BACKGROUND
Generally described, computing devices can be utilized in a variety of contexts such as for exchanging information, facilitating communication between users, facilitating the operation and control of a wide variety devices and processes, and the like. In the context of a manufacturing or production environment, a computing network made up of a number of computing devices, including personal computing devices, server computing devices, programmable logic controllers (PLCs), or other networked devices. The computing network can be utilized in conjunction with a communication network, such as the Internet, to facilitate the operation and control of various devices/processes. For example, a networked PLC may be utilized to control the operation of physical manufacturing or processing equipment, such as controllers for valves, power supplies, pumps, machinery, etc. Similarly, a software application, or suite of software applications, may be hosted on a networked computing device (such as a server or personal computing device) to receive instructions regarding the operation of various equipment and transmit the appropriate respective instructions to the appropriate equipment (such as through a PLC).
A fault in one or more networked computing devices, such a fault in a computing device, can lead to the failure of associated equipment, loss of manufacturing/production time, property damage, and the like. Accordingly, manufacturing/production computing networks (including hardware and software aspects) can be designed with redundant components to avoid fault conditions during execution in a manufacturing/production environment. For example, a PLC may include a “fail safe” mode such that in the event of a fault, the outputs from the PLC mitigate potential damage to attached equipment or errant instructions that could cause additional faults/damage.
Generally described, the equipment in any physical location may be provided or maintained by a number of different entities, such as vendors, integrators, service providers, and the like. Each of the entities can have a different role in the installation, configuration, operation or maintenance of equipment. From the perspective of a facility owner or manager, each entity associated with the equipment should have appropriate certification of compliance with security, engineering best practices, or operational criteria based on their respective role in the process. From the perspective of the entities, role-based certification can allow for additional business opportunities or provide an opportunity to interact with other certified entities. For example, a certified integrator may only wish to utilize certified vendors.
BRIEF DESCRIPTION OF THE DRAWINGS
The present disclosure will now be described in detail below in connection with the following figures in which:
FIG. 1 is a block diagram of a certification environment including a certification authority and a number of vendors, integrators and service providers;
FIGS. 2A is block diagram of the certification system of FIG. 1 illustrating the generation of certification requirements responsive to a request from an entity;
FIG. 2B is a block diagram of the certification system of FIG. 1 illustrating the generation of a certification results responsive to a request from an entity;
FIGS. 3A and 3B are block diagrams illustrative of a data model for organizing certification requirements according to process areas, process area subgroups, and base practice objectives;
FIGS. 4A and 4B are flow diagrams illustrative of a certification scope generation routine implemented by a certification authority;
FIGS. 5A and 5B are flow diagrams illustrative of a certification requirements sub-routine implemented by a certification authority;
FIGS. 6A and 6B are flow diagrams illustrative of a certification scope generation routine implemented by a certification authority; and
FIG. 7 is a flow diagram illustrative of a process area requirements analysis sub-routine implemented by a certification authority.
DETAILED DESCRIPTION
This disclosure generally relates to the certification of entities based on satisfaction of certification requirements. More specifically, in one aspect, the present disclosure relates to systems and methods for generating a set of certification requirements based on a defined role and certification level for a requesting entity. A target set of certification requirements is organized according to a set of process areas that are applicable to one or more roles. Each process area is defined into a set of process area subgroups, which is further defined according to base practice objectives. Each base practice objective includes an identification of certification requirements. Each of the certification requirements may be applicable to a requesting entity based on the specified level of certification. For a defined role and certification level, an iterative process can be implemented to determine applicable process areas, process area subgroups, and business practice objectives. Based on the applicable process areas, process area subgroups and business practice objective, a set of applicable certification requirements can be determined.
