Information Security, Industry Control Systems security assessment

Project Description Scope: Preparing a security assessment that will combine 5 different security standards related to Information Security, Industry Control Systems, and the convergence between them to be presented into one excel checklist sheet that will be used to review compliance with an objective of evaluating and mitigating risks in various types of organizations, this includes creating policies, standard operating procedures in line with the start up company initiatives Standards Name of Standards: 1) Local Governing Authority (Standard pdf. Available, you are required to convert it to excel assessment sheet) List of Standards falling user the purview of Local Governing Authority. Will be provided by my end 2) NESA - National Electronic Security Authority (excel checklist available & I will be providing it) UAE-NESA 3) NIST - National Institute of Standards & Technology (NIST SP 800-53 R5 & NIST SP 800-82 R2 available, you are required to convert it to excel assessment sheet) 4) International Electrotechnical Commission (IEC-62443 series, you are required to convert it to excel assessment sheet, and provide the pdf. document for verification and ensure ) the IEC needs to be obtained by you. 5) ISO 27001 (excel checklist available & will be provided) combine the requirements of the above checklist with ISO checklist/ standards 27001:1 and 27001:2 All these standards needs to have the specific reference line, page, chapter etc Main Framework The checklist will start with ISO 27001 to evaluate the structure and framework of the respective organization a.27001:1 b.27001:2 Standards applicable for ICS only: a) IEC-62443 series b) NIST c) Local Government Authority Standard Standards applicable for both ICS & IS: ● NESA standard –UAE NESA Any other standard that can be compatible for both IS and ICS can be added Standard applicable for Information Security only: ● NESA Standard will be used for clients seeking Information Security compliance assessments Note: Recommendation of using another suitable ISO framework for the project can be discussed ex: 9001:2015 - NA All the compiled standards needs to have the ability to be filtered on the workbook directly based on the application above Policies: Creating company policies & procedures, SOPs in line of being ISO certified. ISO 27001 SOP’s: ● Company Standard Operating Procedure –Dedicated checklist for IT and IT & OT – with guidelines for Assessor and client in separate column ● Initial Assessment Procedure Assessing if the audit is applicable or not. Determining the type of the customers industry (IT or OT) Determining which standard is applicable (ICS merged or IS only) ● Assessment Process: (SOP)- 1- Providing excel sheet for client to fill out all applicable points with providing evidence and sharing it with assessor 2- The client submits the filled out excel to the assessor 3- Finally, the assessor checks the compliance level and ask for extra details if required 4- Provide feedback based on findings in customers’ existing set up 5- Provide compliance report and suggestions for enhancements Objective: Ensuring organizations comply with the standards and provide feedback for enhancements. Tasks & Expectations: 1) Ensuring that all processes, documentation and templates are compliant with the ISO standards with an objective of being ISO Certified. 2) Provide insight of IEC-62443 controls 3) Compiling all standards in one assessment on excel sheet 3a) Organizing the checklist to ensure best professional practice and sequence 3b) Adding a column to show references for each checkpoint 4) Creating required Policies & Procedures for respective roles. ( for the assessment and company) 5) Creating required Standard Operating Procedures (SOP) for respective roles. 6) Create Project Scoping templates 7) creating audit initial, in progress and final reports