104 - Self Assessment ISBR
8/13/2019 104 - Self Assessment ISBR
http://slidepdf.com/reader/full/104-self-assessment-isbr

Information Security Baseline Requirements
for
Process Control, Safety, and Support ICT Systems
Self Assessment

Ver. 1.2

© 2007 Norwegian Oil and Gas Association

This is a self assessment tool for verifying the company's degree of compliance with the Norwegian Oil and Gas Information Security Baseline Requirements (ISBR). The tool (ISBR/SA) was produced to help the companies in assessing the security level of the ICT equipment in the production environment (Process Control, Safety, and Support ICT Systems - PCSS/ICT), and it is not meant as a tool for external reporting. The ISBR/SA is intended for internal use only. How the tool should be utilized is entirely up to the company, but the idea behind this was not to distribute it internally and then collect the answers. The spreadsheet was made for

The summary worksheet can be used for communicating the final results without unveiling the underlying answers.

Answering all of the questions asked for an ISBR is not required in order to get a score. For this reason Not Applicable is not added for Yes/No questions. If a question is not considered relevant, just leave it unanswered.


ISBR# 1 - An Information Security Policy for process control, safety, and support ICT systems environments shall be documented.

1-1 Does the company have an information security policy document specifically developed for the PCSS/ICT systems in the production environments?
1-2 [If NO in ISBR#1-1] Does the company have a global or corporate information security policy which also encompasses the production environment?
1-3 Has the information security policy been signed by local/regional top management?
1-4 Has the information security policy been written or revised during the last three years?
1-5 To what degree is the information security policy enforced in all of the company's production environments?
1-6 To what degree is management active in promoting and enforcing the information security policy?
1-7 To what degree are the employees and contractors in the production environment informed of and familiar with the information security policy?
1-8 To what degree do all the employees and contractors in the production environment abide by the information security policy?
1-9 To what degree have information security instructions and/or guidelines been developed for the production environments?
1-10 To what degree are the information security instructions and guidelines revised and updated on a regular basis?
1-11 To what degree do all the employees and contractors in the production environment abide by the information security instructions/guidelines?

ISBR# 2 - Risk assessments shall be performed for process control, safety, and support ICT systems and networks.

2-1 Does the company have documented requirements to perform risk assessments regularly for all critical PCSS/ICT systems in the production environments?
2-2 Does the company have a documented framework or methodology for risk assessment that can be utilized for information security in the production environments?
2-3 To what degree have information security risk assessments been performed for all critical PCSS/ICT systems during the last year?
2-4 To what degree has top management defined which risks are unacceptable?
2-5 To what degree are uncovered severe information security risks handled immediately?
2-6 Does the company have a dedicated system for registering information security risks?
2-7 To what degree are all uncovered information security risks registered?

2-8 To what degree are all registered risks followed up and responded to within a reasonable timeframe?

ISBR# 3 - Process control, safety, and support ICT systems shall have designated system and data owners.

3-1 To what degree has the company defined, identified, and documented which ICT systems in the production environment are considered critical?
3-2 Are there internal requirements for appointing system owners for critical ICT systems in the production environment?
3-3 To what degree are system owners actually appointed for all critical ICT systems in the production environment?
3-4 Does the company have a documented overview (list or database) of personnel appointed as system owners?
3-5 To what degree is this overview complete and updated?
3-6 Does the company have documentation that describes the authorities and responsibilities of the role as system owner?
3-7 To what degree are all system owners aware of their authorities and responsibilities?
3-8 Are there internal requirements for appointing data/information owners for critical data?
3-9 To what degree are data owners actually appointed for all critical data?
3-10 Does the company have documentation that describes the authorities and responsibilities of the role as data owner?
3-11 To what degree are all data owners aware of their authorities and responsibilities?

ISBR# 4 - The infrastructure shall be able to provide segregated networks, and all communication paths shall be controlled.