In another aspect, an entity may request certification based on an evaluation of certification information submitted by the entity against a set of previously determined applicable certification requirements. Illustratively, the evaluation of the certification information can include a determination of how many certification requirements have been satisfied, how many certification requirements have not been satisfied but may be satisfied within a time window and how many certification requirements are determined to be not satisfied. The certification authority can utilize a variety of thresholds to determine whether certification is appropriate or what level of certification is appropriate.
Embodiments of the disclosure will now be described with reference to the accompanying figures, wherein like numerals refer to like elements throughout. The terminology used in the description presented herein is not intended to be interpreted in any limited or restrictive manner, simply because it is being utilized in conjunction with a detailed description of certain specific embodiments of the invention. Likewise, although the present application will be described with regard to specific examples, such as roles and process areas, such examples should not be construed as limiting. Accordingly, additional or alternative embodiments may be practiced in accordance with the present application. Furthermore, embodiments of the invention may include several novel features, no single one of which is solely responsible for its desirable attributes or which is essential to practicing the inventions herein described.
FIG. 1 is a block diagram of a certification environment 100 for illustration of various certification processes of the present application. The certification environment 100 includes a certification authority 102. In communication with the certification authority 102 are a number of entities that are capable of requesting certification. As illustrated in FIG. 1, the entities can be organized according to roles, such as vendors 104, integrators 106 and service providers 108. Although the certification authority 102, vendor 104, integrator 106 and service provider 108 as illustrated in FIG. 1 single components, one skilled in the relevant art will appreciate that the components may entitle a number of identifiable aspects including but not limited to one or more computing devices, networking equipment and personnel. Accordingly, the actions attributed to each of the components should not be limited to any particular type of action or specifically to a type of component.
In some embodiments, one or more aspects of the interaction of the components of the certification environment 100 may be implemented with the transmission or exchange of communications via a communication network, such as the Internet. In such embodiments, the components would utilize one or more computing devices or communication equipment to facilitate the illustrated interaction. In other embodiments, combination of interaction including manual implementation of one or more steps or processes may be implemented.
With continued reference to FIG. 1, the certification authority 102 may maintain, or otherwise be in communication with, a number of data stores for maintaining information associated with the determination of certification requirements by the certification authority or the maintenance of determined certification requirements for future analysis. In one embodiment, the certification authority may maintain a process areas requirement data store 110 maintains information related to the organization of a target set of certification requirements according to a set of defined process areas. In another embodiment, the certification authority 102 maintains a scoped requirements data store 112 for maintaining information related to a selection of certification requirements for one or more entities. Although the process areas requirement data store 110 and the scoped requirements data store 112 are illustrated as single data stores, one skilled in the relevant art will appreciate that data associated with the data stores may be maintained in various data stores or distributed over a computer network.
As previously discussed, in an illustrative embodiment, in one aspect, the certification authority 102 can generate a set of certification requirements from a target set of certification requirements. To generate the target set of certification requirements, the certification authority 102 can first determine which of the target certification requirements may be applicable to the requesting entity based on a designated role. Illustratively, the roles can include a vendor of equipment (e.g., a vendor), an integrator of one or more vendor equipment (e.g., an integrator), or a service provider that configures or maintains installed equipment (e.g., a service provider). A single entity may correspond to one or more roles.
Once the target set of certification requirements has been filtered based on specified role, the certification authority 102 can then select certification requirements base on a specified level of certification. In one embodiment, the levels of certification can be hierarchically arranged. For example, a three level hierarchy may have a first, second and third level (e.g., a bronze, silver and gold level) in which the first level defines the minimal set of certification requirements, the second level incorporates all the certification requirements of the first level plus additional certification requirements and the third level incorporates the certification requirements of the first and second levels plus further certification requirements. In another embodiment, the certification requirements from each of the levels may be defined such that none of the certification requirements overlap between levels. Although the present discussion is described with regard to a three-level hierarchy, one skilled in the relevant art will appreciate that more or less levels of certification requirements may be incorporated. An illustrated data organization model for the target set of certification requirements will be described with regard to FIGS. 3A and 3B.
