security

What are the NERC CIP Standards?

The North American Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards are IT compliance standards released by the Federal Energy Regulatory Commission (FERC). NERC CIP applies to everything utilities do with computers related to the operation of the grid, data collection and data dissemination throughout the enterprise. NERC CIP carries fines of up to $1 million per day for non-compliance.

Electronic Security (CIP-002, 003, 005, 007, 009)

SAS70 Outsourcing Project Implementation Contracts Evaluation Checklist

Purpose
This section describes in simple terms the purpose of the evaluation, how it relates to the customer, and the benefits the organization will receive from the evaluation process. It is essential that you use common terminology relevant to the organization to ensure that this material is understood.

Methodology
This section describes the methodology that will be used to conduct the evaluation. This is a good place to emphasize the IEM as a standard methodology to conduct technical INFOSEC evaluations, developed and approved by the National Security Agency. This section includes the phases, processes, and steps to be used during the evaluation.

Scope
This section is a detailed demonstration of the level of effort, boundaries, and limitations of the evaluation. Appropriate assumptions are a critical part of the scoping process. The scope section provides a detailed listing of known assumptions affecting the evaluation. Assumptions are critical in demonstrating an understanding of the customer environment and detailing how that environment will affect the evaluation. The types of assumptions may include number of physical locations, number and type of systems, number and type of networks, relevant POC information, information about scheduling of the technical scans and conducting the 10 baseline IEM activities, and any associated constraints that can be listed as assumptions.

Roles and responsibilities of customer staff

Download Free ISO 27001/ISO17799 Wireless LAN Security Summary

1. Develop an agency security policy that addresses the use of wireless technology, including 802.11.
A security policy is the foundation on which other countermeasures—the operational and technical ones—are rationalized and implemented. A documented security policy allows an organization to define acceptable architecture, implementation, and uses for 802.11 wireless technologies.

2. Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology (e.g., 802.11).
A security awareness program helps users to establish good security practices to prevent inadvertent or malicious intrusions into an organization’s information systems.

ISO 27001 Information Classification, Labelling and Handling

Download free ISO 27001 Information Classification, Labelling and Handling (available in PDF and XLS format):

Objectives:
- The organization defines in the security plan, explicitly or by reference, its protected environment for media labeling requirements;
- The organization defines in the security plan, explicitly or by reference, media types and hardware components that are exempted from external labeling requirements; and
- The organization affixes external labels to removable information storage media and information system output not otherwise exempted from this labeling requirement, indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

SCADA Cyber Security Risk Assessments Tools

Download free SCADA Cyber Security Risk Assessments Tools. These tools cover:
What processes are in place to identify security risks from cyber incidents in our SCADA system?
Considering the potential for security risks associated with SCADA systems, it is important that there is a framework in place to identify possible risks for existing and new SCADA systems. As SCADA systems are becoming increasingly interconnected with the Internet and corporate networks they are also becoming more exposed to Internet security threats and network vulnerabilities.

What strategies have been put in place to manage these risks?
It is crucial for SCADA managers to put in place appropriate risk management strategies. Such strategies might include regular vulnerability assessments of SCADA systems, processes for patch management and configuration management, communication between engineering and IT departments, staff training, appropriate network architecture, etc.

How regularly are vulnerability assessments undertaken of our SCADA system?