4-1 Are there internal documented requirements for segregating the production networks from the administrative networks?
4-2 To what degree are the production networks actually segregated from the administrative networks? (e.g. by installing tightly configured firewalls between the networks)
4-3 To what degree is it currently possible to further segregate the networks in the production environment if needed? (i.e. with the technology and the IT infrastructure that the company has today)
4-4 To what degree does all internal data communication between the production networks and the administrative networks go through controlled gateways? [e.g. firewalls, filtering routers]
4-5 To what degree does all external data communication between the production networks and the suppliers go through controlled gateways? [e.g. firewalls, terminal servers]

4-6 Does the organization require all external companies (e.g. suppliers and contractors) to sign a company non-disclosure agreement?
4-7 To what degree are these requirements adhered to?
4-8 Does the organization require all employees from external companies (e.g. suppliers and contractors) to sign a personal non-disclosure agreement before granting access?
4-9 To what degree are these requirements adhered to?
4-10 Have all modems in the production environment been removed? (i.e. modems connected directly to the production networks or to IT systems connected to the production networks)
4-11 [If NO in ISBR#4-10] Are all modems switched off or physically disconnected when not in use?
4-12 [If NO in ISBR#4-10] Are there any written plans for discontinuing these modems?

ISBR# 5 - Users of process control, safety, and support ICT systems shall be educated in the information security requirements and acceptable use of the ICT systems.

5-1 To what degree are there documented requirements for information security training for all employees in the production environment?
5-2 To what degree are newly hired personnel in the production environment being trained in information security?
5-3 To what degree is introduction training in information security also available for hired personnel and contractors?
5-4 To what degree are the employees in the production environment informed about information security through the company's intranet?
5-5 To what degree are the employees in the production environment informed about information security directly through the use of e-mail?
5-6 To what degree are the employees in the production environment informed about information security through general meetings?
5-7 To what degree are contractors' responsibilities for information security included in their contracts?

ISBR# 6 - Process control, safety, and support ICT systems shall be used for designated purposes only.

6-1 To what degree has acceptable use of each of the critical PCSS/ICT systems been documented?
6-2 To what degree are the critical PCSS/ICT systems utilized for their originally designated purpose only?
6-3 To what degree are the critical PCSS/ICT systems audited to ensure that only authorized and dedicated software is installed?

ISBR# 7 - Disaster recovery plans shall be documented and tested for critical process control, safety, and support ICT systems.

7-1 Does the company have a managed process for developing disaster recovery plans for all critical ICT systems in the production environment?
7-2 To what degree does the company have documented disaster recovery plans for every critical ICT system in the production environment?
7-3 Does the company have a managed process for maintaining and updating existing disaster recovery plans for the production environment?
7-4 To what degree have the disaster recovery plans been tested for all critical IT systems in the production environment during the last two years?

ISBR# 8 - Information security requirements for ICT components shall be integrated in the engineering, procurement, and commissioning processes.

8-1 Does the company have documented internal guidelines for including information security requirements in the engineering, procurement, and commissioning process for PCSS/ICT systems?
8-2 To what degree does the company currently specify information security requirements in all parts of the engineering, procurement, and commissioning process for PCSS/ICT systems?
8-3 To what degree are the implemented information security controls and measures in new PCSS/ICT systems documented by the supplier?
8-4 To what degree are the implemented information security controls and measures tested by the company before new PCSS/ICT systems are put into production?

ISBR# 9 - Critical process control, safety, and support ICT systems shall have defined and documented service and support levels.

9-1 Does the company have documented internal requirements for specifying the necessary level of lifetime service and support for critical PCSS/ICT systems?
9-2 To what degree has the necessary level of lifetime service and support for all of the currently installed critical PCSS/ICT systems been documented?
9-3 To what degree is this document maintained and kept updated?

ISBR# 10 - Change management and work permit procedures shall be followed for all connections to and changes in the process control, safety, and support ICT systems and networks.

10-1 To what degree have procedures for updating operating software and applications in PCSS/ICT systems been documented?
10-2 To what degree are these procedures adhered to?
10-3 To what degree have procedures for repair and replacement of defective or malfunctioning PCSS/ICT equipment been documented?
10-4 To what degree are these procedures adhered to?

