Download:
pdf |
pdfCyber IST Questions
Cyber IST Questions
January 2014
Version 1.1.10 (01-09-14)
U.S. Department of Homeland Security
1
�This page is intentionally left blank
�OMB Control Number: 1670-NEW
Expiration Date: XX/XX/XXXX
Privacy Act Statement:
Authority: 44 U.S.C. § 3101 and 44 U.S.C. § 3534 authorize the collection of this information.
Purpose: DHS will use this information to create and manage your user account and grant access to the Infrastructure Protection (IP) Gateway.
Routine Use: This information may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974. This includes using the
information, as necessary and authorized by the routine uses published in DHS/ALL-004 - General Information Technology Access Account Records System
(GITAARS) November 27, 2012, 77 Fed. Reg. 70,792.
Disclosure: Furnishing this information is voluntary; however failure to provide the information requested may delay or prevent DHS from processing your
access request.
Paperwork Reduction Act: The public reporting burden to complete this information collection is estimated at 7.5 hours per response, including the time for
reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and the completing and reviewing the collected
information. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a currently valid
OMB control number and expiration date. Send comments regarding this burden estimate or any other aspect of this collection of information, including
suggestions for reducing this burden to DHS/NPPD/IICD, Kimberly Sass, [email protected] ATTN: PRA [OMB Control Number 1670-New].
�This page is intentionally left blank
�Cyber IST Questions
Contents
Contents ........................................................................................................................................................ 2
Document History ......................................................................................................................................... 3
1.0
Background Information ................................................................................................................... 4
1.1
Cyber Service Point of Contact and Visit Participants ................................................................. 4
1.2
Service Contact that Should Receive Primary Access to the Cyber Survey Dashboard ............... 4
1.2
Other Service Contacts, Assessment Participants ......................................................................... 4
2.0
General Information .......................................................................................................................... 7
2.1
What is a Critical Cyber Service? ................................................................................................. 7
2.2
Comments and Briefing Notes ...................................................................................................... 7
2.3
General Cyber Service Description (For Information Only) ........................................................ 9
3.0
Cyber Security Management (LEVEL ONE) .................................................................................. 14
3.1
Cyber Security Leadership (LEVEL TWO) ............................................................................... 14
3.2
Cyber Service Architecture (LEVEL TWO)............................................................................... 16
3.3
Change Management (LEVEL TWO) ........................................................................................ 20
3.4
Lifecycle Tracking (LEVEL TWO) ............................................................................................ 23
3.5
Accreditation and Assessment (LEVEL TWO) .......................................................................... 25
3.6
Cyber Security Plan (LEVEL TWO) .......................................................................................... 29
3.7
Cyber Security Exercises (LEVEL TWO) .................................................................................. 33
3.8
Information Sharing (LEVEL TWO) .......................................................................................... 35
4
Cyber Security Forces (LEVEL ONE) ............................................................................................ 40
4.1
Personnel (LEVEL TWO) .......................................................................................................... 40
4.2
Cyber Security Training (LEVEL TWO) ................................................................................... 43
5
Cyber Security Controls (LEVEL ONE) ......................................................................................... 46
5.1
Identification, Authentication, and Authorization Controls (LEVEL TWO) ............................. 46
5.2
Access Controls (Level Two) ..................................................................................................... 49
5.3
Cyber Security Measures (LEVEL TWO) .................................................................................. 53
5.4
Information Protection (LEVEL TWO) ...................................................................................... 57
5.5
User Training (LEVEL TWO) .................................................................................................... 60
5.6
Defense Sophistication and Compensating Controls (LEVEL TWO) ........................................ 62
6.0
Incident Response (LEVEL ONE) .................................................................................................. 64
6.1
Incident Response Measures (LEVEL TWO)............................................................................. 64
6.2
Alternate Site and Disaster Recovery (LEVEL TWO) ............................................................... 67
7.0
Dependencies (LEVEL ONE) ......................................................................................................... 70
7.1
Dependencies – Data at Rest (LEVEL TWO) ............................................................................ 71
7.2
Dependencies – Data in Motion (LEVEL TWO) ....................................................................... 73
U.S. Department of Homeland Security
2
�Cyber IST Questions
7.3
Dependencies – Data in Process (LEVEL TWO) ....................................................................... 75
7.4
Dependencies – End Point Services (LEVEL TWO) ................................................................. 76
Document History
Required
Version
Description of Change
Author
Date
1.0
Initial draft.