With reference to FIGS. 2A and 2B, various interactions of the components of the certification environment 100 will be described. With reference to FIG. 2A, an illustrative interaction for the generation of a set of requirements responsive to a request will be illustrated. In the example illustrated in FIGS. 2A and 2B, the process will be illustrated with regard to requests from an integrator 106. However, the identification of an integrator 106 is only for illustrative purposes and other roles would be equally applicable. At (1), the integrator sends a certification request to the certification authority 102. Illustratively, the certification request will specify the role of the entity (e.g., an integrator) and a desired certification level.
At (2), the certification authority 102 processes the request and determines certification requirements for the requesting entity based on the role of the entity and the desired certification level. Illustrative flow diagrams for processing the certification request will be described with regard to FIGS. 4 and 5. At (3), the certification authority 102 stores the determined certification requirements, such as in the scope requirements data store 112.
At (4), the certification authority sends the determine certification requirements to the requesting entity, integrator 106. The certification authority can publish the certification requirements or utilize various transmission mediums and protocols to send the information. Additionally, the certification authority 102 can also send information utilized to collect certification information or explanatory information.
Turning to FIG. 2B, an illustrative interaction for the evaluation of a set of requirements responsive will be illustrated. At (1), the integrator (or other requesting entity) sends a certification evaluation request to the certification authority 102. Illustratively, the certification request will specify the set of requirements that were previously provided by the certification authority 102 or include the set of certification requirements provided by the certification authority 102.
At (2), the certification authority 102 recalls any previously stored information related to the certification requirements previously determined for the requesting entity. At (3), the certification authority 102 processes the request/transmission and determines whether the certification requirements for the requesting entity based on the role of the entity and the desired certification level have been satisfied. Illustrative flow diagrams for processing the certification request will be described with regard to FIGS. 6 and 7. Illustratively, the certification authority 102 can determine whether evidence of implementation, such as warrants that specific actions or configurations are in place, correspond to sufficient evidence of implementation. The certification authority 102 can also identify whether one or more requirements have not been satisfied but may be implemented in the future, as will be described later. Illustratively, the certification authority 102 can utilize a number of thresholds that can specify a maximum number of certification requirements that have not been met, a maximum number of certification requirements that will be implemented in the future or a minimum number of certification requirements that have been implemented to determine whether the requesting entity has satisfied the certification requirements.
At (4), the certification authority sends the determine certification to the requesting entity, integrator 106. The certification authority can publish the certification or utilize various transmission mediums and protocols to send the information. Additionally, the certification authority 102 can also send information utilized to collect certification information or explanatory information.
As previously described, the target set of certification requirements may be organized in a manner that allows the certification authority 102 to filter based on a designated role of the requester. In one embodiment, the organization of the target set of certification requirements corresponds to two or more process areas. With reference now to FIGS. 3A and 3B, an illustrative data model 300 for the set of target certification requirements will be described. With reference to FIG. 3A, the data model includes four process areas 302, 304, 306, and 308 that are selected based on specific functions or processes that may be controlled by the requesting entity. The first process area 302 corresponds to an organization process area and is applicable to every role. The second process area 304 corresponds to a system capabilities process area and corresponds to a vendor role. The third process area 306 corresponds to system acceptance testing and commissioning process area and corresponds to an integrator role. The fourth process area 308 corresponds to a maintenance and support process area and corresponds to a service provider role.
