mark e.s.bernard @sans20 #nerc-cip #pci-dss compared to #iso27001:2013

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by; Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Upload: mark-edward-stirling-bernard

Post on 22-Jan-2015


Category: Technology


TRANSCRIPT

1. Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

2. Agenda:
- Overview of SANS CSC 20, NERC-CIP & PCI-DSS
- SANS CSC 20 SWOT Analysis
- ISO 27001:2013 ISMS SWOT Analysis
- Integrating ISMS with SANS CSC 20, NERC-CIP & PCI-DSS

3. (no transcribed text)

4. The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works": security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness. Standardization and automation are another top priority, to gain operational efficiencies while also improving effectiveness. The US State Department has previously demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.

5. SANS determined the following: the majority of respondents (73%) are aware of the CSCs and have adopted or are planning to adopt them, a further 15% are aware of the Controls, and only 12% had not heard of the Controls before the survey. The respondents' primary driver for Controls adoption is the desire to improve enterprise visibility and reduce security incidents. Operational silos within the IT security organization and between IT and other business departments are still the greatest impediment to implementing repeatable processes based on the Controls. Only 10% of respondents feel they have done a complete job of implementing all of the Controls that apply to their organizations.

6. The SANS CSC Top 20 are procedure based:
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises

7. SANS 20 (procedure based, the list on slide 6) compared with the ISO 27001:2013 Annex A domains (control point based):
A5. Management direction for information security
A6. Organisation of information security
A7. Human Resource security
A8. Asset Management
A9. Access control
A10. Cryptography
A11. Physical and Environmental security
A12. Operations Security
A13. Communications Security
A14. System acquisition, Development and Maintenance
A15. Supplier Relationships
A16. Information Security Incident Management
A17. Information Security Aspects of Business Continuity Management
A18. Compliance

8. (no transcribed text)

9. The original guidelines addressing cyber security in the energy infrastructure are known as NERC 1200 UAS. This standard was passed in 2003, in response to the Homeland Security Act of 2002. It was designed to reduce the overall vulnerability of bulk electric systems to cyber threats. However, NERC 1200 was considered only a temporary fix to the problem. NERC 1300 was subsequently introduced because there was still no consensus on a final set of standards, and it was still another year before the NERC Critical Infrastructure Protection (CIP) cyber security standards were passed. NERC CIP spells out an auditable guide covering a variety of areas related to cyber security.

10. The ERO's key programs, which impact more than 1,900 Bulk-Power System owners and operators, are based on four pillars of continued success:
- Reliability: to address events and identifiable risks, thereby improving the reliability of the Bulk-Power System.
- Assurance: to provide assurance to the public, industry and government for the reliable performance of the Bulk-Power System.
- Learning: to promote learning and continuous improvement of operations and adapt to lessons learned for improvement of Bulk-Power System reliability.
- Risk-Based Approach: to focus attention, resources and actions on issues most important to Bulk-Power System reliability.

11. The reliability councils within the Eastern Interconnection are: Florida Reliability Coordinating Council (FRCC); Midwest Reliability Organization (MRO); Northeast Power Coordinating Council (NPCC); Reliability First Corporation (RFC); SERC Reliability Corporation (SERC); Southwest Power Pool, Inc. (SPP). The reliability council for the Texas Interconnection is the Electric Reliability Council of Texas (ERCOT). The reliability council for the Québec Interconnection is the Northeast Power Coordinating Council (NPCC). The reliability council for the Alaska Interconnection is the Alaska Systems Coordinating Council (ASCC), an affiliate member of NERC.

12. (no transcribed text)

13. There are nine separate CIP cyber security standards that NERC has passed. Each standard sets out details concerning who the responsible party is, what the requirements are, and what constitutes different levels of non-compliance:
CIP-001 Sabotage Reporting
CIP-002 Critical Cyber Assets
CIP-003 Security Management Controls
CIP-004 Personnel & Training
CIP-005 Electronic Security
CIP-006 Physical Security of Critical Cyber Assets
CIP-007 Systems Security Management
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets

14. NERC CIP Standards (procedure based, the CIP-001 to CIP-009 list on slide 13) compared with the ISO 27001:2013 Annex A domains (control point based, the A5 to A18 list on slide 7).

15. SANS 20 (procedure based, the list on slide 6) compared with the ISO 27001:2013 Annex A domains (control point based, the A5 to A18 list on slide 7).

16. (no transcribed text)

17. The Council's five founding global payment brands, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council. The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

18. (no transcribed text)

19. SANS CSC 20 and PCI-DSS are US-based approaches that will help US organizations address cyber security risks. Based on a small set of procedures, SANS CSC 20 should be easy to implement and get up and running quickly. The SANS CSC Top 20 is procedure based and should be easy to teach and monitor for knowledge transfer within most organizations. The SANS CSC Top 20 was created at a high level and is flexible enough to fit the organization's needs; only what fits need be selected and audited against. The SANS CSC Top 20 is a small series of procedures applicable to most organizations.

20. SANS CSC 20 is not internationally accepted and thus is not positioned to raise the bar on information security on a global scale. SANS CSC 20 is based on a small demographic of security professionals as opposed to an international body, which limits its footprint and potential for application outside the United States. SANS CSC 20 is not scalable and thus limited to large organizations that have the resources and budget to carry it; small businesses will find it difficult to scale to their limited resources and budgets. Being process based limits its flexibility; only the control points that fit the organization need to be selected and audited against. SANS CSC 20 is not independently registered/certified or audited by independent security professionals, limiting its verification and validation and further impacting the trust factor.

21. There is a lot of room to expand the standard framework from a procedure-based standard to a more flexible control-point framework. Once SANS CSC Top 20 has been established and matures, organizations can improve its integration with existing security or data protection procedures, improving its effectiveness and efficiency. If all US-based businesses adopted the same approach there would be fewer risks and potential liabilities, and lower insurance costs. If SANS CSC Top 20 could help standardize security practices it would also help control costs, while improving relationships with trading partners, shareholders and consumers. This would contribute to revenue, growth and the bottom line.

22. Despite a solid effort, the standard is without the all-important management system, and this will become a problem following its implementation: it will be a bumpy ride and the standard will become outdated quickly. The cost of implementation and maintenance will be high; despite the fact that it is a good standard, it is completely customized and does not seem to fit with any other frameworks. There is a lot of misinformation concerning the level of effort and documentation required to adopt SANS CSC Top 20; just how much it will cost and how long it will take is a huge unknown. Many organizations do not understand information security and will be very reluctant to adopt a prescriptive series of security standards without knowing the cost or impact to their respective organizations. Several countries are continuing to develop their own cyber security standards, and some, like ISO 27001 ISMS, are far ahead in terms of maturity.

23. (no transcribed text)

24. Internationally accepted, ISO 27001 is best positioned to raise the bar on information security on a global scale, which benefits all of us. Based on best practices, it helps establish a solid footing for future security hardening. Being scalable makes it fit small or big organizations, with one office or one thousand. Being control-point based adds to the flexibility: only the control points that fit the organization need to be selected and audited against. Being independently audited by independent security professionals adds to the level of verification and validation, further enhancing the trust factor.

25. Awareness is very low in North America. Worldwide adoption is up 12%; the majority is in Asia and now in the UK. Lots of misinformation concerning adoption costs creates hesitation by executives and boards of directors. Lots of misinformation concerning potential impact to organizational culture creates hesitation by executives and boards of directors. Lots of misinformation concerning adoption effort in terms of man hours, documentation and competency creates hesitation by executives and boards of directors. ISO 27001 ISMS is a benchmark that has been widely accepted; however, it needs to be adapted to the industry, organization and culture before it can mature into a

26. There is a lot of room to expand the standard framework when considering the fact that information transcends technology. Once the information security management system has been established, organizations can adopt any security or data protection standard due to the flexible approach of the ISMS framework. If all international businesses adopted the same approach there would be fewer risks and potential liabilities and insurance costs associated with information handling. Standardizing security practices helps control costs while improving relationships with trading partners, shareholders and consumers. This would contribute to revenue, growth and the bottom line.

27. Despite a solid auditable standard and a standard operating procedure to guide ISO 27001 auditors, the minimum acceptable level of control varies between registrars. Registrars are allowed to play both the role of the auditor and implementation consultant, creating a conflict of interest. There is lots of misinformation concerning the level of effort and documentation required to become registered/certified. Many organizations continue to not fully understand that ISO 27001 is a starting point, a benchmark, and not the final solution. Several countries are continuing to develop their own versions of ISO 27001 ISMS, avoiding the inevitable assimilation. The irony is that most of them are copying ISO 27001 and reproducing it with a different label, adding to confusion and to the disjointed global approach necessary for GDP and foreign trade.

28. (no transcribed text)

29. When it comes to management systems, SANS CSC 20, NERC-CIP and PCI DSS have not integrated the concept of a management system. This section of ISO/IEC 27001:2013 is so important that it is considered mandatory for successful adoption and registration/certification. 148 control points have been documented within clauses 4 to 10.

30. When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A5 to A7, PCI DSS has the most significant gaps, in Security Organization and Human Resources, while SANS CSC 20 was weak on Management and NERC-CIP was weak on Organization of Information Security.

31. When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A8 to A10, NERC-CIP has the most significant gaps, in Access Control and Cryptography, while SANS CSC 20 was weak on Cryptography. All three were OK with Asset Management.

32. When it comes to the ISO/IEC 27001:2013 ISMS Annex A domains, SANS CSC 20, NERC-CIP and PCI DSS are the strongest in the domains of operations, communications, and system acquisition, development and maintenance.

33. When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A15 to A18, PCI DSS is the weakest, with gaps in incident management, business continuity and compliance. SANS CSC 20 and NERC-CIP are close behind, both with gaps in Supplier Relationships and Compliance Management.

34. to 38. (no transcribed text)

39. The statement of applicability (SoA) is created following a risk assessment against organizational assets that are in scope for protection from threats and vulnerabilities leading to loss of confidentiality, integrity and availability. Internal and external audits are facilitated against the SoA. The flexibility of the ISMS allows additional security control decks to be added, such as SANS CSC 20, if they can be justified.
The framework also streamlines any overlapping controls, minimizing or eliminating costly overlaps while improving the effectiveness and efficiency of the ISMS.

40. Similarly, Service Level Agreements could be established between the business unit or line of business seeking ISO 27001 registration/certification and external parties such as cloud computing services, vendors and suppliers.

41. A risk assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.

42. Risk Treatment Plans are defined by Corrective Action plans and Preventive Action plans. The RTP is basically a rolled-up dashboard utilized for tracking and monitoring CAPA by the ISMS Governance Committee.

43. Some risks are shared with external vendors and suppliers. These risks are recorded within the following risk registry, monitored with service providers during service management meetings, and reported back to the ISMS Governance Committee.

44. Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Registry. Within the columns, a threshold can be added to the 1 to 5 impact scale for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.

45. Risks associated with compliance with statutes, regulations and contractual obligations that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Registry. Within the columns, a threshold can be added to the 1 to 5 impact scale for clarity.

46. Risks associated with operations are the most common risks that external parties can positively or negatively impact. Those that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Registry. Within the columns, a threshold can be added to the 1 to 5 impact scale for clarity.

47. Within the Statement of Applicability we select and design controls that mitigate or eliminate risk. Each control selected addresses a specific risk angle or trigger point. These controls are listed within the SoA. Six specific asset categories have been created, each sharing common vulnerabilities. This extends the capability of the ISMS to effectively and efficiently mitigate risk by applying controls in critical areas within the organizational workflow that mitigate risks to one or more assets.

48. Enterprise Security Architecture was created following the natural order in which organizations are structured.

49. The Information Security Management System program provides a single point of contact and leadership for Enterprise Security based on strategic organizational goals and objectives. The ESMS brings together physical security with information security in support of Business Architecture, guided by organizational Governance and Risk Management.
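The risk registry and RTP roll-up described on slides 42 to 46 (impact scored 1 to 5 against a per-row threshold, open/ongoing versus mitigated/closed status, risks shared with an external party, and CAPA items tracked for the ISMS Governance Committee) can be modelled in a few lines. The following is an added illustration, not code from the deck or its author; the field names, the escalation rule "impact at or above threshold" and the sample rows are assumptions.

```python
"""Minimal ISMS risk register and Risk Treatment Plan (RTP) roll-up.

Added illustration (not from the deck). Field names, the escalation rule
and the sample rows below are assumptions made for this example.
"""
from dataclasses import dataclass, field

IMPACT_SCALE = range(1, 6)  # the 1 to 5 impact scale named on the slides


@dataclass
class Action:
    kind: str          # "corrective" or "preventive" (the CAPA item type)
    owner: str
    closed: bool = False


@dataclass
class Risk:
    risk_id: str
    category: str      # strategic, credit, market, financial, compliance, operations
    description: str
    impact: int        # 1 (negligible) to 5 (severe)
    threshold: int     # impact at or above which the row is escalated (assumed rule)
    status: str = "open"           # "open" (ongoing) or "closed" (mitigated)
    shared_external: bool = False  # reviewed with a vendor or supplier?
    actions: list = field(default_factory=list)

    def __post_init__(self):
        if self.impact not in IMPACT_SCALE or self.threshold not in IMPACT_SCALE:
            raise ValueError("impact and threshold must be on the 1 to 5 scale")
        if self.status not in ("open", "closed"):
            raise ValueError("status must be 'open' or 'closed'")


def escalated(register):
    """IDs of open risks whose impact meets or exceeds the row's threshold."""
    return [r.risk_id for r in register if r.status == "open" and r.impact >= r.threshold]


def rtp_dashboard(register):
    """Roll the register up per category: open risks, open and closed CAPA items."""
    board = {}
    for r in register:
        row = board.setdefault(r.category, {"open_risks": 0, "open_capa": 0, "closed_capa": 0})
        if r.status == "open":
            row["open_risks"] += 1
        for a in r.actions:
            row["closed_capa" if a.closed else "open_capa"] += 1
    return board


def external_view(register):
    """Rows fit for a service-management meeting with the external party:
    shared compliance/operations risks only, never the internal strategic ones."""
    return [r.risk_id for r in register
            if r.shared_external and r.category in ("operations", "compliance")]


# Constructed sample register (illustrative values only).
SAMPLE = [
    Risk("R-01", "operations", "Backup restore untested at hosting provider", 4, 3,
         shared_external=True,
         actions=[Action("corrective", "hosting vendor"),
                  Action("preventive", "ops lead", closed=True)]),
    Risk("R-02", "compliance", "Contract lacks breach-notification clause", 3, 3,
         shared_external=True, actions=[Action("corrective", "legal")]),
    Risk("R-03", "strategic", "Single-supplier dependency", 5, 4, shared_external=True),
    Risk("R-04", "operations", "Patch window exceeded last quarter", 2, 3,
         status="closed", actions=[Action("corrective", "ops lead", closed=True)]),
]
```

Note that R-03 is flagged as shared but is still excluded from the external view because strategic risks stay internal, as slide 44 states.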
50. ESMS examples, subjects of interest: Access Control; Active Shooter; Asset Protection and Management; Background Screening/Due Diligence; Bomb Threats; CCTV; Compliance Management; Corruption/Ethics; Crime Prevention; Cryptography; Data/Information Security; Data Privacy; Disaster/Crisis Management; Environmental; Executive Protection/Personnel Security; Facilities (General); Health and Safety; Incident Management; Investigations; Mail Security; Pandemics; Physical Security (General); Quality Management; Risk Management; Risk/Vulnerability Assessment and Site Surveys; Security Personnel/Duties; Security Planning and Management; Sexual Harassment/Discrimination; Social Media; Social Engineering; Supply Chain; Strikes/Demonstrations/Unrest; Substance Abuse; Telecommunications; Travel; Utilities; Vehicles and Vehicle Operation; Visitors; Water; Workplace Violence. ESMS examples, applicable industries: Agriculture; Aviation; Banking; Chemical; Cities; Distribution Centers; Educational Institutions; Energy Industry; Factories; FDIC; Government; Healthcare; Industrial Sites; Insurance; Mass Transit; Manufacturing; Media; Oil and Gas/Energy; Seaports; Stadiums and Arenas; Telecommunications; Technology; Theme Parks; Universities.

51. SANS CSC 20, NERC-CIP & PCI-DSS are all good standards, but they still do not meet the minimum security requirements defined by ISO 27001:2013. Organizations should consider adopting one information security framework that would address all security requirements. This sustainable approach would control costs while improving business resilience and agility.

52. For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard