�ݺ�ߣ

1
Question Functional Area Description
Do I have a building
control system
cybersecurity
program
(governance,
policies, roles &
responsibilities)?
Security Program
(Governance,
Policy, Roles)
Ensure that the security program has
support and sponsorship from senior
leadership.
Ensure that the security program includes
governance, policy, and role descriptions
for both OT and IT.

2
Are all the devices and
software that run my
building(s) accounted
for in an up-to-date
asset inventory
program?
System Asset
Inventory (Hardware
and Software)
A system asset inventory must be actively
managed to keep information up to date. This
applies to both hardware and software for all
components in the system. The information
included should be at a minimum of the following:
 Manufacturer
 Model name
 Model number
 Manufacturer support status (End of
Life)
 Operating system (OS)/firmware
manufacturer/version
 List of applications
manufacturer/version
 Location (building, floor, room
number)
 Network Address (e.g. IP)

3
Have I identified
critical building
systems and
performed risk
assessments?
Risk Assessment
with Identification
of Essential
Functions
Documentation that shows how, when, and
what was assessed. The risk assessment
results must also include a risk rating that
identifies critical systems and/or devices that
would affect the operations of the building.

4
Do I have a complete,
up-to-date list of
each service provider
that supports the
systems within my
buildings?
Service Provider
Management
Provide a list of service providers. With the
following information:
 Service provider name
 Service provider security contact
 Service scope
 Service provider’s responsibilities
 Service provider agreements
 List of authorized service provider
personnel

5
Who controls access
to my building
control networks
locally and remotely?
System/Network
Access Control
(remote and local)
Documents that outline how, who, and when
anyone connects to the BACS system and/or
network.
 Account names
 Account policies
 Roles
 Permissions
 Access methods (local/remote)

6
Are all building
control networks
documented?
Physical and
Logical Network
Architecture
Drawing
Actively managed drawings that include:
 How the networks are interconnected
 Description of systems and services on
the network
 Description of systems and services that
connect to the network
 Network management (devices,
software, and services)

7
Are all building
control systems,
including the devices
throughout the
building, accurately
and consistently
backed up?
System
Backup/Restore
BACS backup documentation identifies:
 Scope (what is being backed up)
 Frequency
 Method
 Storage (online/offline)
 Location (onsite/offsite)

8
Do I control physical
access to building
systems in my
facility?
Physical Access
Control
Documented physical access control
establishes guidelines for asset owner-
employees and service providers. At a
minimum, these guidelines identify:
 Who has access to what location/area
 Access methods (key checkout, card,
biometric, etc.)
 Enrollment Process
 Restrictions

9
Do I control access to
accounts used to
login to building
systems in my
facility?
System Account
Management
Processes for identifying users, adding and
removing accounts, assigning permissions,
and periodic review of accounts and
permissions. Include any additional policies
and procedures for privileged accounts
(e.g., administrator accounts)

10
Do you know how all
building systems
networks are
connected to each
other?
Network
Infrastructure
Management
Documented network infrastructure
management deals with the oversight of key
OT infrastructure elements that are required
to deliver building control and monitoring.
These can include networking components,
but the primary focus of network
infrastructure management also includes
physical components such as networking.

11
Do you have change
management for
building systems with
the appropriate level
of approval?
Change
Management
Documentation that describes the practices
designed to ensure successful prioritizing,
approval, scheduling, and execution of
changes to a BACS.
11

12
Is your As-built
documentation for
your building systems
kept up to date?
Updated As-builts
System
Documentation
As-built system documentation must reflect
the system as it is configured currently.
12

13
Do you periodically
verify that your
security measures are
configured correctly
and operational?
System Security
Verification
This documentation shows that the systems
have been commissioned/reviewed to
ensure that cybersecurity measures have
been implemented. This documentation
must also show ongoing reviews to ensure
that the implemented cybersecurity
measures have not been altered or removed.
13

14
Do you have an
incident response
and recovery plan for
your building systems
that include
cybersecurity
incidents, and do you
periodically test it?
Incident Response
and Recovery
Incident response or what happens when an
event occurs documentation must include:
 Roles & responsibilities
 Communication plan
 Incident prevention
 Monitoring
 Containment of an event
 Remediation processes
 Recovery & restoration processes
 Post-event analysis & forensics processes
14

15
Do you have building
system security
awareness and
training programs
that are appropriate
for each role?
Security
Awareness and
Skills Training
Security awareness and training
documentation must show:
 Areas of focus
 Expectations
 Frequency
 Active management to stay current on
cybersecurity trends
15

16
Do you have a
comprehensive
approach to
protecting data at
rest or in motion?
Data Protection Data protection policy and procedure
documentation that includes:
 Data classification
 Data protection (at rest or in motion)
 Data retention
 Data purging
16

�ݺ�ߣ

ARE YOU READY FOR A CYBER EVENT - ASK YOURSELF THESE QUESTIONS.pptx

More Related Content

ARE YOU READY FOR A CYBER EVENT - ASK YOURSELF THESE QUESTIONS.pptx