Each process area 302, 304, 306, 308 includes a grouping of process area subgroups 310, 312, 314, 316. The process area subgroups 310, 312, 314, 316 correspond to a further definition of the process area. With reference now to FIG. 3B, each process area subgroup, generically 352, is further defined by one or more process area subgroup are base practice objectives 354, 356 that are fulfilled to meet the definition of the process area subgroup. Each base practice objective 354, 356 then define one or more certification requirements 358, 360 that are to be met to satisfy the base practice objective. As illustrated in FIG. 3A, each of the certification requirements 358, 360 is associated with a certification level that allows the certification authority 102 to determine if the certification requirement is applicable to the requesting entity based on a designated certification level. By way of illustrative example, in a hierarchical certification level embodiment, an entity requesting a “bronze” level certification would only have to satisfy any certification requirements associated with the bronze level. However, an entity requesting a “gold” level certification would have to satisfy all certification requirements including all bronze, silver and gold levels. As illustrated in FIG. 3B, the certification requirements are associated with individual certification requirements under the base practice objectives 354, 356 but the base practice objectives (or other higher organizational components) are not associated with individual certification requirements.
Although the data model 300 has been described with illustrative four process areas, one skilled in the art will appreciate that additional or alternative process areas, process area subgroups, or base practice objectives may be incorporated by the certification authority 10. Appendix A includes an identification of process areas and process area subgroups in an illustrative embodiment. In other embodiments, the certification authority may implement a modified data model or alternative data models.
Turning now to FIGS. 4 and 5, illustrative routines 400, 500 for the generation of a set of certification requirements from a target set of certification requirements will be described. For illustrative purposes, routines 400, 500 will be described as being implemented generally by the certification authority 102 regardless of whether such implementation may involve multiple components associated with the certification authority. With reference to FIG. 4A, at block 402, the certification authority 102 obtains certification selection criteria. Illustratively, an entity, such as a potential vendor 104, integrator 106 or service provider 108, sends a certification request to the certification authority 102. Illustratively, the certification criteria included in the request will specify the role of the entity (e.g., a vendor) and a desired certification level (e.g. silver).
Upon receipt of the request, the certification authority 102 processes the request and determines certification requirements for the requesting entity based on the role of the entity and the desired certification level. In the embodiment illustrated in FIGS. 4A and 4B, the certification authority 102 can implement an iterative process to select appropriate certification requirements based on role and certification level. More specifically, at block 404, the certification authority 102 processes certification requirements for the organization process area 302 (FIG. 3A). As previously described, the organization process area may be applicable to all roles. An illustrative sub-routine 500 for processing the requirements according to a specific process area will be described with regard to FIGS. 5A and 5B.
At decision block 406, a test is conducted to determine whether the designated role corresponds to a vendor role 104. If the role of the requester is a vendor, the certification authority 102 will identify certification requirements for each component to be provided by the vendor. Accordingly, the certification authority 102 enters an iterative loop to select a next component at block 408 and process the certification requirements for systems capability process area 304 (FIG. 3A), which is applicable to for entities that are in a vendor role. Blocks 408 and 410 will repeat for multiple components.
At decision block 412, a test is conducted to determine whether the designated role corresponds to an integrator role 106. If the role of the requester is an integrator, the certification authority 102 will process the certification requirements for systems acceptance testing and commissioning process area 306 (FIG. 3A), which is applicable to for entities that are in an integrator role. In one embodiment, the integrator role may require the utilization of vendors that have been certified by the certification authority 102.
Turning now to FIG. 4B, at decision block 412, a test is conducted to determine whether the designated role corresponds to a service provider role 106. If the role of the requester is a service provider, the certification authority 102 will process the certification requirements for systems maintenance and support process area 308 (FIG. 3A), which is applicable to for entities that are in a service provider role. In one embodiment, the integrator role may require the utilization of vendors and integrators that have been certified by the certification authority 102. At block 420, the routine 400 terminates. Upon the termination of routine 400, the certification authority 102 may store the determined certification requirements, transmit the determined certification requirements, publish the determined certification requirements and the like.
With reference to FIGS. 5A and 5B, a sub-routine 500 for determining process areas requirements for a defined process area will be described. With reference to FIGS. 4A and 4B, sub-routine 500 may be implemented multiple times, such as at block 404, 410, 414 or 420. Illustratively, the certification authority 102 implements an iterative process of examining each process area subgroup for a specified process area. In turn, the certification authority 102 then examines each base practice objective for each of the identified process area subgroups. Still further, the certification authority 102 then examines each of the individual certification requirements for each identified base practice objective.