Nate Evans
29 April 13
1.1
Clean version produced from initial
comments.
Nate Evans
7 June 13
1.1.1
Edits from various conversations and
collaborations between Evans and Willke.
Nate Evans
30 June 13
1.1.2
Edits to update language. General
Section and Document History added.
Nate Evans
1 July 13
1.1.3
Edits from conversation with Willke on
July 1, 2013. Staffing Section added.
General Section modified.
Nate Evans
2 July 13
1.1.4
Edits to map to NIST framework/
standards and reduce question set.
Nate Evans and
Rebecca
Haffenden
2 August 13
1.1.5
Updated to reflect organizational changes
and to change “system” to “service.”
Nate Evans
14 August 13
1.1.6
Updated on the basis of testing.
Nate Evans and
Bradford Willke
26 August 13
1.1.7
Updated based on SLTT Feedback
Nate Evans and
Bradford Willke
26
September
13
1.1.8
Updated based on Lab Cyber Elicitation
Amanda Theel,
Nate Evans, Bill
Buehring, and
Angeli Tompkins
18 November
13
1.1.9
Updated based on SLTT Cyber Elicitation
Amanda Theel,
Nate Evans, Bill
Buehring, and
Angeli Tompkins
22 November
13
1.1.10
Edits and updates of ‘helps’
Amanda Theel
9 January 14
U.S. Department of Homeland Security
3
�Cyber IST Questions
1.0
Background Information
1.1
Primary Cyber or Cyber Security Point of Contact
Include a single Point Of Contact (POC.) Typically this is the primary POC for the company and the 24
hour contact and is the person that will receive the dashboard. On occasion, the Cyber POC will not be
the owner / operator.
1.2
Technical Operator Contact that Should Receive Primary Access to the Cyber
Survey Dashboard
Please identify the individual that will be the primary user of the dashboard; if applicable, please select
the individual that has signed the E&C. This user will be able to create additional users for the site.
1.2
Other Organizations and Visit Participants / Emergency Communications
List all persons contacted during the assessment or that was provided by the owner. If the person
participated in the assessment select the box indicating participated in survey.
List all protocols/services that are contacted for emergency communications in an event of an incident or
disaster for this site.
U.S. Department of Homeland Security
4
�Cyber IST Questions
Primary Cyber or Cyber Security Point of Contact (POC)
First Name
Last Name
Title
Company/Agency
Office:
Phone
Cell:
Email
Report to
Dashboard recipient
Participated in site visit
Technology Operator Contact (may be different from the Primary Cyber or Cyber Security
Point of Contact)
Same as Primary POC
First Name
Last Name
Title
Company/Agency
Office:
Phone
Cell:
Email
Report to
Dashboard recipient
Participated in site visit
Other Organization Contact or Visit Participant (replicate as needed)
First Name
Last Name
Company/Agency
Title/Position
Phone
Office:
Cell:
Email
Participated in site visit
Emergency Communications
U.S. Department of Homeland Security
5
�Cyber IST Questions
Protocol for
Emergency
Communications
U.S. Department of Homeland Security
6
�Cyber IST Questions
2.0
General Information
2.1
What is a Critical Cyber Service?
