Information Security Baseline Requirements

for

Process Control, Safety, and Support ICT Systems Self Assessment

Ver. 1.2

2007 Norwegian Oil and Gas Association This is a self assessment tool for verifying the company's degree of compliance with the Norwegian Oil and Gas Information Security Baseline Requirements (ISBR). The tool (ISBR/SA) was produced to help the companies in assessing the security level of the ICT equipment in the production environment (Process Control, Safety, and Support ICT Systems - PCSS/ICT), and it is not meant as a tool for external reporting. The ISBR/SA is intended for internal use only. How the tool should be utilized is entirely up to the company, but the idea behind this was not to distribute it internally and then collect the answers. The spreadsheet was made for information security managers or similar functions to use during interviews with key The summary worksheet can be used for communicating the final results without unveiling the underlaying answers. Answering all of the questions asked for an ISBR is not required in order to get a score. For this reason Not Applicable is not added for Yes/No- questions. If a question is not considered relevant just leave it unanswered.

ISBR# 1 - An Information Security Policy for process control, safety, and support ICT systems environments shall be documented. 1-1 Does the company have an information security policy document specifically developed for the PCSS/ICT systems in the production environments? [If NO in ISBR#1-1] Does the company have a global or corporate information security policy which also encompasses the production environment? Has the information security policy been signed by local/regional top management? Has the information security policy been written or revised during the last previous three years? To what degree is the information security policy enforced in all of the company's production environments? To what degree is management active in promoting and enforcing the information security policy? To what degree are the employees and contractors in the production environment informed of and familiar with the information security policy? To what degree do all the employees and contractors in the production environment abide by the information security policy? To what degree have information security instructions and/or guidelines been developed for the production environments? To what degree are the information security instructions

1-2

1-3 1-4 1-5

1-6 1-7

1-8

1-9

1-10

and guidelines revised and updated on a regular basis? 1-11 To what degree do all the employees and contractors in the production environment abide by the information security instructions/guidelines? ISBR# 2 - Risk assessments shall be performed for process control, safety, and support ICT systems and networks. 2-1 Does the company have documented requirements to perform risk assessments regularly for all critical PCSS/ICT systems in the production environments? Does the company have a documented framework or methodology for risk assessment that can be utilized for information security in the production environments? To what degree have information security risk assessments been performed for all critical PCSS/ICT systems during the last year? To what degree has top management defined which risks are unacceptable? To what degree are uncovered severe information security risks handled immediately? Does the company have a dedicated system for registering information security risks? To what degree are all uncovered information security risks registered?

2-2

2-3

2-4 2-5 2-6 2-7

2-8

To what degree are all registered risks followed up and responded to within a reasonable timeframe? ISBR# 3 - Process control, safety, and support ICT systems shall have designated system and data owners. 3-1 To what degree has the company defined, identified, and documented which ICT systems in the production environment are considered critical? Are there internal requirements for appointing system owners for critical ICT systems in the production environment? To what degree are system owners actually appointed for

3-2

3-3

all critical ICT systems in the production environment? 3-4 Does the company have a documented overview (list or database) of personnel appointed as system owners? 3-5 To what degree is this overview complete and updated? 3-6 Does the company have documentation that describes the authorities and responsibilities of the role as system owner? 3-7 To what degree are all system owners aware of their authorities and responsibilities? 3-8 Are there internal requirements for appointing data/information owners for critical data? 3-9 To what degree are data owners actually appointed for all critical data? 3-10 Does the company have documentation that describes the authorities and responsibilities of the role as data owner? 3-11 To what degree are all data owners aware of their authorities and responsibilities? ISBR# 4 - The infrastructure shall be able to provide segregated networks, and all communication paths shall be controlled. 4-1 Are there internal documented requirements for segregating the production networks from the administrative networks? To what degree are the production networks actually segregated from the administrative networks? (e.g. by installing tightly configured firewalls between the networks) To what degree is it currently possible to further segregate the networks in the production environment if needed? (i.e. with the technology and the IT infrastructure that the company has today) To what degree does all internal data communication between the production networks and the administrative networks go through controlled gateways? [e.g. firewalls, filtering routers] To what degree does all external data communication between the production networks and the suppliers go through controlled gateways? [e.g. firewalls, terminal servers]

