
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Overview of SANS CSCS 20, NERC-CIP & PCI-DSS
SANS CSCS 20 SWOT Analysis
ISO 27001:2013 ISMS SWOT Analysis
Integrating ISMS with SANS CSCS 20, NERC-CIP & PCI-DSS

The Critical Security Controls effort focuses first on prioritizing security
functions that are effective against the latest Advanced Targeted Threats, with
a strong emphasis on "What Works": security controls where products,
processes, architectures and services in use have demonstrated real-world
effectiveness. Standardization and automation are another top priority, to
gain operational efficiencies while also improving effectiveness. The US State
Department has previously demonstrated a more than 94% reduction in
"measured" security risk through the rigorous automation and measurement
of the Top 20 Controls.

SANS determined the following:

The majority of respondents (73%) are aware of the CSCs and have adopted or
are planning to adopt them, while a further 15% are aware of the Controls and
only 12% hadn't heard of the Controls before the survey.

The respondents' primary driver for Controls adoption is the desire to improve
enterprise visibility and reduce security incidents.

Operational silos within the IT security organization and between IT and other
business departments are still the greatest impediment to implementing
repeatable processes based on the Controls.

Only 10% of respondents feel they've done a complete job of implementing all of
the Controls that apply to their organizations.

The SANS CSC Top 20 is procedure based.
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
SANS 20 (procedure based)

1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
ISO 27001:2013 Standards (control point based)

A5. Management direction for information security,
A6. Organisation of information security,
A7. Human Resource security,
A8. Asset Management,
A9. Access control,
A10. Cryptography,
A11. Physical and Environmental security,
A12. Operations Security,
A13. Communications Security,
A14. System acquisition, Development and Maintenance,
A15. Supplier Relationships,
A16. Information Security Incident Management,
A17. Information Security Aspects of Business Continuity Management,
A18. Compliance
The original guidelines addressing cyber security in the energy infrastructure
are known as NERC 1200 UAS. This standard was passed in 2003, in response
to the Homeland Security Act of 2002. It was designed to reduce the overall
vulnerability of bulk electric systems to cyber threats. However, NERC 1200
was considered only a temporary fix to the problem. NERC 1300 was
subsequently introduced because there was still no consensus on a final set of
standards, and it was still another year before NERC Critical Infrastructure
Protection (CIP) cyber security standards were passed. NERC CIP spells out an
auditable guide covering a variety of areas related to cyber security.

The ERO's key programs, which impact more than 1,900 Bulk-Power System owners
and operators, are based on four pillars of continued success:

Reliability to address events and identifiable risks, thereby improving the
reliability of the Bulk-Power System.

Assurance to provide assurance to the public, industry and government for the
reliable performance of the Bulk-Power System.

Learning to promote learning and continuous improvement of operations and
adapt to lessons learned for improvement of Bulk-Power System reliability.

Risk-Based Approach to focus attention, resources and actions on issues most
important to Bulk-Power System reliability.
The reliability councils within the Eastern Interconnection are:
Florida Reliability Coordinating Council (FRCC)
Midwest Reliability Organization (MRO)
Northeast Power Coordinating Council (NPCC)
Reliability First Corporation (RFC)
SERC Reliability Corporation (SERC)
Southwest Power Pool, Inc. (SPP)

The reliability council for the Texas Interconnection is:
Electric Reliability Council of Texas (ERCOT)

The reliability council for the Québec Interconnection is:
Northeast Power Coordinating Council (NPCC)

The reliability council for the Alaska Interconnection is:
Alaska Systems Coordinating Council (ASCC), an affiliate member of NERC
There are nine separate CIP cyber security standards that NERC has passed.
Each standard sets out details concerning who the responsible party is, what
the requirements are, and what constitutes different levels of non-compliance.

CIP-001 Sabotage Reporting
CIP-002 Critical Cyber Assets
CIP-003 Security Management Controls
CIP-004 Personnel & Training
CIP-005 Electronic Security
CIP-006 Physical Security of Critical Cyber Assets
CIP-007 Systems Security Management
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets

NERC CIP Standards (procedure based)

CIP-001 Sabotage Reporting
CIP-002 Critical Cyber Assets
CIP-003 Security Management Controls
CIP-004 Personnel & Training
CIP-005 Electronic Security
CIP-006 Physical Security of Critical Cyber Assets
CIP-007 Systems Security Management
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets
ISO 27001:2013 Standards (control point based)

A5. Management direction for information security,
A6. Organisation of information security,
A7. Human Resource security,
A8. Asset Management,
A9. Access control,
A10. Cryptography,
A11. Physical and Environmental security,
A12. Operations Security,
A13. Communications Security,
A14. System acquisition, Development and Maintenance,
A15. Supplier Relationships,
A16. Information Security Incident Management,
A17. Information Security Aspects of Business Continuity Management,
A18. Compliance
The Council's five founding global payment brands -- American Express,
Discover Financial Services, JCB International, MasterCard Worldwide, and
Visa Inc. -- have agreed to incorporate the PCI DSS as the technical
requirements of each of their data security compliance programs. Each
founding member also recognizes the QSAs, PA-QSAs and ASVs certified
by the PCI Security Standards Council.

The PCI Security Standards Council is an open global forum, launched in
2006, that is responsible for the development, management, education, and
awareness of the PCI Security Standards, including the Data Security
Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS),
and PIN Transaction Security (PTS) requirements.
SANS CSC 20 and PCI-DSS are US-based approaches that will help US organizations
address cyber security risks.

Based on a small set of procedures, it should be easy to implement and get
up and running quickly.

The SANS CSC Top 20 is procedure based and should be easy to teach and
monitor for knowledge transfer within most organizations.

The SANS CSC Top 20 was created at a high level and is flexible enough to fit
the organization; only the controls that fit need to be selected and audited
against.

The SANS CSC Top 20 is a small series of procedures applicable to most
organizations.

SANS CSC 20 is not internationally accepted and thus is not positioned to raise
the bar on information security on a global scale.

SANS CSC 20 is based on a small demographic of security professionals as opposed
to an international body, which limits its footprint and potential for application
outside the United States.

SANS CSC 20 is not scalable and thus limited to large organizations that have the
resources and budget to carry it. Small businesses will find it difficult to scale it to
their limited resources and budgets.

SANS CSC 20 is process based, which limits its flexibility. Only the control points that fit
the organization need to be selected and audited against.

SANS CSC 20 is not independently registered/certified or audited by
independent security professionals, limiting its verification and validation and further
impacting the trust factor.

There is a lot of room to expand the standard framework from a procedure
based standard to a more flexible control point framework.

Once SANS CSC Top 20 has been established and matures, organizations can
improve its integration with existing security or data protection procedures,
improving its effectiveness and efficiency.

If all US based businesses adopted the same approach there would be fewer
risks and potential liabilities, and lower insurance costs.

If SANS CSC Top 20 could help standardize security practices it would also
help control costs, while improving relationships with trading partners,
shareholders and consumers. This would contribute to revenue, growth and
the bottom line.

Despite a solid effort, the standard is without the all-important management
system, and this will become a problem following its implementation: it will be a
bumpy ride and the standard will become outdated quickly.

The cost of implementation and maintenance will be high; despite the fact that it's
a good standard, it is completely customized and doesn't seem to fit with any other
frameworks.

There is a lot of misinformation concerning the level of effort and documentation
required to adopt SANS CSC Top 20; just how much it will cost and how long it will
take is a huge unknown.

Many organizations do not understand information security and they will be very
reluctant to adopt a prescriptive series of security standards without knowing the
cost or impact to their respective organizations.

Several countries are continuing to develop their own Cyber Security standards and
some, like ISO 27001 ISMS, are far ahead in terms of maturity.

Internationally accepted, ISO 27001 is best positioned to raise the bar on
information security on a global scale, which benefits all of us.

Based on best practices, it helps establish a solid footing for future security
hardening.

Scalability makes it fit small or big organizations, with one office or one
thousand.

Being control point based adds to the flexibility. Only the control points that fit the
organization need to be selected and audited against.

Independent audits and independent security professionals add to the level of
verification and validation, further enhancing the trust factor.

Awareness is very low in North America. Worldwide adoption is up 12%; the
majority is in Asia and now in the UK.

Lots of misinformation concerning adoption costs creates hesitation by
executives and boards of directors.

Lots of misinformation concerning potential impact to organizational culture
creates hesitation by executives and boards of directors.

Lots of misinformation concerning adoption effort in terms of man hours,
documentation and competency creates hesitation by executives and boards of
directors.

ISO 27001 ISMS is a benchmark that has been widely accepted; however, it
needs to be adapted to the industry, organization and culture before it can
mature into a

There is a lot of room to expand the standard framework when considering
the fact that information transcends technology.

Once the information security management system has been established,
organizations can adopt any security or data protection standard due to the
flexible approach of the ISMS framework.

If all international businesses adopted the same approach there would be
fewer risks and potential liabilities and insurance costs associated with
information handling.

Standardizing security practices helps control costs while improving
relationships with trading partners, shareholders and consumers. This would
contribute to revenue, growth and the bottom line.

Despite a solid auditable standard and a standard operating procedure to guide
ISO 27001 auditors, the minimum acceptable level of control varies between
registrars.

Registrars are allowed to play both the role of the auditor and implementation
consultant, creating a conflict of interest.

Lots of misinformation exists concerning the level of effort and documentation
required to become registered/certified.

Many organizations continue to not fully understand that ISO 27001 is a starting
point, a benchmark and not the final solution.

Several countries are continuing to develop their own versions of ISO 27001
ISMS, avoiding the inevitable assimilation. The irony is that most of them are
copying ISO 27001 and reproducing it with a different label, adding to confusion
and to a disjointed global approach, where a common approach is necessary for
GDP and foreign trade.

When it comes to management systems, SANS CSC 20, NERC-CIP and PCI DSS
have not integrated the concept of a management system. This section of ISO/IEC
27001:2013 is so important that it is considered mandatory for successful
adoption and registration/certification. 148 control points have been
documented within clauses 4-10.

When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A5-A7, PCI DSS has
the most significant gaps in Security Organization and Human Resources, while SANS
CSC 20 was weak on Management and NERC-CIP was weak on Organization of
Information Security.

When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A8-A10, NERC-CIP
has the most significant gaps in Access Control and Cryptography, while SANS CSC 20
was weak on Cryptography. All three were OK with Asset Management.

When it comes to the ISO/IEC 27001:2013 ISMS Annex A domains, SANS CSC 20,
NERC-CIP and PCI DSS are the strongest in the domains of operations, communications,
and system acquisition, development and maintenance.

When it comes to ISO/IEC 27001:2013 ISMS Annex A domains A15-A18, PCI DSS
is the weakest, with gaps in incident management, business continuity and
compliance. SANS CSC 20 and NERC-CIP are close behind, both with gaps in
Supplier Relationship and Compliance Management.

The statement of applicability (SoA) is created following a risk assessment
against organizational assets that are in scope for protection from threats and
vulnerabilities leading to loss of confidentiality, integrity and availability.
Internal and external audits are facilitated against the SoA.

The flexibility of the ISMS allows additional security control decks to be
added, such as SANS CSC 20, if they can be justified. The framework also
streamlines any overlapping controls, minimizing or eliminating costly
overlaps while improving the effectiveness and efficiency of the ISMS.

Similarly, Service Level Agreements could be established between the business
unit or line of business seeking ISO 27001 Registration/Certification and
external parties like Cloud Computing Services, Vendors and Suppliers.

A Risk Assessment is necessary once all assets have been identified within
the scope of service. These assets are utilized for the product or service
delivery and the revenue stream.

Risk Treatment Plans are defined by Corrective Action plans and Preventive
Action plans. The RTP is basically a rolled-up dashboard utilized for tracking
and monitoring CAPA by the ISMS Governance Committee.

Some risks are shared with external vendors and suppliers. These risks are
recorded within the following risk registry and monitored with service
providers during service management meetings, then reported back to the
ISMS Governance Committee.

Risks associated with strategic planning, credit, market and financial matters
that are considered open and ongoing, versus mitigated and closed, can be
added to the Risk Registry. Within the columns of the 1-5 impact scale, a
threshold can be added for clarity.

These risks are for internal reporting purposes and probably would not be
shared or reviewed with the external party.

Risks associated with compliance to statutes, regulations and contractual
obligations that are considered open and ongoing, versus mitigated and
closed, can be added to the Risk Registry. Within the columns of the 1-5
impact scale, a threshold can be added for clarity.

Risks associated with operations are the most common risks that external
parties can positively or negatively impact. Those that are considered open
and ongoing, versus mitigated and closed, can be added to the Risk Registry.

Within the columns of the 1-5 impact scale, a threshold can be added for
clarity.

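The risk registry, impact threshold and RTP roll-up described on the preceding slides, as an added example that is not part of the original deck: the 1-5 likelihood scale, the threshold value of 10, the field names and the sample risks are assumptions or constructed data.

```python
"""Risk registry with a 1-5 impact threshold and an RTP dashboard roll-up.

Added example, not from the original deck. Strategic, credit, market and
financial risks are internal-report only and are never shown to an external
party; operational and compliance risks shared with a vendor appear in that
vendor's service management view.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CATEGORIES = {"strategic", "credit", "market", "financial", "compliance", "operational"}
INTERNAL_ONLY = {"strategic", "credit", "market", "financial"}
OPEN_STATUSES = {"open", "ongoing"}          # versus "mitigated" / "closed"


@dataclass
class Risk:
    rid: str
    category: str
    description: str
    impact: int                    # 1-5 scale, as on the slides
    likelihood: int                # 1-5 scale (assumption: slides give impact only)
    status: str                    # open | ongoing | mitigated | closed
    shared_with: List[str] = field(default_factory=list)  # vendors/suppliers sharing the risk
    capa: str = ""                 # corrective/preventive action reference, "" if none yet

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be on the 1-5 scale")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def is_open(self) -> bool:
        return self.status in OPEN_STATUSES


def above_threshold(registry: List[Risk], threshold: int) -> List[Risk]:
    """Open or ongoing risks at or above the threshold: each should carry a CAPA."""
    return [r for r in registry if r.is_open and r.score >= threshold]


def missing_capa(registry: List[Risk], threshold: int) -> List[str]:
    """IDs of above-threshold risks that have no corrective/preventive action yet."""
    return [r.rid for r in above_threshold(registry, threshold) if not r.capa]


def external_view(registry: List[Risk], party: str) -> List[Risk]:
    """Entries reviewed with one vendor/supplier at the service management meeting.
    Internal-only categories are filtered out even if the party is listed on them."""
    return [r for r in registry
            if party in r.shared_with and r.category not in INTERNAL_ONLY]


def rtp_dashboard(registry: List[Risk], threshold: int) -> Dict[str, Dict[str, int]]:
    """Rolled-up per-category view for the ISMS Governance Committee."""
    dash: Dict[str, Dict[str, int]] = {}
    for r in registry:
        d = dash.setdefault(r.category, {"open": 0, "above_threshold": 0, "max_score": 0})
        if r.is_open:
            d["open"] += 1
            if r.score >= threshold:
                d["above_threshold"] += 1
        d["max_score"] = max(d["max_score"], r.score)
    return dash


THRESHOLD = 10  # assumed: a score of 10 or more requires a tracked CAPA
SAMPLE_REGISTRY = [  # constructed sample data, not a real registry
    Risk("R1", "operational", "Cloud provider outage halts order processing", 4, 3, "open", ["CloudCo"], "CAPA-7"),
    Risk("R2", "operational", "Hosting supplier lags on security patching", 3, 4, "ongoing", ["HostCo"]),
    Risk("R3", "strategic", "Market entry delayed by competitor", 5, 2, "open", ["CloudCo"]),
    Risk("R4", "compliance", "Contractual data-retention obligation unmet", 4, 2, "mitigated", [], "CAPA-3"),
    Risk("R5", "financial", "Currency exposure on supplier contracts", 2, 2, "closed"),
]

if __name__ == "__main__":
    print("needs CAPA:", missing_capa(SAMPLE_REGISTRY, THRESHOLD))
    print("CloudCo view:", [r.rid for r in external_view(SAMPLE_REGISTRY, "CloudCo")])
    print(rtp_dashboard(SAMPLE_REGISTRY, THRESHOLD))
```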
Within the Statement of Applicability we select and design controls that
mitigate or eliminate risk. Each control selected addresses a specific risk
angle or trigger point. These controls are listed within the SoA.

Six specific asset categories have been created, each sharing common
vulnerabilities. This extends the capability of the ISMS to effectively and
efficiently mitigate risk by applying controls in critical areas within the
organizational workflow that mitigate risks to one or more assets.

Enterprise Security Architecture was created following the natural order in
which organizations are structured.

The Information Security Management System program provides a single point of
contact and leadership for Enterprise Security based on strategic
organizational goals and objectives. The ESMS brings together physical
security with information security in support of Business Architecture guided
by organizational Governance and Risk Management.

ESMS Examples: Subjects of Interest
Access Control
Active Shooter
Asset Protection and Management
Background Screening/Due Diligence
Bomb Threats
CCTV
Compliance Management
Corruption/Ethics
Crime, Prevention
Cryptography
Data/Information Security
Data Privacy
Disaster/Crisis Management
Environmental
Executive Protection/Personnel Security
Facilities (General)
Health and Safety
Incident Management
Investigations
Mail Security
Pandemics
Physical Security, General
Quality Management
Risk Management
Risk/Vulnerability Assessment and Site Surveys
Security Personnel/Duties
Security Planning and Management
Sexual Harassment/Discrimination
Social Media
Social Engineering
Supply Chain
Strikes/Demonstrations/Unrest
Substance Abuse
Telecommunications
Travel
Utilities
Vehicles and Vehicle Operation
Visitors
Water
Workplace Violence
ESMS Examples: Applicable Industries
Agriculture
Aviation
Banking
Chemical
Cities
Distribution Centers
Educational Institutions
Energy Industry
Factories
FDIC
Government
Healthcare
Industrial Sites

Insurance
Mass Transit
Manufacturing
Media
Oil and gas/Energy
Seaports
Stadiums and Arenas
Telecommunications
Technology
Theme Parks
Universities
SANS CSC 20, NERC-CIP & PCI-DSS are all good
standards, but they still don't meet the minimum
security requirements defined by ISO 27001:2013.

Organizations should consider adopting one
information security framework that would address
all security requirements. This sustainable approach
would control costs while improving business
resilience and agility.

For more information contact
Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure
LinkedIn: http://ca.linkedin.com/in/markesbernard