A basic principle to remember throughout the survey is, “What is a ‘Critical Cyber Service.” A cyber
service is any combination of equipment and devices (hardware); applications and platforms (software),
communications, and data that is integrated to provide specific cyber services. A critical cyber service
(CCS) is a service that the loss thereof would result in physical destruction, safety, and health effects
(e.g., a chemical release or loss of traffic controls), theft of sensitive information that can be exploited,
business interruption (e.g., denial of service), or other economic loss to the organization or its
customers/users.
Example 1: The SCADA system performing water treatment operations at a water treatment
facility.
Example 2: The traffic control operations system that manages transportation lights and cameras
for a large city.
Example 3: The centralized network operations serving department and agency level IT services.
Example 4: The management system that handles medical records for a Health Information
Exchange.
Example 5: The operations center that supports statewide law enforcement emergency
management and coordination.
2.2
Comments and Briefing Notes
Blank areas have been provided for general comments. Consider briefing notes internal use only..
Briefing note areas are for short bullets that the outbriefer can use to quickly assemble the out-briefing
and should only contain something that could be out-briefed to the facility.
Comment areas are for any comments that may be useful in QA or to explain a checkbox answer more
fully. Consider comment areas available to all external users.
U.S. Department of Homeland Security
7
�Cyber IST Questions
Critical Cyber Service (CCS) Information
Service Name
Other Service
Names/Aliases
Alias:
Primary Systems Name
Visit Date(s)
Start Date:
End Date:
Resident CSA
Who Completed This
Assessment?
Non-resident CSA
Name:
Other (e.g., SME)
Name:
No
Is This a Multi-site
Service?
Yes
If yes, please describe: _____
If yes, indicate below which CCS location is being evaluated.
Street Address (City,
County, State, ZIP
Code, Country)
Congressional District
Latitude/Longitude
(Decimal format
preferred)
Assessment
Motivation
(Check all that apply.)
Latitude:
Longitude:
Cyber Resilience Review
RRAP
Organization request
Law enforcement request
Direct threats/suspicious incidents:
Special event:
Other:
U.S. Department of Homeland Security
8
�Cyber IST Questions
2.3
General Cyber Service Description (For Information Only)
The purpose of this list is to gather information on the organization’s specific networks, services,
applications, and connections to determine commonalities with other CCSs within the organization.
The purpose of these questions is to gather a general outline of what functions the CCS supports (e.g.,
Industrial Control, email, billing, or customer service Internet application) and what comprises the
Service (e.g., hardware, software, devices, or workstations). Consider the “electronic security perimeter”
for the Service, defined as the logical border surrounding a network to which critical cyber assets are
connected and for which access is controlled (NERC glossary) and everything that is essential to the
reliable operation of the Service. This will establish the CCS for which all other questions will be
evaluated.
For example, a SCADA Service may support the monitoring and control of the transmission of
electric power within a specific geographic area, including redundant vendor servers, switches,
and seven workstations in the company control center, fiber connections to 189 remote terminal
units at substations, and limited connections to laptops and business servers, all operating on a
specific vendor platform with in-house applications for power flow analysis and predictive
planning.
For purposes of this survey the cyber security budget should be answered for the normal operations of
the Service; not for unusual events or incident response staffing.
U.S. Department of Homeland Security
9
�Cyber IST Questions
Critical Cyber Service (CCS) Information
General CCS
Description:
Check any that apply and provide a short description:
Networks (wireless networks, wired networks, etc.):
____________________________________________________________
____________________________________________________________
____
Services (computer services, e-mail servers, web servers, control
services, etc.):
____________________________________________________________
____________________________________________________________
____
Applications (computer programs, ERP software, shareware user-added
non-company software, etc.):
____________________________________________________________
____________________________________________________________
____
Connections (VPN access by subcontractors, portable devices
connected to organization services, interconnections between networks,
connection of a CCS to the Internet, etc.):
____________________________________________________________
____________________________________________________________
____
U.S. Department of Homeland Security
10
�Cyber IST Questions
Critical Cyber Service (CCS) Information
Which of these
cyber systems
primarily defines
the CCS?