4-2

4-3

4-4

4-5

4-6

Does the organization require all external companies (e.g. suppliers and contractors) to sign a company nondisclosure agreement? 4-7 To what degree are these requirements adhered to? 4-8 Does the organization require all employees from external companies (e.g. suppliers and contractors) to sign a personal non-disclosure agreement before granting access? 4-9 To what degree are these requirements adhered to? 4-10 Have all modems in the production environment been removed? (i.e. modems connected directly to the production networks or to IT systems connected to the production networks) 4-11 [If NO in ISBR#4-10] Are all modems switched off or physically disconnected when not in use? 4-12 [If NO in ISBR#4-10] Are there any written plans for discontinuing these modems? ISBR# 5 - Users of process controll, safety, and support ICT systems shall be educated in the information security requirements and acceptable use of the ICT systems. 5-1 To what degree are there documented requirements for information security training for all employees in the production environment? 5-2 To what degree are newly hired personnel in the production environment being trained in information security? 5-3 To what degree is introduction training in information security also available for hired personnel and contractors? 5-4 To what degree are the employees in the production environment informed about information security through the company's intranet? 5-5 To what degree are the employees in the production environment informed about information security directly through the use of e-mail? 5-6 To what degree are the employees in the production environment informed about information security through general meetings? 5-7 To what degree are contractors responsibilities for information security included in their contracts? ISBR# 6 - Process control, safety, and support ICT systems shall be used for designated purposes only. 6-1 To what degree has acceptable use of each of the critical PCSS/ICT system been documented? 6-2 To what degree are the critical PCSS/ICT systems utilized for their originally designated purpose only? 6-3 To what degree are the critical PCSS/ICT systems audited to ensure that only authorized and dedicated software is installed? ISBR# 7 - Disaster recovery plans shall be documented and tested for critical process control, safety, and support ICT systems.

7-1

Does the company have a managed process for developing disaster recovery plans for all critical ICT systems in the production environment? 7-2 To what degree does the company have documented disaster recovery plans for every critical ICT system in the production environment? 7-3 Does the company have a managed process for maintaining and updating existing disaster recovery plans for the production environment? 7-4 To what degree have the disaster recovery plans been tested for all critical IT systems in the production environment during the last two years? ISBR# 8 - Information security requirements for ICT components shall be integrated in the engineering, procurement, and commissioning processes. 8-1 Does the company have documented internal guidelines for including information security requirements in the engineering, procurement, and commissioning process for PCSS/ICT systems? 8-2 To what degree does the company currently specify information security requirements in all parts of the engineering, procurement, and commissioning process for PCSS/ICT systems? 8-3 To what degree are the implemented information security controls and measures in new PCSS/ICT systems documented by the supplier? 8-4 To what degree are the implemented information security controls and measures tested by the company before new PCSS/ICT systems are put into production? ISBR# 9 - Critical process control, safety, and support ICT systems shall have defined and documented service and support levels. 9-1 Does the company have documented internal requirements for specifying the necessary level of lifetime service and support for critical PCSS/ICT systems? 9-2 To what degree have the necessary level of lifetime service and support for all of the currently installed critical PCSS/ICT systems been documented? 9-3 To what degree is this document maintained and kept updated? ISBR# 10 - Change management and work permit procedures shall be followed for all connections to and changes in the process control, safety, and support ICT systems and networks. 10-1 To what degree have procedures for updating operating software and applications in PCSS/ICT systems been documented? 10-2 To what degree are these procedures adhered to? 10-3 To what degree have procedures for repair and replacement of defect or malfunctioning PCSS/ICT equipment been documented? 10-4 To what degree are these procedures adhered to?

