PREVENTIVE AND PROTECTIVE MEASURES AGAINST INSIDER THREATS
NUCLEAR SECURITY SERIES NO. XX
NST01 DRAFT, November 01
STEP : Submission to MS for comment
Interface Document: NSGC, all SSCs

PREVENTIVE AND PROTECTIVE MEASURES AGAINST INSIDER THREATS (REVISION OF NUCLEAR SECURITY SERIES NO. )

DRAFT IMPLEMENTING GUIDE

INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA, 01X
FOREWORD

By Yukiya Amano, Director General

The IAEA's principal objective under its Statute is to accelerate and enlarge the contribution of atomic energy to peace, health and prosperity throughout the world. Our work involves both preventing the spread of nuclear weapons and ensuring that nuclear technology is made available for peaceful purposes in areas such as health and agriculture.

It is essential that all nuclear and other radioactive materials, and the facilities in which they are held, are managed in a safe manner and properly protected against criminal or intentional unauthorized acts. Nuclear security is the responsibility of each individual country, but international cooperation is vital to support States in establishing and maintaining effective nuclear security regimes. The central role of the IAEA in facilitating such cooperation, and providing assistance to States, is well recognized. The Agency's role reflects its broad membership, its mandate, its unique expertise and its long experience of providing technical assistance and specialist, practical guidance to States.

Since 00, the IAEA has issued Nuclear Security Series publications to help States to establish effective national nuclear security regimes. These publications complement international legal instruments on nuclear security, such as the Convention on the Physical Protection of Nuclear Material and its Amendment, the International Convention for the Suppression of Acts of Nuclear Terrorism, United Nations Security Council Resolutions 1 and 10, and the Code of Conduct on the Safety and Security of Radioactive Sources. Guidance is developed with the active involvement of experts from IAEA Member States, which ensures that it reflects a consensus on good practices in nuclear security.

The IAEA Nuclear Security Guidance Committee, established in March 01 and made up of Member States' representatives, reviews and approves draft publications in the Nuclear Security Series as they are developed. The IAEA will continue to work with its Member States to ensure that the benefits of peaceful nuclear technology are made available to improve the health, well-being and prosperity of people world-wide.
CONTENTS

1. INTRODUCTION
   Background
   Objective
   Scope
   Structure
CHARACTERIZATION OF INSIDERS
   Attributes of insiders
   Motivations of insiders
   Categories of insider adversaries
   Guidance for identifying potential insider threats
TARGET IDENTIFICATION
   Targets for unauthorized removal
   Sabotage targets
   Protection of systems that contribute to nuclear security
COMPREHENSIVE MEASURES AGAINST POTENTIAL INSIDER THREATS
   General approach
   Preventive measures
      Management Systems
      Computer Systems
   Protective measures
      Detection
      Delay
      Response
      Contingency plans
      Maintenance programme
      System recovery
EVALUATION OF MEASURES
   Objectives and overview of the evaluation process
   Evaluation of preventive measures
   Evaluation of protective measures
   Evaluation of measures against collusion between insiders
   Evaluation of measures against protracted theft
   Evaluation of measures against sabotage
REFERENCES
GLOSSARY
1. INTRODUCTION

BACKGROUND

1.1. The IAEA published an Implementing Guide in 00 on preventive and protective measures against insider threats. Since then, the IAEA has issued Nuclear Security Fundamentals [1] describing the essential elements of a national nuclear security regime and Nuclear Security Recommendations setting out measures that States should take to achieve and maintain an effective national nuclear security regime consistent with the Fundamentals for nuclear material and nuclear facilities []¹, for radioactive material and associated facilities [] and for nuclear and other radioactive material out of regulatory control [] or in transport.

1.. All of these publications, as well as guidance in the Nuclear Security Series on other specific aspects of nuclear security [ 1], recognize the particular threat that could be posed by insiders and the need to implement specific measures against the insider threat. This Implementing Guide has been developed to update and revise the guidance provided in the 00 Guide, to ensure that it is consistent with the Nuclear Security Fundamentals and Recommendations published since 00.

OBJECTIVE

1.. The objective of this Implementing Guide is to provide updated general guidance to States, and their competent authorities and operators, on implementing recommendations for addressing insider threats, particularly those set out in Ref. [] for nuclear material and nuclear facilities.

SCOPE

1.. This Implementing Guide focuses primarily on preventive and protective measures against insider threats in relation to the unauthorized removal of nuclear material and sabotage of nuclear material and facilities, and therefore makes particular reference to the recommendations in Ref. []. The general approaches described in the guidance may also be applied, following a graded approach, to measures against insider threats in relation to radioactive material and associated facilities, materials undergoing transport, as well as to the measures to deal with radioactive material out of regulatory control.

¹ The recommendations for nuclear material and nuclear facilities in Ref. [] are also Revision of INFCIRC/, the guidance to Contracting Parties to the Convention on the Physical Protection of Nuclear Material (CPPNM) [] on measures to meet their obligations under the Convention. Revision also includes guidance on how to meet the obligations of Contracting Parties under the amended Convention in the event of the 00 Amendment to the CPPNM [] entering into force.
This publication applies to any type of nuclear facility, notably nuclear power plants, research reactors and other nuclear fuel cycle facilities (e.g. enrichment plants, reprocessing plants, fuel fabrication plants and storage facilities), whether in construction, operation, shut down or being decommissioned. As indicated above, the general approaches may also be applicable to other facilities and activities. For the purposes of this publication, insider access to the facility includes three different types: 1) physical access, 2) remote computer access, and 3) access to or knowledge of sensitive information about the facility.

1.. The preventive and protective measures described in this publication should be implemented in a manner that does not affect safety systems. Implementation of this guidance should also take worker radiation protection into account.

1.. Information regarding measures against insider threats, incidents involving malicious insiders and associated lessons learned should be carefully collected by official national organizations to analyse trends, weaknesses and best practices, and if appropriate, shared with authorized international agencies.

1.. This publication is a revision of, and supersedes, the Implementing Guide Preventive and Protective Measures against Insider Threats published as Nuclear Security Series No. in 00.

STRUCTURE

1.. Sections of this Implementing Guide provide general guidance to States, competent authorities and operators regarding insider threats. Section introduces the concepts of the insider and insider threats, the motivations and other considerations for use in analysing insider actions, and ways to categorize insiders into groups. Section identifies targets and facility systems that need protection from malicious insider activities. Section describes comprehensive preventive and protective measures that can be applied at the facility level to address insider threats.
Section discusses the evaluation of the measures introduced in Section.

CHARACTERIZATION OF INSIDERS

.1. An insider is defined in Ref. [] as one or more individuals with authorized access to nuclear facilities or nuclear material in transport who could attempt unauthorized removal or sabotage, or who could aid an external adversary to do so. The definition in Ref. [1] generalizes this to include access to other radioactive material, facilities and activities, and the possibility of committing or facilitating other possible criminal or unauthorized acts, and also specifically includes individuals with authorized access to sensitive information.

The term adversary is used in this Implementing Guide to describe an individual or group of individuals performing or attempting to perform a malicious act.
Insider adversaries pose a severe threat to a facility because they can exploit their advantages of having authorized access to, authority over, or knowledge about nuclear material, nuclear facilities or associated systems when attempting a malicious act. The insider's advantage may include access to or knowledge of sensitive information or sensitive information assets, including, for example, information regarding transport or movement of nuclear material.

The term outsider is used to describe an adversary other than an insider.

ATTRIBUTES OF INSIDERS

A nuclear security system is designed and evaluated against threats posed both by outsiders and insiders. Insider threats possess a unique set of attributes that give them advantages over outsiders in conducting malicious activities. Those advantages include:

Access. Insiders, by the nature of their position in the organization, have access to areas, equipment and information relevant to their work. Access includes physical or remote computer access to nuclear facilities, nuclear materials and associated systems, components and equipment. This may include access to computer systems and networks that control processes, provide safety, contain sensitive information or otherwise contribute to nuclear security.

Authority. Insiders have authority to conduct operations in the performance of their assigned duties, and may also have the authority to direct other employees. Such authority may be used to support malicious activities and can include physical acts, but may also include computer activities such as digital file or process manipulation.

Knowledge. Insiders may have expert knowledge of the facility or systems, including knowledge enabling them to bypass or defeat dedicated physical protection elements or other facility systems such as safety, nuclear material accounting and control (NMAC), operating measures, procedures and response capabilities.
In addition to potential insiders identified through the inherent ability to obtain authorized access, people with no access to a facility or transport operation but with sufficient knowledge and/or authority to conduct a malicious act (e.g. a headquarters manager who issues a counterfeit delivery order to an outside location) should be given specific consideration.

Access, authority and knowledge create more opportunities for insiders to select the most vulnerable target and the best time to perform or attempt to perform a malicious act. Insider adversaries might extend a malicious act over a long period of time to maximize the likelihood of success. This could include, for example, tampering with physical protection equipment or safety equipment to prepare for an attempt or act of sabotage, or falsifying accounting records to repeatedly steal small amounts of nuclear material that have less robust protection.
MOTIVATIONS OF INSIDERS

Insiders may have different motivations for their malicious activities. Examples of possible motivations include financial or ideological factors, revenge or ego, and coercion.

Sufficient motivation for an individual to become an insider adversary may exist prior to or after access to the facility is obtained. An insider who already has access may develop the motivation to perform a malicious act independently, or as a result of a mental health or medical issue, or may be recruited by another adversary seeking to exploit their access. An insider could be forced to commit a malicious act through coercion (such as threats against his person or family).

An unwitting insider is an insider without motivation who may be exploited without his/her knowledge by another insider or by an outsider to complete or facilitate a malicious action. For example, in a computer-based attack, an insider may not be aware that they are providing information or authenticated access to an adversary, and is therefore unaware of their involvement in the attack.

Figure 1 represents the process an insider may follow in committing a malicious act. The algorithm addresses how attributes, motivation and confidence can affect the insider's actions.
FIG. 1. Algorithm of a malicious act.

CATEGORIES OF INSIDER ADVERSARIES

.1. An insider adversary may be categorized as being passive or active, and an active adversary may be violent or non-violent (Figure ).

.1. A passive insider adversary is characterized by non-violent activity, primarily providing privileged information that could help adversaries to perform a malicious act.

.1. An active non-violent insider adversary can provide information and/or use stealth and deceit to complete or facilitate a malicious act. The active non-violent insider adversary may attempt an abrupt or protracted theft of nuclear material, or may assist outside adversaries (for example, by disabling or ignoring alarms, or opening doors). Active non-violent insiders would be expected to abandon their actions if there were a high probability of being identified (they may risk detection but not identification).

.1. An active violent insider adversary differs from the active non-violent insider only in that the individual is willing to use force against personnel in order to complete or facilitate a malicious act.

FIG. . Categories of insider adversaries. (Figure content: Insider; Passive; Active; Nonviolent; Violent.)

.1. Insiders hold many different positions in an organization (e.g., experimenter, physical protection system designer, system administrator, IT specialist, security guard, material handler, clerk, nuclear material custodian, safeguards officer, operational and maintenance worker or senior manager) and any of these might have the motivation to be an insider adversary. Others not directly employed by the operator but who also have access (such as vendors, emergency personnel such as firefighters and first responders, contractors, subcontractors and inspectors from regulatory bodies or other competent authorities) should also be considered.

.1. Insider adversaries may therefore have the opportunity to commit a malicious act during normal or abnormal conditions of a facility, maintenance, or transport or movement of nuclear material, and may select the most favourable time to do so.

.1. Insiders could act independently or in collusion (secret cooperation for an illegal or malicious purpose) with other insiders or outsiders.

GUIDANCE FOR IDENTIFYING POTENTIAL INSIDER THREATS

.1. The design basis threat is an important tool commonly used as a basis for developing nuclear security systems and measures. A State should consider attributes and characteristics of potential insider adversaries and include them in the design basis threat or threat assessment.

.0. This section presents guidance for identifying potential insider threats at the facility level.
Information on insiders should be provided in the design basis threat or other State-level documents, such as a national threat assessment, as a starting point.
When the design basis threat has not been developed for certain areas of nuclear activities with limited potential radiological and proliferation consequences, the measures to protect against insider threats should be based on those proposed in Sections and of this publication.

In addition to the information in the design basis threat, information on the facility, nuclear material, and processes or transport operations should be used to identify potential insider threats based on levels of access, authority over others and knowledge that could support performing or facilitating malicious acts.

Modern facility systems, including those that contribute to nuclear security, rely on computer controls and networks. These should be protected against cyber attack as set out in Ref. [1] for nuclear material and nuclear facilities and should be considered when identifying potential insider threats. The threat from an external person with approved access to facility systems through computer networks must be treated as a potential insider threat.

Situations outside the facility or in the vicinity of transport routes, including the general attitude of the community and any presence of organized hostile groups, may also be favourable to insider threats. Any such conditions should also be considered. Special attention should be given to possible connections between hostile groups and individuals with experience in facility operations or with access to the nuclear facility. The operator, through a formal relationship with appropriate government agencies, should be made aware of these situations when considering insider threats.

TARGET IDENTIFICATION

.1. Target identification is an evaluation of what needs to be protected, including nuclear material, associated areas, buildings and equipment, components, systems and functions, but does not include consideration of how to provide protection.
Guidance on target identification for facilities and for nuclear and radioactive material is provided in Refs [], [] and [1].

Assets that are not themselves considered targets but are critical for the protection of identified targets may also require protection. These are systems that an insider adversary can potentially bypass or compromise in order to complete a malicious act. Examples of these systems may include those for NMAC, physical protection, operations, process control equipment important to safety, and computer systems.

TARGETS FOR UNAUTHORIZED REMOVAL

Nuclear material targets for unauthorized removal should be identified through information or criteria contained in a State-level document. Targets may be grouped in one of three categories (I, II and III) identified in the table Categorization of Nuclear Material in both the CPPNM [] and Ref. []. The categorization is the basis for a graded approach for protection against unauthorized removal of nuclear material that could be used in a nuclear explosive device.

To take all of these into account, the inventory of all nuclear material at a facility or during movements should be considered. The inventory list should include at a minimum the amount, form, type, responsibility, and location of all nuclear material at the facility or during movement.

Potential targets for unauthorized removal of nuclear material by the insider should take into account protracted theft and abrupt theft. Abrupt theft is the unauthorized removal of a quantity of nuclear material during a single event; protracted theft is the repeated, unauthorized removal of small quantities of nuclear material during several events from either single or multiple locations (possibly of lower categorization). Protracted theft may be accomplished either by removing the nuclear material from the facility with each acquisition, or by the accumulation of the nuclear material in a hidden unauthorized location and later removal from the facility in one attempt.

In addition, in identifying the targets for unauthorized removal of nuclear material by insiders, the possibility of an adversary collecting an amount equivalent to a higher category from several locations of lower category should be considered.

The insider may choose to use protracted theft of small quantities of nuclear material to stay under the detection limits of systems such as NMAC and physical protection systems. Properties of nuclear material, including physical form, should be considered when determining if protracted theft is reasonable.

Theft targets may include sensitive nuclear technology, either physical items or information.

SABOTAGE TARGETS
Sabotage targets at a facility are determined by analysing the potential for the facility's radioactive material inventory, including nuclear material and radioactive sources, to result in unacceptable radiological consequences (URC) or high radiological consequences (HRC). HRC exceed URC and are defined by the State competent authority and may vary from State to State. For HRC it is recommended that vital areas are identified and protected at a higher level, as specified in paras .0. of Ref. []. If the analysis identifies material, equipment, systems, or devices that could directly or indirectly lead to URC or HRC, then the material, equipment, systems, and devices must be protected.

As specified in Ref. [], the operator should design a physical protection system (nuclear security) that is effective against defined sabotage scenarios (including insider adversaries). The physical protection system developed should be an element of an integrated facility system to prevent the potential consequences of sabotage, taking into account the robustness of engineered safety and operational features.

.1. The combination of actions (scenarios) to degrade facility components, systems, and equipment that may result in unacceptable or high radiological consequences should be identified as part of the target identification process.

PROTECTION OF SYSTEMS THAT CONTRIBUTE TO NUCLEAR SECURITY

.1. Protection of systems that contribute to the facility nuclear security system should be considered. The more obvious components are the actual detection elements or systems, which include physical protection systems, NMAC systems, safety and process control systems.

.1. A complete insider evaluation should consider all aspects of the nuclear security system that could require additional protection from insider activities. The insider has authorized access to the facility and to information about the facility, and therefore can attack other systems or components that may indirectly perpetrate an attack, mask malicious acts or aid an external adversary. Depending on the facility or operation, computers used, for example, for office networks or communication, may be exploited by the insider, for example to acquire sensitive information.

Nuclear systems that are computer based provide functions that, if attacked, could have an adverse effect on safety, security of nuclear material, or accident mitigation. Cyber attacks may potentially cause safety, safety-related, non-safety systems and security systems to operate in ways that compromise facility safety and security. Computer systems that contain information related to safety or security should undergo a classification and inventory based on risk and potential consequence (e.g., defence in depth) to identify critical computer systems, which may be more vulnerable to an insider malicious act, and the failure of which could cause a nuclear security event.

.1.
Outsiders may target the privileges provided to insiders to access a facility, sensitive information, sensitive information assets, or the facility's networks to facilitate a remote (stand-off) attack. For example, a successful cyber attack against an unwitting insider may allow for use of their privileged access to facilitate the outsider's attack. Communication systems may be targeted by an insider or with the help of an insider, for example as part of an act of sabotage or theft.

COMPREHENSIVE MEASURES AGAINST POTENTIAL INSIDER THREATS

GENERAL APPROACH

.1. The general approach to implementing comprehensive measures against potential insiders is to implement a combination of preventive and protective measures. The term preventive measures is used to describe measures to preclude or remove possible insiders, or to minimize threat opportunities, or to deter or prevent a malicious act from being carried out. The term protective measures is used to describe measures to deter, detect, delay, and respond to malicious acts that are carried out; and to mitigate or minimize their consequences. Protective measures should be coordinated with the overall contingency plans in accordance with agreed procedures.

A robust nuclear security culture is an essential aspect in countering the insider and outsider threat. The foundation of nuclear security culture is recognition that a credible threat exists and that nuclear security is important. Personnel who have a role in regulating, managing, or operating nuclear facilities and activities should be trained to understand their role as part of an important aspect of the nuclear security culture. (For more information on nuclear security culture, see Ref. [].)

Nuclear security culture plays a key role in ensuring that individuals, organizations, and institutions remain vigilant and that sustained measures are taken to counter insider threats. The effectiveness of preventive and protective measures against insider threats depends on the behaviours and actions of individuals. (For indicators that can be used to evaluate the security culture, see Ref. [1].)

Preventive and protective measures may be implemented by the use of technical means, administrative means, or a combination of both.

Preventive and protective measures should provide defence in depth, and should be fully integrated into a well-developed nuclear security system. Security systems at existing operating facilities may need to be upgraded to meet evolving insider threats.

The facility should develop a nuclear security plan as defined in Ref. [] and ensure that it addresses the insider threat.
The primary principle of insider threat prevention and mitigation is to incorporate the insider threat as an integral part of planning and evaluation at the facility level, when designing and implementing protection systems.

The nuclear security plan should be used to define how measures are implemented at the nuclear facility, including measures to specifically protect against the insider threat for the identified targets, and should include the following:

Technical measures:
   o multiple protection layers, including containment and surveillance fitted with detection and delay,
   o monitoring and hardening of networks and associated devices,
   o technical measures to enforce access control, and

Administrative aspects:
   o procedures,
   o instructions,
   o administrative sanctions,
   o access control rules,
   o two-person rules,
   o confidentiality rules, and
   o administrative checks.

The plan should also specify how the measures will be evaluated.

A robust security system design should include several layers of defence and should effectively and comprehensively integrate the administrative and technical aspects of the preventive and protective measures that insiders would have to overcome or circumvent in order to achieve their objectives. Implementation of the administrative and technical aspects is through documented operating procedures that integrate people and equipment.

Technical and administrative aspects against insider threats have traditionally been shaped primarily by physical protection principles. Therefore, it is recommended that information and computer security be considered as a component in the overall security plan and that such a plan addresses the insider threat posed by adversaries with the ability to conduct cyber attacks.

For insiders, requirements of preventive and protective measures should be based on a graded approach that takes into account the current defined threat; the relative attractiveness; the characteristics of the nuclear material; and the potential consequences associated with the unauthorized removal of nuclear material, and sabotage against nuclear material or nuclear facilities.

Figure illustrates the steps (represented by the arrows between boxes) for preventive and protective measures against the potential insiders identified in Section.

Preventive Measures:
(1) Exclude potential insiders by identifying undesirable behaviour or characteristics, which may indicate motivation, prior to allowing them access;
(2) Further exclude potential insiders by identifying undesirable behaviour or characteristics, which may indicate motivation, after they have access;
(3) Minimize opportunities for malicious acts by limiting access, authority and knowledge, and by other measures.

Protective Measures:
(4) Detect, delay, and respond to malicious acts;
(5) Mitigate or minimize consequences and locate or recover the material.
FIG. . Steps for preventive and protective measures against potential insiders.

.1. Many measures listed in paras .1. can be considered as both preventive and protective measures. Each proposed measure should be considered and taken into account for its preventive or protective characteristics.

PREVENTIVE MEASURES

.1. The goal of preventive measures is to reduce the number of potential adversaries and to minimize the likelihood of insiders attempting a malicious act. Preventive measures are applied pre-employment, during employment, and upon termination. The following are recommended as preventive measures.

.1. Individuals applying for access should be subject to:

(a) Identity verification, to authenticate an individual's identity. This confirms that personal details of the individual in question are correct.

National laws may restrict the scope or conduct of identity verification and trustworthiness assessments in a State. The provisions of this Implementing Guide are without prejudice to the legal rights of individuals, including the right to due process, under national and/or international law.
(b) Personal document verification, to authenticate details of an applicant's work history, educational background and skill set applicability to the work to be performed. Verification and validation of the documents may be accomplished by contacting prior employers, educational institutions and references.

(c) Trustworthiness assessment, providing initial and ongoing assessments of an individual's integrity, honesty and reliability in pre-employment checks and checks during employment that are intended to identify the motivation or behaviour of persons who could become insider adversaries. These checks attempt to identify motivational factors such as greed, financial factors, ideological interests, psychological factors, desire for revenge (e.g., due to perceived injustice), physical dependency (e.g., on drugs, alcohol, or sex) and factors due to which an individual could be coerced by outsiders. Such factors might be indicated by a review of criminal records, references, past work history, financial records, social networks, political networks, medical records and psychological examinations or records. The State should determine a trustworthiness policy.

.1. The following measures should be applied for individuals with authorized access (including access to critical assets or vital areas):

(d) Escorting. Persons whose trustworthiness has not been determined (e.g., temporary repair, service or construction workers, and visitors) should be escorted by persons who have authorized, unescorted access. Escorting such people is a way of making sure that they are in the correct location and that they are performing their duties properly. To be effective, the escort should be knowledgeable about their approved activities, including access to specific places and actions they should not perform.

(e) Periodic reassessment of trustworthiness.
Ongoing trustworthiness assessments should be conducted during employment as some of the behaviours and characteristics of an employee may not have previously been apparent or may change over time. These reviews are of particular interest in the case of temporary employees and workers whose duties may place them close to sensitive targets. The use of random testing for drug use or alcohol use during a work shift should also be considered. The depth of the trustworthiness checks should be graded according to the level of access the individual has (e.g., insiders performing network administration or supervisory activities should require a higher level of trustworthiness). This should include insiders that may facilitate remote access to sensitive information assets.
(f) Requirements to protect sensitive information. Information on security measures or sensitive targets (e.g., the location of the nuclear material inventory, facility maps or specific drawings of equipment, systems or devices that represent the design features of specific targets, lock combinations, passwords and mechanical key designs) could help insiders successfully perform a malicious act. This information should be kept confidential so that only those who need to know are permitted access to it. In addition, information addressing potential vulnerabilities in nuclear security systems should be highly protected and compartmentalized, as it could facilitate the unauthorized removal of nuclear material or an act of sabotage.

(g) Authorization of access. A documented process for authorizing and revoking access to nuclear facilities, nuclear material, systems or sensitive information should be established and implemented. The process should apply strict need-to-know and need-to-access rules defined for the facility. Individuals should be authorized for unescorted access only to those areas that are required to complete their assigned work. The number of persons with authorized access to designated areas should be kept to the minimum necessary.

(h) Authorization of activities that involve nuclear material. Activities with nuclear material, such as processing or transportation, should be authorized prior to their occurrence. One example of the authorization of activities with nuclear material is the removal of nuclear material from a storage vault for use in processing. A written procedure that specifies who can remove material from a storage vault, when it can be removed and who can authorize that removal gives an auditable trail for each removal.
A coordinated and approved daily or weekly schedule of activities also focuses additional attention on any unscheduled activities and helps eliminate opportunities for unauthorized activities, even by personnel who normally perform those activities.

(i) Compartmentalization. Compartmentalization is used to divide areas, duties or information such that one individual does not have sufficient access, authority or knowledge to complete a malicious act. Effective compartmentalization ensures that insiders would have to expend additional effort to complete a malicious act.

o Physical areas. Compartmentalizing physical areas ensures that one individual does not have access to all the systems, components and equipment that would enable that individual to complete a malicious act. Every effort should be made to ensure that a single person does not acquire all the access authorizations that would enable such an individual to commit a malicious act. The number of individuals with access to any area requiring protection should be limited. Need-to-access rules should be defined and applied to each compartmentalized area. Additionally, the number of persons empowered to grant access authorization to each of the compartmentalized areas should be strictly limited. Need-to-access rules should be reviewed and changed when processes or configurations within the compartmentalized area are changed.
Inspections and performance tests should be performed to ensure procedural adherence to the need-to-access rules. The time of day at which an individual accesses an area should also be considered.

o Segregation of duties. Segregation of duties compartmentalizes the activities of individuals in order to limit an individual's ability to obtain the complete set of capabilities necessary to conduct a malicious act. For example, when authorizing activities, the use of special tools and equipment (including computer systems) required for operations or for handling material may be restricted to designated individuals under specified conditions. Transfer of such special tools, material and equipment between areas should also be formalized and should involve more than one person, in order to minimize opportunities for unauthorized removal of nuclear material by insider adversaries. Segregation of duties includes applying the principle of least privilege to computer systems. The principle of least privilege means assigning an individual only those privileges that are essential to that individual's work.

o Information. Compartmentalizing information means dividing information into separately controlled parts and enforcing access control measures by administrative and technical means to prevent insiders from collecting all the information necessary to attempt a malicious act. Special attention should be paid to electronic information. Need-to-know rules that are defined for sensitive information should be used when compartmentalizing information.

(j) Standard operating procedures. A standard operating procedure (SOP) is a written instruction that directs recurring tasks according to approved specifications in order to produce a required outcome. SOPs are useful in mitigating possible malicious insider acts because they provide a baseline of predetermined activities from which deviations in procedure can be more readily detected and challenged by other employees or managers.
(k) Security awareness raising and training. Implementing a strong security awareness programme for staff and contractors contributes to an ongoing security culture within the organization and is an effective measure against the insider threat. A strong security awareness programme requires clear security policies, the enforcement of security practices and continuous training. The purpose of the training programme is to establish an environment in which all employees are mindful of security policies and procedures, so that they can aid in detecting and reporting inappropriate behaviour or acts. The training programme should include methods to evaluate security awareness and training effectiveness, and processes for continuous improvement or retraining, including methods and indications associated with cyber attacks.

(l) Everyone, irrespective of their role or function, should be aware of the threats and potential consequences of malicious acts and of their own role in reducing the risks and in developing a comprehensive and effective security framework. Security awareness programmes should also provide for measures to reduce the risks of blackmail, coercion, extortion or other threats to employees and their families, and should promote the reporting of such coercion, or attempts at it, to security management. Finally, security awareness programmes should be developed in a coordinated manner with safety awareness programmes in order to establish effective and complementary safety and security cultures. It is important for management to ensure that security awareness of the insider threat is fully integrated into the overall facility nuclear security culture.

(m) Investigation of incidents of security concern. Incidents of security concern are any incidents that occur at a facility that are related to violations or irregularities associated with security policies, procedures or systems. A programme of investigating these incidents to determine their potential impacts, cause and extent of condition will help the facility develop corrective actions and can be a preventive measure against insider threats. Some incidents may be caused by an insider as a precursor to a malicious event, to prepare for the event or to test the system. Investigating these incidents may act as a deterrent and may identify personnel who pose a potential threat to the facility.

(n) Employee satisfaction and rewards. Good relations among workers and between management and workers should be given due consideration and should be part of the security culture. Managers should be trained to identify and raise any concerns about an employee's behaviour with an appropriate person (e.g., a senior manager, security manager or human resource adviser). Rewards and recognition are an important part of maintaining and increasing employee morale and loyalty. Assistance to employees who are in difficult situations (financial, medical and psychological) may be considered.
Employee health and fitness for duty programmes may also be considered.

(o) Sanctions (disciplinary actions and prosecution). It is important that potential insiders be aware that deliberate violation of laws and regulations or of the instructions of the operator may be sanctioned. The certainty of disciplinary action and prosecution may deter insiders from committing malicious acts. In addition, requiring operators to inform the competent authority of every malicious act or attempt would provide, after proper evaluation, a basis for feedback to other operators and for identifying a possible need to update regulatory requirements.

(p) On termination of an individual's position or employment, that individual's access (including computer access) and authority should be cancelled. Termination procedures should be established, which should include measures such as revoking physical access, invoking a non-disclosure agreement to protect sensitive information, and changing encryption keys, passwords, ciphers and monitoring information.
Management Systems

.1. Quality assurance is an element of a satisfactory nuclear security programme. The quality assurance policy and programmes for nuclear security should ensure that a nuclear security system is designed, implemented, operated, inspected and maintained in a condition capable of effectively responding to the insider adversary, based on the threat assessment or design basis threat and the State's regulations.

.1. Quality assurance programmes should ensure that nuclear security systems designed using a performance-based approach have adequate supporting documentation of their effectiveness. This is particularly important when establishing compensatory measures and when implementing and justifying corrective actions.

.1. Preventive and protective measures may be implemented through standard operating procedures. SOPs minimize variation and promote quality through consistent implementation of a process within an organization, even when there are personnel changes. SOPs can also encourage compliance with organizational and governmental requirements, as they provide written documentation that can be compared with actual activities at the facility.

.1. Quality assurance should require configuration management of the nuclear security systems to ensure the continuity of these systems and an understanding of the potential consequences when changes are made.

Computer Systems

.0. Escorting and quality assurance will not provide sufficient protection for computer and network systems. For example, third parties and vendors may have physical access during development, and logical access during all life cycle stages, to sensitive information and assets.

.1. An acceptable use policy for computer-based systems should be defined. This policy may set out the approved use of assets, set forth employee expectations in regard to the monitoring of that use, provide for training, and explicitly identify unapproved actions on computing systems. The use of technical measures to enforce or enhance the policy should be considered. For example, a social media policy could be defined and training provided on the use of social media by cyber adversaries for target identification (the unwitting insider).

.. Information security includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of sensitive information. It uses physical, technical and administrative controls to accomplish these tasks.
PROTECTIVE MEASURES

.. The purpose of protective measures is to detect, delay and respond to malicious acts after their initiation by the insider. When designing and implementing protective measures, efforts should be made to ensure that these measures are supportive of, and do not have an adverse effect on, plant operations and safety. In case of conflict, particularly with safety measures, a solution must be reached in which the overall risk to the workers and the public is minimized. The following items are recommended as protective measures. They include physical protection systems, operations systems, safety systems, information security and NMAC, which can be used in combination to aid in protecting against malicious acts by insiders. These measures should be applied using a graded approach for identified targets, including nuclear material, nuclear facilities and other areas identified with targets that contribute to nuclear security.

Detection

.. Detection (for both insider and outsider adversaries) is a process that begins with sensing a potentially malicious or otherwise unauthorized act and is completed with the assessment of the cause of the alarm. Provision should be made for timely detection of unauthorized or suspicious acts.

.. Detection of insider malicious acts is heavily dependent on personnel monitoring systems, network monitoring controls, inspection of system activity logs and observation of activities. To be effective, monitoring, inspection and observation require the personnel performing these duties to be authorized and trained in established procedures, and to have the knowledge and means to immediately report suspected malicious acts or suspicious activity. Policies and procedures should be implemented that ensure employees face no repercussions for reporting malicious acts or suspicious activity.

.. Assessing an insider action may be difficult and may require time to analyse data or perform an investigation. Investigation may include review of recorded video, network monitoring data, access logs and NMAC measurement data, or performing emergency inventories. Correct assessment of an insider malicious act is heavily dependent on the personnel performing analysis and investigation. When analysis or investigation is required for assessment, the time between sensing and assessment directly affects the ability to respond to a malicious act in a timely manner.

.. Procedures for reporting malicious acts or potential malicious acts should be established to ensure timely communication to the appropriate entity.

.. It is very important to detect and investigate actions that may be in the preparatory or exploratory phase. This may include detecting and monitoring attempts to bypass procedures (such as bringing prohibited items into an area); entering areas where the person is not authorized (attempting to enter through an emergency door or other possible path); causing an alarm and then observing the time and nature of the response; or attempting to gain access to information to which the person has not been granted access.

.. Detecting the insider requires identifying facility specific protective measures that are designed to identify (sense), correctly assess and report potential insider malicious acts or preparatory acts.

.0. In the case of outsiders, detection measures focus on detecting penetration of protective layers by adversaries. Detection of malicious acts committed by insiders is more difficult. Insiders may have authorized access or be able to bypass or defeat many physical protection and NMAC measures. However, many (multiple and diverse) elements of the physical protection and NMAC systems may be implemented to specifically address sensing of potential insider malicious actions and provide information for correct assessment. A comprehensive assessment of possible insider activities should combine the investigation of all sensing provided by the different measures, to ensure that signals which individually might seem meaningless or insignificant, but which when combined are indications of malicious activity, are not missed.

Access control

.1. Monitoring access is an element of a robust access control system that provides protection by defining and preventing unauthorized access by personnel and vehicles to nuclear material, systems and equipment. Potential insider malicious acts may be identified when monitoring or inspecting the access logs of physical locations and computer systems for irregularities or suspicious events. Inspection of logs may identify events such as unscheduled vault access, a failed PIN or biometric for an authorized badge, or entry attempts by unauthorized individuals. Once identified, the irregularity or suspicious event can be assessed as a potential malicious act.

.. If appropriately recorded, access control records can be used during the investigation of a malicious act to determine a list of possible suspects. Requests for authorized access to security areas, or to systems relevant to safety or security, whether approved or disapproved, should also be reviewed and inspected to identify potential insider malicious activity.

.. Strict access control rules, and the process for authorizing and revoking access to nuclear material, to equipment used for processing or handling nuclear material, or to data about nuclear material or systems relevant to safety or security, should be established and documented. Procedures should be developed to provide instructions on authorization to access nuclear material areas and on the actions required to control nuclear material in routine and non-routine situations as well as in actual or simulated emergency situations. Access control rules apply, for example, to provisions for manual systems (control and dissemination of keys and combinations) and electronic systems (printing badges, enrolling PINs and biometrics, and control of locks).
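The access log review described above (inspecting access records for unscheduled vault access, a failed PIN or biometric on an authorized badge and entry attempts by unauthorized individuals, then combining signals that are insignificant on their own), together with the earlier points that a coordinated schedule draws attention to unscheduled activity and that the time of day of an access should be considered, as an added example that is not part of this guide. The badge authorizations, operating schedule and log records are constructed sample data, and the indicator names and the escalation threshold are assumptions made for illustration.

```python
# Added example (not the IAEA guide's own code): review constructed
# access-control records for the irregularities the guide lists and
# correlate them per badge holder. Names and threshold are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed need-to-access list: badge -> areas it may enter unescorted.
AUTHORIZED = {
    "B1001": {"VAULT", "PROCESS"},
    "B1002": {"PROCESS"},
    "B1003": {"ADMIN"},
}

# Constructed approved daily schedule: area -> (start, end) of scheduled
# operations. Access granted outside this window counts as unscheduled.
SCHEDULE = {
    "VAULT": (time(8, 0), time(16, 0)),
    "PROCESS": (time(6, 0), time(22, 0)),
    "ADMIN": (time(7, 0), time(19, 0)),
}

# Constructed access-control export: timestamp, badge, area, result.
SAMPLE_LOG = """\
2024-03-04T08:15:00 B1001 VAULT GRANTED
2024-03-04T09:02:00 B1002 PROCESS GRANTED
2024-03-04T12:40:00 B1003 PROCESS DENIED
2024-03-04T21:30:00 B1001 VAULT PIN_FAIL
2024-03-04T21:31:00 B1001 VAULT PIN_FAIL
2024-03-04T21:33:00 B1001 VAULT GRANTED
2024-03-04T22:10:00 B1003 ADMIN GRANTED
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    badge: str
    area: str
    result: str


def parse_log(text):
    """Parse the space-separated export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, badge, area, result = line.split()
        events.append(Event(datetime.fromisoformat(stamp), badge, area, result))
    return events


def within_schedule(area, when):
    """True if `when` falls inside the approved operating window for `area`."""
    start, end = SCHEDULE[area]
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window that crosses midnight


def indicators(events):
    """Tag events matching the guide's log irregularities as
    (badge, indicator, event) triples; each one alone is a weak signal."""
    found = []
    for ev in events:
        if ev.area not in AUTHORIZED.get(ev.badge, set()):
            # Entry attempt by someone not on the need-to-access list,
            # whatever the outcome of the attempt.
            found.append((ev.badge, "attempt_without_authorization", ev))
        elif ev.result in ("PIN_FAIL", "BIO_FAIL"):
            # Authorized badge, but the second factor did not match.
            found.append((ev.badge, "credential_failure_on_authorized_badge", ev))
        elif ev.result == "GRANTED" and not within_schedule(ev.area, ev.when):
            # Legitimate credentials used outside the coordinated schedule.
            found.append((ev.badge, "unscheduled_access", ev))
    return found


def correlate(found, threshold=2):
    """Group indicators per badge and escalate holders reaching `threshold`;
    the result is a referral list for assessment, not a finding of intent."""
    per_badge = defaultdict(list)
    for badge, kind, ev in found:
        per_badge[badge].append((kind, ev))
    return {b: sigs for b, sigs in per_badge.items() if len(sigs) >= threshold}


def review(text, threshold=2):
    """Full pipeline: parse records, tag indicators, correlate per badge."""
    return correlate(indicators(parse_log(text)), threshold)


if __name__ == "__main__":
    for badge, sigs in sorted(review(SAMPLE_LOG).items()):
        print(f"{badge}: {len(sigs)} indicators, refer for assessment")
        for kind, ev in sigs:
            print(f"  {ev.when.isoformat()} {ev.area:<8} {kind}")
```

On the sample records, two PIN failures followed by a late-evening vault entry on one badge, and a denied attempt on an unauthorized area plus an after-hours entry on another, are each escalated, while the single routine entries are not.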
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationJoint Statement of the Eminent Persons Group for the 2012 Seoul Nuclear Security Summit
Joint Statement of the Eminent Persons Group for the 2012 Seoul Nuclear Security Summit We, members of the Eminent Persons Group established to advise the President of the, Lee Myung-bak, on the 2012 Seoul
More informationHIPAA Security Rule Policy Map
Rule Policy Map Document Information Identifier Status Published Published 02/15/2008 Last Reviewed 02/15/1008 Last Updated 02/15/2008 Version 1.0 Revision History Version Published Author Description
More informationTEL2813/IS2621 Security Management
TEL2813/IS2621 Security Management James Joshi Associate Professor Lecture 4 + Feb 12, 2014 NIST Risk Management Risk management concept Goal to establish a relationship between aggregated risks from information
More informationImplementation of INFCIRC 901: Promoting Certification, Quality Management and Sustainability of Nuclear Security Training
Implementation of INFCIRC 901: Promoting Certification, Quality Management and Sustainability of Nuclear Security Training Rhonda Evans Head, WINS Academy Presentation to the IAEA International Conference
More informationLegal, Ethical, and Professional Issues in Information Security
Legal, Ethical, and Professional Issues in Information Security Downloaded from http://www.utc.edu/center-information-securityassurance/course-listing/cpsc3600.php Minor Changes from Dr. Enis KARAARSLAN
More informationInformation for entity management. April 2018
Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationCyber Security Strategy
Cyber Security Strategy Committee for Home Affairs Introduction Cyber security describes the technology, processes and safeguards that are used to protect our networks, computers, programs and data from
More informationOhio Supercomputer Center
Ohio Supercomputer Center Security Notifications No: Effective: OSC-10 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationDRAFT. Standard 1300 Cyber Security
These definitions will be posted and balloted along with the standard, but will not be restated in the standard. Instead, they will be included in a separate glossary of terms relevant to all standards
More informationPSEG Nuclear Cyber Security Supply Chain Guidance
PSEG Nuclear Cyber Security Supply Chain Guidance Developed by: Jim Shank PSEG Site IT Manager & Cyber Security Program Manager Presented at Rapid 2018 by: Bob Tilton- Director Procurement PSEG Power Goals
More informationRESOLUTION 67 (Rev. Buenos Aires, 2017)
524 Res. 67 RESOLUTION 67 (Rev. Buenos Aires, 2017) The role of the ITU Telecommunication Development Sector in child online protection The World Telecommunication Development Conference (Buenos Aires,
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationPolicy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationInternal Audit Report DATA CENTER LOGICAL SECURITY
Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory
More informationSubject: Kier Group plc Data Protection Policy
Kier Group plc Data Protection Policy Subject: Kier Group plc Data Protection Policy Author: Compliance Document type: Policy Authorised by: Kier General Counsel & Company Secretary Version 3 Effective
More informationPort Facility Cyber Security
International Port Security Program Port Facility Cyber Security Cyber Security Assessment MAR'01 1 Lesson Topics ISPS Code Requirement The Assessment Process ISPS Code Requirements What is the purpose
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationHIPAA Security Checklist
HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR
More informationCourses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X
4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss
More informationHIPAA Security Checklist
HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR
More informationIdentity Theft Prevention Policy
Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening
More informationINFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ
INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ JYVÄSKYLÄN YLIOPISTO Introduction With the principles described in this document, the management of the University of Jyväskylä further specifies
More informationTechnical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016
For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationINFORMATION SECURITY POLICY
Open Open INFORMATION SECURITY POLICY OF THE UNIVERSITY OF BIRMINGHAM DOCUMENT CONTROL Date Description Authors 18/09/17 Approved by UEB D.Deighton 29/06/17 Approved by ISMG with minor changes D.Deighton
More informationMANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors
Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationStatus of Cyber Security Implementation at Canadian NPPs
Status of Cyber Security Implementation at Canadian NPPs Chul Hwan Jung Technical Specialist Systems Engineering Division (CNSC) Korean Nuclear Society Conference Jeju, Korea, May 11 13, 2016 e-docs 4982091
More informationIntegrating Nuclear Safety and Security: Operational and Policy Perspectives
Integrating Nuclear Safety and Security: Operational and Policy Perspectives Sharon Squassoni Senior Fellow & Director Proliferation Prevention Program Integrating Nuclear Safety & Security Workshop Johns
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationQuestion 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:
Cybercrime Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Organizations can prevent cybercrime from occurring through the proper use of personnel, resources,
More information