Chemical Sector Cyber Security Program

Security Policy Solutions for compliance with the Chemical Sector Cyber Security Program

About the Cyber Security Program

The Chemical Information Technology Council (ChemITC)™ released their latest guidance on cyber security for the chemical industry in May 2006. The document, entitled Guidance for Addressing Cyber Security in the Chemical Sector, Version 3.0 evolved out of early work completed by the Chemical Industry Data Exchange (CIDX). The Chemical Sector Cyber Security Program aligns with the overall objectives of the Chemical Sector Cyber Security Strategy, which forms one of the critical infrastructure components of the National Strategy to Secure Cyberspace.

The new 3.0 guidance breaks cyber-security practice into sixteen separate topic domains, many of them based on the ISO 17799:2000 information security standard. The overall management system proposes a continuous approach to information security using the "Plan-Do-Check-Act" method of implementation. Written information security policies form the critical foundation for this approach, providing formal documentation for each step in the lifecycle as it relates to planning, building, deploying and auditing information security. To support this, the first section in the guidance document is entitled 5.3 Security Policy.

Information Shield Solutions

Information Security Policies Made Easy provides a complete set of pre-written information security policies and standards that cover each key security control area. According to the guidance: "Integration of a consistent policy management framework is essential. The policy management framework consists of people, roles, processes for identification, development and review, and communication and enforcement mechanisms." Specific benefits include:

  • Over 1300 pre-written security policies and standards ready to customize.
  • Complete information security policy coverage for all 16 key assessment areas.
  • Policies organized around the ISO 17799 standard for easy gap-analysis.
  • Policies and advice covering employee education and awareness.
  • Detailed implementation advice to create an effective security environment.
  • Policies targeted at different organizational roles (management, technical, end-user).
  • Policies organized for different risk environments, facilitating a control maturity model.

Information Security Roles and Responsibilities Made Easy provides expert guidance and templates for building an effective security organization. The good practice guidance for the chemical industry has clear requirements for defining and documenting information security roles and responsibilities. For example, Section 5.4.3 General Baseline Practices states that "Personnel are assigned responsibility for information and systems security [...] " and that "A company-wide security team (or organization) provides clear direction, commitment, and oversight."

Information Security Roles and Responsibilities Made Easy contains:
  • 40 pre-written job descriptions with detailed security requirements for each job function.
  • Pre-written organization charts that map security roles and reporting relationships.
  • Detailed implementation advice to create an effective security environment.
  • Advice on proper staffing and budgeting for security roles.
  • Standard practices that have been shown to be effective at over 125 organizations around the world.

For more information on using Information Shield solutions for your Chemical Sector Cyber Security Program, please contact us.

"Integration of a consistent policy management framework is essential. The policy management framework consists of people, roles, processes for identification, development and review, and communication and enforcement mechanisms."
- Section 5.3.1 Statement of Management Practice

"Senior leadership can emphasize a commitment to continuous improvement through published policies that are provided to employees, contractors and third-parties. The policies can be reviewed regularly to ensure they remain appropriate."
- Section 5.3.1 Statement of Management Practice

"An overall security team is responsible for both information and physical assets. In this hierarchical structure, security is under a single organization with separate teams responsible for physical and information systems."
- Section 5.4.4 How Chemical Companies Are Approaching Organizational Security