8/13/2019 104 - Self Assessment ISBR
http://slidepdf.com/reader/full/104-self-assessment-isbr 1/41
Information Security Baseline Requirements for Process Control, Safety, and Support ICT Systems
Self Assessment
Ver. 1.2
© 2007 Norwegian Oil and Gas Association
This is a self-assessment tool for verifying the company's degree of compliance with the Norwegian Oil and Gas Information Security Baseline Requirements (ISBR). The tool (ISBR/SA) was produced to help the companies in assessing the security level of the ICT equipment in the production environment (Process Control, Safety, and Support ICT Systems - PCSS/ICT), and it is not meant as a tool for external reporting. The ISBR/SA is intended for internal use only. How the tool should be utilized is entirely up to the company, but the idea behind this was not to distribute it internally and then collect the answers. The spreadsheet was made for
The summary worksheet can be used for communicating the final results without unveiling the underlying answers.
Answering all of the questions asked for an ISBR is not required in order to get a score. For this reason Not Applicable is not added for Yes/No questions. If a question is not considered relevant, just leave it unanswered.
ISBR# 1 - An Information Security Policy for process control, safety, and support ICT systems environments shall be documented.
1-1 Does the company have an information security policy document specifically developed for the PCSS/ICT systems in the production environments?
1-2 [If NO in ISBR#1-1] Does the company have a global or corporate information security policy which also encompasses the production environment?
1-3 Has the information security policy been signed by local/regional top management?
1-4 Has the information security policy been written or revised during the last three years?
1-5 To what degree is the information security policy enforced in all of the company's production environments?
1-6 To what degree is management active in promoting and enforcing the information security policy?
1-7 To what degree are the employees and contractors in the production environment informed of and familiar with the information security policy?
1-8 To what degree do all the employees and contractors in the production environment abide by the information security policy?
1-9 To what degree have information security instructions and/or guidelines been developed for the production environments?
1-10 To what degree are the information security instructions and guidelines revised and updated on a regular basis?
1-11 To what degree do all the employees and contractors in the production environment abide by the information security instructions/guidelines?
ISBR# 2 - Risk assessments shall be performed for process control, safety, and support ICT systems and networks.
2-1 Does the company have documented requirements to perform risk assessments regularly for all critical PCSS/ICT systems in the production environments?
2-2 Does the company have a documented framework or methodology for risk assessment that can be utilized for information security in the production environments?
2-3 To what degree have information security risk assessments been performed for all critical PCSS/ICT systems during the last year?
2-4 To what degree has top management defined which risks are unacceptable?
2-5 To what degree are uncovered severe information security risks handled immediately?
2-6 Does the company have a dedicated system for registering information security risks?
2-7 To what degree are all uncovered information security risks registered?
2-8 To what degree are all registered risks followed up and responded to within a reasonable timeframe?
ISBR# 3 - Process control, safety, and support ICT systems shall have designated system and data owners.
3-1 To what degree has the company defined, identified, and documented which ICT systems in the production environment are considered critical?
3-2 Are there internal requirements for appointing system owners for critical ICT systems in the production environment?
3-3 To what degree are system owners actually appointed for all critical ICT systems in the production environment?
3-4 Does the company have a documented overview (list or database) of personnel appointed as system owners?
3-5 To what degree is this overview complete and updated?
3-6 Does the company have documentation that describes the authorities and responsibilities of the role as system owner?
3-7 To what degree are all system owners aware of their authorities and responsibilities?
3-8 Are there internal requirements for appointing data/information owners for critical data?
3-9 To what degree are data owners actually appointed for all critical data?
3-10 Does the company have documentation that describes the authorities and responsibilities of the role as data owner?
3-11 To what degree are all data owners aware of their authorities and responsibilities?
ISBR# 4 - The infrastructure shall be able to provide segregated networks, and all communication paths shall be controlled.
4-1 Are there internal documented requirements for segregating the production networks from the administrative networks?