With reference to FIG. 5A, the certification authority 102 identifies the next process area subgroup for the defined process area at block 502. At block 504, the certification authority 102 selects the next base practice objective. At block 506, the certification authority 102 selects the next certification requirement for the current base practice objective.
At decision block 508, a test is conducted to determine whether the certification level associated with the current certification requirement meets or is less than the certification level specified in the request from the entity. For example, a specified desired level for silver certification would encompass all certification requirements associated with a bronze or silver level of certification. If the current certification requirement meets or is less than the certification level specified in the request, at block 510, the certification requirement is added to the certification scope (e.g., the set of required certification requirements). If not, the current certification requirement may be omitted.
At decision block 510, a test is conducted to determine whether additional certification requirements are identified for the specified base practice objective. If so, the sub-routine 500 returns to block 506 until all the requirements for the current base practice objective have been evaluated or alternatively until one requirement is determined not be required.
Turning to FIG. 5B, once all the certification requirements for the current base practice objective have been satisfied, at decision block 514, a test is conducted to determine whether additional base practice objective are defined for the current process area subgroup. If so, the sub-routine 500 returns to block 504 to process the next base practice objective for the current process area subgroup. Portions of sub-routine 500 then repeat until all the base practice objectives for the current process area subgroup have been evaluated.
At decision block 516, once all the base practice objectives for a current process area subgroup have been evaluated, a test is conducted to determine whether additional process area subgroups remain to be evaluated. If so, the sub-routine 500 returns to block 502 to process the next process area subgroup for the specified process area. Portions of sub-routine 500 then repeat until all the process area subgroups for the specified process area have been evaluated. Upon the completion of the evaluation all process area subgroups (and corresponding base practice objectives and certification requirements), the sub-routine 500 returns the identified certification requirements at block 518.
Turning now to FIGS. 6 and 7, illustrative routines 600, 700 for the evaluation of a set of certification requirements will be described. For illustrative purposes, routines 600, 700 will be described as being implemented generally by the certification authority 102 regardless of whether such implementation may involve multiple components associated with the certification authority. With reference to FIG. 6A, at block 602, the certification authority 102 obtains certification scoping information from the request entity. Illustratively, an entity, such as a potential vendor 104, integrator 106 or service provider 108, sends a certification request to the certification authority 102. Illustratively, the certification information include the identification of the set of certification requirements previously determined by the certification authority (FIGS. 4A and 4B) along with evidence of implementation. The evidence of implementation may vary according to specific certification requirements and will be generally referred to as warrants.
Similar to routine 400, upon receipt of the request, the certification authority 102 processes the request and determines certification compliance for the requesting entity based on the role of the entity and the desired certification level. In the embodiment illustrated in FIGS. 6A and 6B, the certification authority 102 can implement an iterative process to select appropriate certification requirements based on role and certification level. More specifically, at block 604, the certification authority 102 processes certification analysis for the organization process area 302 (FIG. 3A). As previously described, the organization process area may be applicable to all roles. An illustrative sub-routine 700 for processing the requirements according to a specific process area will be described with regard to FIG. 7.
At decision block 606, a test is conducted to determine whether the designated role corresponds to a vendor role 104. If the role of the requester is a vendor, the certification authority 102 will identify certification analysis for each component to be provided by the vendor. Accordingly, the certification authority 102 enters an iterative loop to select a next component at block 608 and process the certification requirements for systems capability process area 304 (FIG. 3A), which is applicable to for entities that are in a vendor role. Blocks 608 and 610 will repeat for multiple components.
At decision block 612, a test is conducted to determine whether the designated role corresponds to an integrator role 106. If the role of the requester is an integrator, the certification authority 102 will process the certification analysis for systems acceptance testing and commissioning process area 306 (FIG. 3A), which is applicable to for entities that are in an integrator role. In one embodiment, the integrator role may require the utilization of vendors that have been certified by the certification authority 102.