10-5 Does the company have documented configuration and set-up requirements for suppliers' and third-parties' test equipment when temporarily connecting to the production network?
10-6 To what degree are these procedures adhered to?
10-7 Does the company have documented requirements that suppliers' and third-parties' ICT equipment shall be updated with the latest version of security programs such as anti-virus program and personal firewall before connecting to the production network?
10-8 Does the company have documented procedures on how suppliers and third-parties shall connect their ICT equipment to the production networks or to PCSS/ICT systems?
10-9 To what degree are these procedures adhered to?

ISBR# 11 - An updated network topology diagram including all system components and interfaces to other systems shall be provided.

11-1 Does the company have internal requirements for documenting and maintaining network maps, where all critical ICT components in the production environment are included?
11-2 To what degree have all networks and critical ICT components in the production environment been documented? [e.g. IP and MAC addresses, hardware configurations, physical location]
11-3 To what degree is this documentation maintained and kept updated?
11-4 To what degree have applications considered critical been documented?
11-5 To what degree is this documentation maintained and kept updated?
11-6 To what degree have the interfaces between the critical applications been documented?
11-7 To what degree does the company have updated documentation on the set-up and configurations of all critical ICT systems?

ISBR# 12 - Process control, safety, and support ICT systems shall be kept updated when connected to process control, safety, and support networks.

12-1 Does the company have documented requirements for updating software installed in critical PCSS/ICT systems when new security patches are released?
12-2 To what degree does the company have an updated overview of the version numbers and patch level for the operating software and applications installed on the PCSS/ICT systems in the production networks?
12-3 To what degree does the overview cover all ICT systems connected to the production networks?
12-4 Has the company appointed personnel with the responsibility of specifically following up on releases of software updates and patches?

12-5 To what degree are the PCSS/ICT systems updated with the latest security patches released by the software developer?

ISBR# 13 - Process control, safety, and support ICT systems shall have adequate, updated, and active protection against malicious software.

13-2 Does the company have internal requirements for protecting the PCSS/ICT systems against malicious code such as viruses, Trojan horses, and worms as well as activities such as unauthorised use and computer break-ins?
13-3 To what degree is anti-virus software installed on all critical PCSS/ICT systems in the production network?
13-4 To what degree is (personal) firewall software installed on all critical PCSS/ICT systems in the production network?
13-5 To what degree are PCSS/ICT systems in the production networks which are not protected against unauthorized activities and malicious code isolated in separate segments or installed behind other protective security measures?
13-6 To what degree are new versions of anti-virus and firewall software installed within a reasonable timeframe after they have been released?
13-7 To what degree are real-time systems that cannot have anti-virus and firewall software installed scanned manually to verify that they have not been infected?

ISBR# 14 - All access requests shall be denied unless explicitly granted.

14-1 Does the company have documented guidelines that require all access rights to PCSS/ICT systems to be on a need-to-use basis?
14-2 Does the company have documented guidelines that require all access rights to files and applications in the PCSS/ICT systems to be denied unless explicitly granted?
14-3 [If YES in ISBR#14-2] To what degree is every PCSS/ICT system configured to comply with this requirement?
14-4 To what degree do all external suppliers and third-party users have to be authorized on an event-by-event basis by the company to get access to the production networks (i.e. external users do not have permanent access rights to the production networks)?
14-5 To what degree are users logged on the company's office domains restricted from, or thoroughly controlled when, accessing the production networks?

ISBR# 15 - Required operational and maintenance procedures shall be documented and kept current.

15-1 Are there written requirements for documenting the operational routines for all critical PCSS/ICT systems?

15-2 To what degree is this requirement fulfilled for all new PCSS/ICT systems?
15-3 To what degree is this requirement fulfilled for all older PCSS/ICT systems?
15-4 To what degree is the documentation for the operational routines maintained and kept current?
15-5 Does the company have internal requirements for documenting operational procedures and maintenance routines for critical PCSS/ICT systems?
15-6 To what degree is this requirement fulfilled for all new PCSS/ICT systems?
15-7 To what degree is this requirement fulfilled for all older PCSS/ICT systems?
15-8 To what degree is the documentation for operational procedures and maintenance routines updated and kept current?
15-9 To what degree have all necessary operational procedures and routines for all critical applications in the production environment been documented?
15-10 Does the company have internal requirements for backing up data in critical PCSS/ICT systems?
15-11 To what degree are data and applications backed up regularly in all critical PCSS/ICT systems?
15-12 To what degree are the back-ups tested regularly for readability?

ISBR# 16 - Procedures for reporting of security events and incidents shall be documented and implemented in the organisation.

16-1 To what degree does the company have a managed and documented process for handling information security incidents?
16-2 To what degree has the company defined and documented what it considers as being information security incidents?
16-3 To what degree has the company documented how information security incidents most likely to happen shall be handled?
16-4 To what degree has the company developed documented guidelines on how information security incidents in the production environment shall be handled?
16-5 Has the company developed templates, intranet pages, or specific applications for the users to report information security incidents?
16-7 Does the company have documented requirements for the users to report information security incidents?
16-8 [If YES in ISBR#16-7] To what degree is this requirement fulfilled?
16-9 To what degree are reported information security incidents registered and followed up?
16-10 To what degree is local/regional top management informed when security incidents happen?

16-11 To what degree does local/regional top management receive regular reports on information security incidents (preferably monthly)?

Summary worksheet

Asset / Installation:
Date of interview:
Interviewee:
Interviewer:

ISBR# 1 - An Information Security Policy for process control, safety, and support ICT systems environments shall be documented. | Score: #DIV/0!
ISBR# 2 - Risk assessments shall be performed for process control, safety, and support ICT systems and networks. | Score: #DIV/0!
ISBR# 3 - Process control, safety, and support ICT systems shall have designated system and data owners. | Score: #DIV/0!
ISBR# 4 - The infrastructure shall be able to provide segregated networks, and all communication paths shall be controlled. | Score: #DIV/0!
ISBR# 5 - Users of process control, safety, and support ICT systems shall be educated in the information security requirements and acceptable use of the ICT systems. | Score: #DIV/0!
ISBR# 6 - Process control, safety, and support ICT systems shall be used for designated purposes only. | Score: #DIV/0!
ISBR# 7 - Disaster recovery plans shall be documented and tested for critical process control, safety, and support ICT systems. | Score: #DIV/0!
ISBR# 8 - Information security requirements for ICT components shall be integrated in the engineering, procurement, and commissioning processes. | Score: #DIV/0!
ISBR# 9 - Critical process control, safety, and support ICT systems shall have defined and documented service and support levels. | Score: #DIV/0!
ISBR# 10 - Work permit procedures (change management) shall be followed for all connections to and changes in the process control, safety, and support ICT systems and networks. | Score: #DIV/0!
ISBR# 11 - An updated network topology diagram including all system components and interfaces to other systems shall be provided. | Score: #DIV/0!
ISBR# 12 - Process control, safety, and support ICT systems shall be kept updated when connected to process control, safety, and support networks. | Score: #DIV/0!
ISBR# 13 - Process control, safety, and support ICT systems shall have adequate, updated, and active protection against malicious software. | Score: #DIV/0!
ISBR# 14 - All access requests shall be denied unless explicitly granted. | Score: #DIV/0!
ISBR# 15 - Required operational and maintenance procedures shall be documented and kept current. | Score: #DIV/0!
ISBR# 16 - Procedures for reporting of security events and incidents shall be documented and implemented in the organisation. | Score: #DIV/0!


Answer scale for "To what degree" questions (answer, score, degree of fulfilment):

Not at all: 0 (0-5%)
To a lesser degree: 1 (6-35%)
To some degree: 2 (36-65%)
To a large degree: 3 (66-95%)
Totally, Completely, Fully: 4 (96-100%)
Not applicable: N/A

Answer scale for Yes/No questions (answer, score, degree of fulfilment):

No: 0 (0%)
Yes: 4 (100%)