4-2 To what degree are the production networks actually segregated from the administrative networks? (e.g. by installing tightly configured firewalls between the networks)
4-3 To what degree is it currently possible to further segregate the networks in the production environment if needed? (i.e. with the technology and the IT infrastructure that the company has today)
4-4 To what degree does all internal data communication between the production networks and the administrative networks go through controlled gateways? [e.g. firewalls, filtering routers]
4-5 To what degree does all external data communication between the production networks and the suppliers go through controlled gateways? [e.g. firewalls, terminal servers]
4-6 Does the organization require all external companies (e.g. suppliers and contractors) to sign a company non-disclosure agreement?
4-7 To what degree are these requirements adhered to?
4-8 Does the organization require all employees from external companies (e.g. suppliers and contractors) to sign a personal non-disclosure agreement before granting access?
4-9 To what degree are these requirements adhered to?
4-10 Have all modems in the production environment been removed? (i.e. modems connected directly to the production networks or to IT systems connected to the production networks)
4-11 [If NO in ISBR#4-10] Are all modems switched off or physically disconnected when not in use?
4-12 [If NO in ISBR#4-10] Are there any written plans for discontinuing these modems?
ISBR# 5 - Users of process control, safety, and support ICT systems shall be educated in the information security requirements and acceptable use of the ICT systems.
5-1 To what degree are there documented requirements for information security training for all employees in the production environment?
5-2 To what degree are newly hired personnel in the production environment being trained in information security?
5-3 To what degree is introduction training in information security also available for hired personnel and contractors?
5-4 To what degree are the employees in the production environment informed about information security through the company's intranet?
5-5 To what degree are the employees in the production environment informed about information security directly through the use of e-mail?
5-6 To what degree are the employees in the production environment informed about information security through general meetings?
5-7 To what degree are contractors' responsibilities for information security included in their contracts?
ISBR# 6 - Process control, safety, and support ICT systems shall be used for designated purposes only.
6-1 To what degree has acceptable use of each of the critical PCSS/ICT systems been documented?
6-2 To what degree are the critical PCSS/ICT systems utilized for their originally designated purpose only?
6-3 To what degree are the critical PCSS/ICT systems audited to ensure that only authorized and dedicated software is installed?
ISBR# 7 - Disaster recovery plans shall be documented and tested for critical process control, safety, and support ICT systems.
7-1 Does the company have a managed process for developing disaster recovery plans for all critical ICT systems in the production environment?
7-2 To what degree does the company have documented disaster recovery plans for every critical ICT system in the production environment?
7-3 Does the company have a managed process for maintaining and updating existing disaster recovery plans for the production environment?
7-4 To what degree have the disaster recovery plans been tested for all critical IT systems in the production environment during the last two years?
ISBR# 8 - Information security requirements for ICT components shall be integrated in the engineering, procurement, and commissioning processes.
8-1 Does the company have documented internal guidelines for including information security requirements in the engineering, procurement, and commissioning process for PCSS/ICT systems?
8-2 To what degree does the company currently specify information security requirements in all parts of the engineering, procurement, and commissioning process for PCSS/ICT systems?
8-3 To what degree are the implemented information security controls and measures in new PCSS/ICT systems documented by the supplier?
8-4 To what degree are the implemented information security controls and measures tested by the company before new PCSS/ICT systems are put into production?
ISBR# 9 - Critical process control, safety, and support ICT systems shall have defined and documented service and support levels.
9-1 Does the company have documented internal requirements for specifying the necessary level of lifetime service and support for critical PCSS/ICT systems?
9-2 To what degree has the necessary level of lifetime service and support for all of the currently installed critical PCSS/ICT systems been documented?
9-3 To what degree is this document maintained and kept updated?
ISBR# 10 - Change management and work permit procedures shall be followed for all connections to and changes in the process control, safety, and support ICT systems and networks.
10-1 To what degree have procedures for updating operating software and applications in PCSS/ICT systems been documented?
10-2 To what degree are these procedures adhered to?
10-3 To what degree have procedures for repair and replacement of defective or malfunctioning PCSS/ICT equipment been documented?
10-4 To what degree are these procedures adhered to?