10-5

Does the company have documented configuration and set-up requirements for suppliers' and third-parties' test equipment when temporarily connecting to the production network? 10-6 To what degree are these procedures adhered to? 10-7 Does the company have documented requirements that suppliers' and third-parties' ICT equipment shall be updated with the latest version of security programs such as anti-virus program and personal firewall before connecting to the production network? 10-8 Does the company have documented procedures on how suppliers and third-parties shall connect their ICT equipment to the production networks or to PCSS/ICT systems? 10-9 To what degree are these procedures adhered to? ISBR# 11 - An updated network topology diagram including all system components and interfaces to other systems shall be provided. 11-1 Does the company have internal requirements for documenting and maintaining network maps, where all critical ICT components in the production environment are included? 11-2 To what degree have all networks and critical ICT components in the production environment been documented? [e.g. IP- and MAC-adresses, hardware configurations, physical location] 11-3 To what degree is this documentation maintained and kept updated? 11-4 To what degree have applications considered critical been documented? 11-5 To what degree is this documentation maintained and kept updated? 11-6 To what degree have the interfaces between the critical applications been documented? 11-7 To what degree does the company have updated documentation on the set-up and configurations on all critical ICT systems? ISBR# 12 - Process control, safety, and support ICT systems shall be kept updated when connected to process control, safety, and support networks. 12-1 Does the company have documented requirements for updating software installed in critical PCSS/ICT systems when new security patches are released? To what degree does the company have an updated overview on the version numbers and patch-level for the operating software and applications installed on the PCSS/ICT systems in the production networks? To what degree does the overview cover all ICT systems connected to the production networks? Has the company appointed personnel with the responsibility of specifically following up on releases of software updates and patches?

12-2

12-3 12-4

12-5

To what degree are the PCSS/ICT systems updated with the latest security patches released by the software developer? ISBR# 13 - Process control, safety, and support ICT systems shall have adequate, updated, and active protection against malicious software. 13-2 Does the company have internal requirements for protecting the PCSS/ICT systems against malicious code such as viruses, Trojan horses, and worm as well as activities such as unauthorised use and computer breakins? 13-3 To what degree is anti-virus software installed on all critical PCSS/ICT systems in the production network? 13-4 To what degree is (personal) firewall software installed on all critical PCSS/ICT systems in the production network? 13-5 To what degree are PCSS/ICT systems in the production networks which are not protected against unauthorized activities and malicious code isolated in separate segments or installed behind other protective security measures? 13-6 To what degree are new versions of anti-virus and firewall software installed within a reasonable timeframe after they have been released? 13-7 To what degree are real-time systems that cannot have anti-virus and firewall software installed scanned manually to verify that they have not been infected? ISBR# 14 - All access requests shall be denied unless explicitly granted. 14-1 Does the company have documented guidelines that require all access rights to PCSS/ICT systems to be on a need-to-use basis? 14-2 Does the company have documented guidelines that require all access rights to files and applications in the PCSS/ICT systems to be denied unless explicitly granted? 14-3 [If YES in ISBR#14-2] To what degree is every PCSS/ICT system configured to comply with this requirement? 14-4 To what degree do all external suppliers and third-party users have to be authorized on an event-by-event basis by the company to get access to the production networks (i.e. external users do not have permanent access rights to the production networks)? 14-5 To what degree are users logged on the company's office domains restricted from, or thoroughly controlled when, accessing the production networks? ISBR# 15 - Required operational and maintenance procedures shall be documented and kept current. 15-1 Are there have written requirements for documenting the operational routines for all critical PCSS/ICT systems?

15-2

To what degree is this requirement fulfilled for all new PCSS/ICT systems? 15-3 To what degree is this requirement fulfilled for all older PCSS/ICT systems? 15-4 To what degree is the documentation for the operational routines maintained and kept current? 15-5 Does the company have internal requirements for documenting operational procedures and maintenance routines for critical PCSS/ICT systems? 15-6 To what degree is this requirement fulfilled for all new PCSS/ICT systems? 15-7 To what degree is this requirement fulfilled for all older PCSS/ICT systems? 15-8 To what degree is the documentation for operational procedures and maintenance routines updated and kept current? 15-9 To what degree have all necessary operational procedures and routines for all critical applications in the production environment been documented? 15-10 Does the company have internal requirements for backing up data in critical PCSS/ICT systems? 15-11 To what degree are data and applications backed up regularly in all critical PCSS/ICT systems? 15-12 To what degree are the back-ups tested regularly for readability? ISBR# 16 - 16. Procedures for reporting of security events and incidents shall be documented and implemented in the organisation. 16-1 To what degree does the company have a managed and documented process for handling information security incidents? 16-2 To what degree has the company defined and documented what it considers as being information security incidents? 16-3 To what degree has the company documented how information security incidents most likely to happen shall be handled? 16-4 To what degree has the company developed documented guidelines on how information security incidents in the production environment shall be handled? 16-5 Has the company developed templates, have intranet pages, or specific applications for the users to report information security incidents? 16-7 Does the company have documented requirements for the users to report information security incidents? 16-8 [If YES in ISBR#16-7] To what degree is this requirement fulfilled? 16-9 To what degree are reported information security incidents registered and followed up? 16-10 To what degree is local/regional top management informed when security incidents happen?