(Check one.)
Business cyber system(s) that contain sensitive business information,
whose exploitation could result in business interruption, economic loss,
or theft.
Business cyber system(s) that manage supply chain, inventory
tracking, ordering and/or shipping, whose exploitation could result in
the theft or diversion of property, business interruption, or economic
loss.
Business cyber systems that support business functions such as
corporate email, payroll, human resources, reporting, scheduling,
regulatory and other business-related functions, whose loss or
exploitation could result in business interruption or economic loss.
Internet cyber systems that support business functions, such as
ordering, customer support, advertising, interactive business functions,
and other business-related public interfaces, whose loss or exploitation
could result in business interruption or economic loss.
Cyber systems that perform physical security functions (e.g., physical
intrusion detection services, access control services, camera services
and monitoring software), whose loss or exploitation could result in
security vulnerabilities, safety and health issues, damage to equipment
or property, business interruption, or economic loss.
Control system(s) that monitor and/or control on-site physical
processes or manufacturing services, whose loss or exploitation could
result in business interruption, safety and health issues, damage to
equipment or property, or economic loss.
Control system(s) that monitor and/or control remote physical
processes or services, whose loss or exploitation could result in
business interruption, safety and health issues, damage to equipment
or property, or economic loss.
Data storage system(s) that provide enterprise, backup, or archiving
storage for the organization, whose loss could result in business
interruption, theft, or economic loss.
Data storage system(s) that provide enterprise, backup, archiving, or
disaster recovery storage for others, whose loss could result in
business interruption, theft, or economic loss.
Other cyber system(s) whose exploitation could result in business
interruption, safety and health issues, damage to property, or
economic loss.
U.S. Department of Homeland Security
11
�Cyber IST Questions
Critical Cyber Service (CCS) Information
Which of the
following cyber
systems
additionally
comprise the
primary CCS?
(Check all that
apply.)
Business cyber system(s) that contain sensitive business information,
whose exploitation could result in business interruption, economic loss,
or theft.
Business cyber system(s) that manage supply chain, inventory
tracking, ordering and/or shipping, whose exploitation could result in the
theft or diversion of property, business interruption, or economic loss.
Business cyber systems that support business functions such as
corporate email, payroll, human resources, reporting, scheduling,
regulatory and other business-related functions, whose loss or
exploitation could result in business interruption or economic loss.
Internet cyber systems that support business functions, such as
ordering, customer support, advertising, interactive business functions,
and other business-related public interfaces, whose loss or exploitation
could result in business interruption or economic loss.
Cyber systems that monitor physical security of assets (e.g., intrusion
detection services, access control services, camera services and
monitoring software), whose loss or exploitation could result in security
vulnerabilities, safety and health issues, damage to equipment or
property, business interruption, or economic loss.
Control system(s) that monitor and/or control on-site physical
processes or manufacturing services, whose loss or exploitation could
result in business interruption, safety and health issues, damage to
equipment or property, or economic loss.
Control system(s) that monitor and/or control remote physical
processes or services, whose loss or exploitation could result in
business interruption, safety and health issues, damage to equipment
or property, or economic loss.
Data storage system(s) that provide enterprise, backup, or archiving
storage for the organization, whose loss could result in business
interruption, theft, or economic loss.
Data storage system(s) that provide enterprise, backup, archiving, or
disaster recovery storage for others, whose loss could result in
business interruption, theft, or economic loss.
Other cyber system(s) whose exploitation could result in business
interruption, safety and health issues, damage to property, or economic
loss.
How many
authorized
users/customers
have access to
this CCS?
1 to 500
501 to
5,000
5,001 to
50,000
U.S. Department of Homeland Security
>50,000
12
�Cyber IST Questions
Critical Cyber Service (CCS) Information
What is the basis
of the Cyber
Security budget
for this CCS?