10-5 Does the company have documented configuration and set-up requirements for suppliers' and third parties' test equipment when temporarily connecting to the production network?
10-6 To what degree are these procedures adhered to?
10-7 Does the company have documented requirements that suppliers' and third parties' ICT equipment shall be updated with the latest version of security programs such as anti-virus programs and personal firewalls before connecting to the production network?
10-8 Does the company have documented procedures on how suppliers and third parties shall connect their ICT equipment to the production networks or to PCSS/ICT systems?
10-9 To what degree are these procedures adhered to?
ISBR# 11 - An updated network topology diagram including all system components and interfaces to other systems shall be provided.
11-1 Does the company have internal requirements for documenting and maintaining network maps, where all critical ICT components in the production environment are included?
11-2 To what degree have all networks and critical ICT components in the production environment been documented? [e.g. IP and MAC addresses, hardware configurations, physical location]
11-3 To what degree is this documentation maintained and kept updated?
11-4 To what degree have applications considered critical been documented?
11-5 To what degree is this documentation maintained and kept updated?
11-6 To what degree have the interfaces between the critical applications been documented?
11-7 To what degree does the company have updated documentation on the set-up and configurations of all critical ICT systems?
ISBR# 12 - Process control, safety, and support ICT systems shall be kept updated when connected to process control, safety, and support networks.
12-1 Does the company have documented requirements for updating software installed in critical PCSS/ICT systems when new security patches are released?
12-2 To what degree does the company have an updated overview of the version numbers and patch level for the operating software and applications installed on the PCSS/ICT systems in the production networks?
12-3 To what degree does the overview cover all ICT systems connected to the production networks?
12-4 Has the company appointed personnel with the responsibility of specifically following up on releases of software updates and patches?
12-5 To what degree are the PCSS/ICT systems updated with the latest security patches released by the software developer?
ISBR# 13 - Process control, safety, and support ICT systems shall have adequate, updated, and active protection against malicious software.
13-2 Does the company have internal requirements for protecting the PCSS/ICT systems against malicious code such as viruses, Trojan horses, and worms as well as activities such as unauthorised use and computer break-ins?
13-3 To what degree is anti-virus software installed on all critical PCSS/ICT systems in the production network?
13-4 To what degree is (personal) firewall software installed on all critical PCSS/ICT systems in the production network?
13-5 To what degree are PCSS/ICT systems in the production networks which are not protected against unauthorized activities and malicious code isolated in separate segments or installed behind other protective security measures?
13-6 To what degree are new versions of anti-virus and firewall software installed within a reasonable timeframe after they have been released?
13-7 To what degree are real-time systems that cannot have anti-virus and firewall software installed scanned manually to verify that they have not been infected?
ISBR# 14 - All access requests shall be denied unless explicitly granted.
14-1 Does the company have documented guidelines that require all access rights to PCSS/ICT systems to be on a need-to-use basis?
14-2 Does the company have documented guidelines that require all access rights to files and applications in the PCSS/ICT systems to be denied unless explicitly granted?
14-3 [If YES in ISBR#14-2] To what degree is every PCSS/ICT system configured to comply with this requirement?
14-4 To what degree do all external suppliers and third-party users have to be authorized on an event-by-event basis by the company to get access to the production networks (i.e. external users do not have permanent access rights to the production networks)?
14-5 To what degree are users logged on to the company's office domains restricted from, or thoroughly controlled when, accessing the production networks?
ISBR# 15 - Required operational and maintenance procedures shall be documented and kept current.
15-1 Are there written requirements for documenting the operational routines for all critical PCSS/ICT systems?
15-2 To what degree is this requirement fulfilled for all new PCSS/ICT systems?
15-3 To what degree is this requirement fulfilled for all older PCSS/ICT systems?
15-4 To what degree is the documentation for the operational routines maintained and kept current?
15-5 Does the company have internal requirements for documenting operational procedures and maintenance routines for critical PCSS/ICT systems?
15-6 To what degree is this requirement fulfilled for all new PCSS/ICT systems?
15-7 To what degree is this requirement fulfilled for all older PCSS/ICT systems?