16-11 To what degree does local/regional top management receive regular reports on information security incidents (preferably monthly)?

Asset / Installation: Date of interview: Interviewee: Interviewer: ISBR# 1 - An Information Security Policy for process control, safety, and support ICT systems environments shall be documented. ISBR# 2 - Risk assessments shall be performed for process control, safety, and support ICT systems and networks. ISBR# 3 - Process control, safety, and support ICT systems shall have designated system and data owners. ISBR# 4 - The infrastructure shall be able to provide segregated networks, and all communication paths shall be controlled. ISBR# 5 - Users of process controll, safety, and support ICT systems shall be educated in the information security requirements and acceptable use of the ICT systems. ISBR# 6 - Process control, safety, and support ICT systems shall be used for designated purposes only. ISBR# 7 - Disaster recovery plans shall be documented and tested for critical process control, safety, and support ICT systems. ISBR# 8 - Information security requirements for ICT components shall be integrated in the engineering, procurement, and commissioning processes. ISBR# 9 - Critical process control, safety, and support ICT systems shall have defined and documented service and support levels. ISBR# 10 - Work permit procedures (change management) shall be followed for all connections to and changes in the process control, safety, and support ICT systems and networks.

ISBR# 11 - An updated network topology diagram including all system components and interfaces to other systems shall be provided. ISBR# 12 - Process control, safety, and support ICT systems shall be kept updated when connected to process control, safety, and support networks.

ISBR# 13 - Process control, safety, and support ICT systems shall have adequate, updated, and active protection against malicious software. ISBR# 14 - All access requests shall be denied unless explicitly granted. ISBR# 15 - Required operational and maintenance procedures shall be documented and kept current. ISBR# 16 - Procedures for reporting of security events and incidents shall be documented and implemented in the organisation.

- An Information Security Policy for process control, safety, and support ICT systems ments shall be documented.

- Risk assessments shall be performed for process control, safety, and support ICT systems works. - Process control, safety, and support ICT systems shall have designated system and data

- The infrastructure shall be able to provide segregated networks, and all communication hall be controlled.

- Users of process controll, safety, and support ICT systems shall be educated in the ion security requirements and acceptable use of the ICT systems. - Process control, safety, and support ICT systems shall be used for designated purposes

- Disaster recovery plans shall be documented and tested for critical process control, safety, port ICT systems.

- Information security requirements for ICT components shall be integrated in the ring, procurement, and commissioning processes.

- Critical process control, safety, and support ICT systems shall have defined and nted service and support levels.

0 - Work permit procedures (change management) shall be followed for all connections to nges in the process control, safety, and support ICT systems and networks.

1 - An updated network topology diagram including all system components and interfaces to stems shall be provided.

2 - Process control, safety, and support ICT systems shall be kept updated when connected ss control, safety, and support networks.

3 - Process control, safety, and support ICT systems shall have adequate, updated, and active on against malicious software.

4 - All access requests shall be denied unless explicitly granted.

5 - Required operational and maintenance procedures shall be documented and kept current.

6 - Procedures for reporting of security events and incidents shall be documented and ented in the organisation.

Score #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0!

Not at all To a lesser degree To some degree To a large degree Totally, Completely, Fully Not applicable

0 1 2 3 4 N/A

0-5% 6-35% 36-65% 66-95% 96-100%

No Yes

0 4

0% 100%