207 – Personnel
     • 1208 – Monitoring Physical Access
     • 1209 – Monitoring Electronic Access
     • 1210 – Information Protection
     • 1211 – Training
     • 1212 – Systems Management
     • 1213 – Test Procedures
     • 1214 – Electronic Incident Response Actions
     • 1215 – Physical Incident Response Actions
     • 1216 – Recovery Plans

  3. 1203 – Electronic Security Perimeter
     Provide detailed documentation that includes:
     • Detailed data flow diagrams
     • Source/destination systems
     • Required services/ports (protocols)
     • Interconnectivity requirements
     • Access points

  4. 1204 – Electronic Access Controls
     Deliver systems:
     • With detailed documentation around access controls
     • That require authentication and authorization using unique user IDs
     • Where access management is simple
     • Where access control exists at all layers (e.g. operating system, database, application)

  5. 1207 – Personnel
     Provide detailed documentation that includes:
     • List of all personnel supporting the product plus the access required, including sub-contractors
     • Promptly notify the customer of any changes in support personnel
     • Conduct proper background checks on all personnel
     • Provide evidence of the background check to the customer

  6. 1209 – Monitoring Electronic Access
     Deliver systems:
     • With detailed documentation around access monitoring, including error codes
     • That provide auditable logging of events
     • That synchronize with a central time source
     • That log to a remote central repository
     • With tools to analyze audit logs where appropriate

  7. 1210 – Information Protection
     Deliver systems:
     • With detailed documentation that identifies critical configuration settings, processes, libraries, etc. that should be monitored

  8. 1211 – Training
     • Provide security training specific to your product
     • Document security features, including configuration and administration procedures, for your product
     • Provide detailed documentation for rebuilding the system securely

  9. 1212 – Systems Management
     Deliver systems:
     • Where access management is simple (e.g. passwords can be changed easily and periodically)
     • With all unnecessary ports and services disabled
     • That use secure protocols rather than insecure protocols
     • Promptly test all released operating system and third-party patches to allow for proper and timely patch management
     • With remote administration securely configured (e.g. modems, VPN, etc.)

  10. 1213 – Test Procedures
      Deliver systems:
      • With a set of test procedures that the customer can use to verify system security
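The monitoring expectations of slide 6 (1209), the systems-management expectations of slide 9 (1212) and the customer-runnable test procedures of slide 10 (1213) come together in a small automated check. The script below is an added example, not part of the presentation or of any California ISO or NERC material: it evaluates a host inventory against those bullet points and reports one finding per unmet expectation. The HostConfig layout, the INSECURE_PROTOCOLS set and the two sample hosts are assumptions constructed for this example.

```python
"""Added example (not from the presentation): a self-checking script of
the kind a vendor could ship as a 1213-style test procedure, evaluating
one host's configuration against the 1209 (monitoring electronic
access) and 1212 (systems management) expectations listed in the deck.
The HostConfig layout and the sample hosts are constructed for this
example; they do not describe real systems."""

from dataclasses import dataclass
from typing import List, Optional, Set

# Application protocols treated as "insecure" here: cleartext credentials
# or no integrity protection. The set is an assumption; extend it to match
# your own policy.
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "rsh", "rlogin", "snmpv1", "snmpv2c"}


@dataclass
class ListeningService:
    name: str        # service name as it appears in the vendor's 1203 port list
    port: int
    protocol: str    # application protocol, lowercased


@dataclass
class HostConfig:
    hostname: str
    services: List[ListeningService]
    required_services: Set[str]           # from the vendor's 1203 services/ports documentation
    audit_logging_enabled: bool           # 1209: auditable logging of events
    time_synced: bool                     # 1209: clock disciplined by the central time source
    remote_log_target: Optional[str]      # 1209: central repository address, None if local only
    max_password_age_days: Optional[int]  # 1212: periodic change enforced, None if not


def check_host(cfg: HostConfig) -> List[str]:
    """Return one finding per unmet expectation; an empty list means pass."""
    findings: List[str] = []
    for svc in cfg.services:
        if svc.name not in cfg.required_services:
            findings.append(
                f"1212: unnecessary service '{svc.name}' listening on port {svc.port}")
        if svc.protocol in INSECURE_PROTOCOLS:
            findings.append(
                f"1212: insecure protocol {svc.protocol} used by '{svc.name}' on port {svc.port}")
    if cfg.max_password_age_days is None:
        findings.append("1212: no periodic password change is enforced")
    if not cfg.audit_logging_enabled:
        findings.append("1209: auditable event logging is disabled")
    if not cfg.time_synced:
        findings.append("1209: clock is not synchronized with the central time source")
    if not cfg.remote_log_target:
        findings.append("1209: events are not forwarded to a remote central repository")
    return findings


# Constructed sample inventories: one hardened host and one as it might
# arrive before hardening.
HARDENED = HostConfig(
    hostname="ems-app-01",
    services=[ListeningService("ems-api", 8443, "https"),
              ListeningService("ssh", 22, "ssh")],
    required_services={"ems-api", "ssh"},
    audit_logging_enabled=True,
    time_synced=True,
    remote_log_target="syslog.control.example",
    max_password_age_days=90,
)

UNHARDENED = HostConfig(
    hostname="ems-app-02",
    services=[ListeningService("ems-api", 8080, "http"),
              ListeningService("telnet", 23, "telnet"),
              ListeningService("ssh", 22, "ssh")],
    required_services={"ems-api", "ssh"},
    audit_logging_enabled=True,
    time_synced=False,
    remote_log_target=None,
    max_password_age_days=None,
)


def run_sample() -> dict:
    """Check both constructed hosts; findings are returned keyed by hostname."""
    return {h.hostname: check_host(h) for h in (HARDENED, UNHARDENED)}


if __name__ == "__main__":
    for host, findings in run_sample().items():
        status = "PASS" if not findings else f"FAIL ({len(findings)} findings)"
        print(f"{host}: {status}")
        for f in findings:
            print("  -", f)
```

Each finding is prefixed with the requirement number it maps to, so a customer running the procedure can file results against the same 1200-series headings the vendor's documentation uses; the unhardened sample host produces six findings (an insecure protocol, an unnecessary service that is also on an insecure protocol, no password rotation, no time sync and no remote logging), while the hardened host passes cleanly.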

  11. 1216 – Recovery Plans
      Deliver systems:
      • With documents designed specifically for disaster recovery

  12. General Recommendations
      • Design with system security in mind up front
      • Vendors should sponsor annual security user group meetings
      • Keep it Simple, Stupid (KISS)