Turning now to FIG. 6, at decision block 612, a test is conducted to determine whether the designated role corresponds to a service provider role 106. If the role of the requester is a service provider, the certification authority 102 will process the certification analysis for systems maintenance and support process area 308 (FIG. 3A), which is applicable to for entities that are in a service provider role. In one embodiment, the integrator role may require the utilization of vendors and integrators that have been certified by the certification authority 102. At block 620, the routine 600 terminates. Upon the termination of routine 600, the certification authority 102 may store the determined certification, transmit the determined certification, publish the determined certification and the like. Illustratively, the determined certification can include a determination that certification is complete or incomplete.
With reference to FIG. 7, a sub-routine 700 for determining whether certification requirements for a defined process area will be described. Sub-routine 700 may be implemented multiple times, such as at block 604, 610, 614 or 620. Illustratively, the certification authority 102 implements an iterative process of examining each process area subgroup for a specified process area.
At block 702, the certification authority 102 identifies the next certification requirement for the defined process area. At block 704, the certification authority 102 obtains the warrant information corresponding to the information submitted by the requester that is purportedly evidentiary of satisfaction of the selected system requirement.
At decision block 706, a test is conducted to determine whether the certification requirement has been met. If so, the certification authority 102 designates the certification requirement as satisfied at block 708 and may increment a counter related to a number of certification requirements satisfied. In some embodiments, the certification authority 102 and requesting entity may have any number of supplemental interactions related to an establishment of whether the certification requirement has been implemented.
In some embodiments, the certification authority may allow some portion of the certification requirements to be designated as future implementations. For example, one or more certification requirements may not be able to be satisfied until a minimum number of sales or installations occur. In another example, the certification authority may allow the requester some time period to implement one or more certification requirements. Accordingly, in this embodiment, if at decision block 706 the certification requirement is not satisfied, at decision block 710, a test is conducted to determine whether the certification criteria is associated with time criteria that will allow the certification requirement to be implemented in the future. If so, at block 712, the certification authority 102 designates the certification requirement as a future implementation and may increment a counter related to a number of future implementations.
If the current requirement is not associated with time criteria, at block 714, the certification authority 102 designates the certification requirement as not satisfied and may increment a counter related to a number of failed certification requirements.
At decision block 716, a test is then conducted to determine whether additional certification requirements exist. If so, the sub-routine 700 returns to block 702 to select the next certification requirement. Alternatively, the sub-routine 700 returns the results at block 718.
As discussed with regard to FIG. 2B, once all the certification requirements have been evaluated, the certification authority 102 can utilize multiple threshold to determine whether certification is appropriate and at what level. In one example, the certification authority may utilize a threshold that indicates that maximum number of certification requirements that are designated as not satisfied or a list of certification requirements that must be satisfied. In another example, the certification authority may utilize a threshold that identifies a maximum number of future implementation. In another embodiment, the certification authority may also utilize weighing schemas in which certification requirements are associated with weights according to priorities or importance. In this embodiment, the analysis of the certification would include a determination of an overall score based on average weights of the individual certification requirements or a sum total of the weights of the satisfied certification requirements. Other analysis techniques may also be implemented.
While illustrative embodiments have been disclosed and discussed, one skilled in the relevant art will appreciate that additional or alternative embodiments may be implemented within the spirit and scope of the present disclosure. Additionally, although many embodiments have been indicated as illustrative, one skilled in the relevant art will appreciate that the illustrative embodiments do not need to be combined or implemented together. As such, some illustrative embodiments do not need to be utilized or implemented in accordance with the scope of variations to the present disclosure.
Conditional language, such as, among others, “can,” “could,” “might,” or “may,” unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.
Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art. It will further be appreciated that the data and/or components described above may be stored on a computer-readable medium and loaded into memory of the computing device using a drive mechanism associated with a computer-readable medium storing the computer executable components, such as a CD-ROM, DVD-ROM, or network interface. Further, the component and/or data can be included in a single device or distributed in any manner. Accordingly, general purpose computing devices may be configured to implement the processes, algorithms and methodology of the present disclosure with the processing and/or execution of the various data and/or components described above. Alternatively, some or all of the methods described herein may alternatively be embodied in specialized computer hardware. In addition, the components referred to herein may be implemented in hardware, software, firmware or a combination thereof.
It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure and protected by the following claims.
APPENDIX A
|
|
Process Area
|
Categories
PA
BP ID
Base Practice Objective
|
|
Organizational
PA01: Prepare
BP.01.01
Requirement recognition and
|
Process Areas
and Inform
enforcement
|
Personnel
BP.01.02
Ensure alignment
|
BP.01.03
Protect sensitive documentation
|
BP.01.04
Background checks
|
BP.01.05
Competent personnel
|
BP.01.06
Confidentiality and user
|
agreements
|
PA02: Designate
BP.02.01
Nominate the role
|
a Security
|
Contact
|
PA03: Specify
BP.03.01
Standards employed
|
Base Practices
BP.03.02
Security certificates
|
System Capability
PA04: Harden
BP.04.01
Document requirements
|
Process Areas
the System
BP.04.02
Manage 3rd party software
|
BP.04.03
Conduct 3rd party security
|
architecture reviews
|
BP.04.04
Declaration of trusted interfaces
|
BP.04.05
Strengthen Protocol
|
PA05: Protect
BP.05.01
Support anti-virus software
|
from Malicious
BP.05.02
Proper installation instructions
|
Code
BP.05.03
Virus-free equipment
|
PA06: Implement
BP.06.01
Policy documentation
|
Patch
BP.06.02
Patch qualification
|
Management
BP.06.03
Provide patch list
|
BP.06.04
Prompt patch notification
|
BP.06.05
Audit tools
|
BP.06.06
Patching documentation
|
PA07: Secure
BP.07.01
Multiple default passwords
|
Account
BP.07.02
Removable default accounts
|
Management
BP.07.03
Minimum password strength
|
BP.07.04
Password lifetimes and reuse
|
restrictions
|
BP.07.05
Persistence of special accounts
|
BP.07.06
Role-based access for network
|
devices
|
BP.07.07
Unified account management
|
BP.07.08
Maintain account logs
|
PA08: Support
BP.08.01
Backup documentation
|
Backup/Restore
BP.08.02
Backup process
|
PA09: Increase
BP.09.01
Security monitoring protocols
|
Network Visibility
BP.09.02
Management Information Base
|
PA10:
BP.10.01
Historian data collection
|
Standardize
BP.10.02
Data warehouses
|
Historian
BP.10.03
Log and event management
|
Interfaces
|
PA11: Verify
BP.11.01
Operator acknowledgement
|
Operations
BP.11.02
Automated Operations
|
PA12: Connect
BP.12.01
Approved standards
|
Wirelessly
BP.12.02
Configuration methods
|
PA13: Fortify SIS
BP.13.01
Configuration key switch
|
Connectivity
BP.13.02
Third-party assessment
|
BP.13.03
Communications integrity
|
BP.13.04
Layer 3 connections
|
BP.13.05
DCS communications
|
BP.13.06
SIS EWS
|
PA14: Provide
BP.14.01
Remote access applications
|
Remote Access
BP.14.02