No formal
budget is
established
Strict dollar
amount
Strict
percentage
of IT budget
U.S. Department of Homeland Security
Strict
percentage
of overall
budget
13
�Cyber IST Questions
3.0
Cyber Security Management (LEVEL ONE)
For purposes of this evaluation cyber security management includes the leadership roles and
responsibilities (e.g., governance), physical documentation, lifecycle tracking, information sharing (e.g.,
threat information), accreditation, assessment, and audits.
3.1
Cyber Security Leadership (LEVEL TWO)
Cyber security leadership includes roles and responsibilities (e.g., governance), physical documentation,
lifecycle tracking, information sharing (e.g., threat information), accreditation, assessment, and audits.
Management may be deemed to a single individual or a department as long as roles and responsibilities
are slated to cyber security.
Third-party contracts for cyber management or operational functions includes any/all cyber assessments,
cyber documentation, IT audits, and/or additional work that is not done by the primary organization.
U.S. Department of Homeland Security
14
�Cyber IST Questions
Cyber Security Leadership (LEVEL TWO)
Is there a manager/department in
charge of cyber security
management?
No
Yes
If yes, is this the primary function
of that manager?
No
Yes
N/A
Is there a third-party contract
arrangement for primary cyber
management and/or operational
functions for this CCS?
< 50% but less than 75%
> 25% but less than 50%
> 10% but less than 25%
less than 10%
If the organization has
CCS systems that are
not or cannot be updated
with respect to critical
vulnerabilities,
approximately what
percentage of these
systems have
compensating security
controls in place?
100%
> 75% but less than 100%
> 50% but less than 75%
> 25% but less than 50%
> 10% but less than 25%
less than 10%
Which documents does
the organization retain
that can demonstrate
integration of cyber
security into the CCS
asset life cycle? (Check
all that apply.)
Security accreditation/certification
Requirements analysis
Acquisition plans and/or procedures
Implementation plans and/or procedures
Operations plans and/or procedures
Change management plans and/or procedures
Vulnerability management plans and/or procedures
Lifecycle Tracking Briefing Notes:
Lifecycle Tracking Comments:
3.5
Accreditation and Assessment (LEVEL TWO)
Does the facility utilize formal, external cyber-security guidance and standards for identifying and
implementing cyber-security controls (management, operational, and technical)?The purpose of capturing
accreditation and assessment information is to see if the facility utilizes external standards to develop
policies regarding cyber security including policies that affect people, processes, and equipment. This
information is to help to compare across sectors and amongst different standards.
U.S. Department of Homeland Security
25
�Cyber IST Questions
The purpose of capturing if an audit or assessment is conducted in accordance with the standard practiced
is to benchmark the particular standards and their practiced requirements.
U.S. Department of Homeland Security
26
�Cyber IST Questions
Accreditation and Assessment
Does your
organization follow
a cyber security
standard(s) of
practice?
Not scored—
information only.
No
Yes
If yes, which standard(s) of practice do you follow? (Check all that apply.)
NIST SP 800 Series
ISO/IEC 27000 Series
CObit
ITIL
HITRUST
ISF Standard of Good Practice (SOGP)
NERC CIP
FIPS 199
HIPAA
NIST Cyber Security Framework
Other_______________
<>
If yes, a standard
of accreditation is
required for:
(Check all that
apply.)
Business requirements
Legislative or regulatory requirements
Contractual requirements
Not scored—
information only.
If yes, is audit
required against
the standards?
Organization policy
No
Yes
Not scored—
information only.
Does the
organization
conduct cyber
security
vulnerability/risk
assessments to
identify potential
No
Yes
U.S. Department of Homeland Security
27
�Cyber IST Questions
vulnerabilities of
the CCS assets
and networks?
<| File Type | application/pdf |
| Author | Horsthemke, William |
| File Modified | 2016-09-27 |
| File Created | 2014-01-15 |