15-8 To what degree is the documentation for operational procedures and maintenance routines updated and kept current?
15-9 To what degree have all necessary operational procedures and routines for all critical applications in the production environment been documented?
15-10 Does the company have internal requirements for backing up data in critical PCSS/ICT systems?
15-11 To what degree are data and applications backed up regularly in all critical PCSS/ICT systems?
15-12 To what degree are the back-ups tested regularly for readability?
ISBR# 16 - Procedures for reporting of security events and incidents shall be documented and implemented in the organisation.
16-1 To what degree does the company have a managed and documented process for handling information security incidents?
16-2 To what degree has the company defined and documented what it considers as being information security incidents?
16-3 To what degree has the company documented how the information security incidents most likely to happen shall be handled?
16-4 To what degree has the company developed documented guidelines on how information security incidents in the production environment shall be handled?
16-5 Has the company developed templates, intranet pages, or specific applications for the users to report information security incidents?
16-7 Does the company have documented requirements for the users to report information security incidents?
16-8 [If YES in ISBR#16-7] To what degree is this requirement fulfilled?
16-9 To what degree are reported information security incidents registered and followed up?
16-10 To what degree is local/regional top management informed when security incidents happen?
16-11 To what degree does local/regional top management receive regular reports on information security incidents (preferably monthly)?
Asset / Installation:
Date of interview:
Interviewee:
Interviewer:
Summary worksheet: the sixteen ISBRs with their Score cells (in this blank copy every Score cell shows the spreadsheet error #DIV/0!, since no questions have been answered).
ISBR# 1 - An Information Security Policy for process control, safety, and support ICT systems environments shall be documented. [Score: #DIV/0!]
ISBR# 2 - Risk assessments shall be performed for process control, safety, and support ICT systems and networks. [Score: #DIV/0!]
ISBR# 3 - Process control, safety, and support ICT systems shall have designated system and data owners. [Score: #DIV/0!]
ISBR# 4 - The infrastructure shall be able to provide segregated networks, and all communication paths shall be controlled. [Score: #DIV/0!]
ISBR# 5 - Users of process control, safety, and support ICT systems shall be educated in the information security requirements and acceptable use of the ICT systems. [Score: #DIV/0!]
ISBR# 6 - Process control, safety, and support ICT systems shall be used for designated purposes only. [Score: #DIV/0!]
ISBR# 7 - Disaster recovery plans shall be documented and tested for critical process control, safety, and support ICT systems. [Score: #DIV/0!]
ISBR# 8 - Information security requirements for ICT components shall be integrated in the engineering, procurement, and commissioning processes. [Score: #DIV/0!]
ISBR# 9 - Critical process control, safety, and support ICT systems shall have defined and documented service and support levels. [Score: #DIV/0!]
ISBR# 10 - Work permit procedures (change management) shall be followed for all connections to and changes in the process control, safety, and support ICT systems and networks. [Score: #DIV/0!]
ISBR# 11 - An updated network topology diagram including all system components and interfaces to other systems shall be provided. [Score: #DIV/0!]
ISBR# 12 - Process control, safety, and support ICT systems shall be kept updated when connected to process control, safety, and support networks. [Score: #DIV/0!]
ISBR# 13 - Process control, safety, and support ICT systems shall have adequate, updated, and active protection against malicious software. [Score: #DIV/0!]
ISBR# 14 - All access requests shall be denied unless explicitly granted. [Score: #DIV/0!]
ISBR# 15 - Required operational and maintenance procedures shall be documented and kept current. [Score: #DIV/0!]
ISBR# 16 - Procedures for reporting of security events and incidents shall be documented and implemented in the organisation. [Score: #DIV/0!]
Scoring scale (answer, points, corresponding degree of compliance)
Degree questions:
Not at all: 0 (0-5%)
To a lesser degree: 1 (6-35%)
To some degree: 2 (36-65%)
To a large degree: 3 (66-95%)
Totally, Completely, Fully: 4 (96-100%)
Not applicable: N/A
Yes/No questions:
No: 0 (0%)
Yes: 4 (100%)