Remote update applications
|
PA15: Protect
BP.15.01
Protect data at rest
|
Data
BP.15.02
Protect data in transit
|
BP.15.03
Encryption
|
System Acceptance
PA16: Manage
BP.16.01
Risk assessment
|
Testing &
the Deployment
BP.16.02
Inventory register
|
Commissioning
BP.16.03
Temporary account removal
|
Process Areas
BP.16.04
Network scan
|
BP.16.05
Relevant processes
|
BP.16.06
Timely notification
|
PA17: Harden
BP.17.01
Hardened system demonstration
|
the System
BP.17.02
Firewall use
|
PA18: Protect
BP.18.01
Quality definition files
|
from Malicious
BP.18.02
General anti-virus policy
|
Code
BP.18.03
Portable media procedure
|
BP.18.04
Anti-virus management
|
BP.18.05
Anti-virus demonstration
|
PA19: Implement
BP.19.01
Up-to-date systems
|
Patch
|
Management
|
PA20: Secure
BP.20.01
Individual accounts
|
Account
BP.20.02
Default passwords
|
Management
BP.20.03
Minimum password strength
|
BP.20.04
Password lifetimes and reuse
|
restrictions
|
BP.20.05
Persistence of special accounts
|
BP.20.06
Role-based access for network
|
devices
|
BP.20.07
Workstation session lock
|
PA21: Support
BP.21.01
Regular backups
|
Backup/Restore
BP.21.02
Backup demonstration
|
PA22: Implement
BP.22.01
Architecture drawings
|
the Architecture
BP.22.02
Network layer separation
|
BP.22.03
Time synchronization
|
PA23: Connect
BP.23.01
Service Set Identifier (SSID)
|
Wirelessly
BP.23.02
Wireless device maintenance
|
BP.23.03
Safeguarding functions
|
BP.23.04
Secure accounts
|
BP.23.05
Wireless workers and CSAD
|
BP.23.06
Architecture documentation
|
PA24: Provide
BP.24.01
Remote access documentation
|
Remote Access
BP.24.02
Connection approval and review
|
PA25: Protect
BP.25.01
Protect data at rest
|
Data
BP.25.02
Protect data in transit
|
BP.25.03
Encryption
|
BP.25.04
Encryption key management
|
BP.25.05
Digital certificate management
|
Maintenance &
PA26: Manage
BP.26.01
Risk assessment
|
Support Process
the Deployment
BP.26.02
Inventory register
|
Areas
BP.26.03
Temporary account removal
|
BP.26.04
Network scan
|
BP.26.05
Relevant processes
|
BP.26.06
Timely notification
|
PA27: Harden
BP.27.01
Harden system demonstration
|
the Systems
BP.27.02
Firewall use
|
PA28: Protect
BP.28.01
General anti-virus policy
|
from Malicious
BP.28.02
Portable media procedure
|
Code
BP.28.03
Anti-virus management
|
PA29: Implement
BP.29.01
Up-to-date systems
|
Patch
|
Management
|
PA30: Secure
BP.30.01
Individual accounts
|
Account
BP.30.02
Minimum password strength
|
Management
BP.30.03
Password lifetimes and reuse
|
restrictions
|
BP.30.04
Persistence of special accounts
|
BP.30.05
Role-based access for network
|
devices
|
BP.30.06
Workstation session lock
|
PA31: Support
BP.31.01
Regular backups
|
Backup/Restore
BP.31.02
Backup prior to change event
|
BP.31.03
Backup demonstration
|
PA32: Implement
BP.32.01
Architecture drawings
|
the Architecture
BP.32.02
Network layer separation
|
PA33: Connect
BP.33.01
Service set identifier (SSID)
|
Wirelessly
BP.33.02
Wireless device maintenance
|
BP.33.03
Safeguarding functions
|
BP.33.04
Secure accounts
|
BP.33.05
Wireless workers and CSAD
|
BP.33.06
Architecture documentation
|
PA34: Provide
BP.34.01
Remote access documentation
|
Remote Access
BP.34.02
Connection approval and review
|
PA35: Protect
BP.35.01
Protect data at rest
|
Data
BP.35.02
Protect data in transit
|
BP.35.03
Encryption
|
BP.35.04
Encryption key management
|
BP.35.05
Digital certificate management
|
|