Speaker
Dr
Vasu Vuppala
(NSCL, MSU)
Description
Recent incidents have emphasized the importance of security and operational continuity for achieving the quality objectives of an organization, and the safety of its personnel and machines. However, security and disaster recovery are either completely ignored or given a low priority during the design and development of an accelerator control system, the underlying technologies, and the overlaid applications. This leads to an operational facility that is easy to breach, and difficult to recover. Retrofitting security into the control system becomes much more difficult during operations.
The Electronics Department at NSCL wanted to address security in a holistic manner, and decided to implement ISO/IEC 27001 Information Security standard. The ISO/IEC 27001 standard and the related code of practice (ISO 27002) cover a broad set of topics such as risk assessment, asset management, human resources, physical security, communication and operations, , application development and maintenance, access control, disaster recovery, security incident management, and legal and regulatory compliance.
In this paper we describe our experiences in implementing the ISO 27001 standard (we are not certified yet). We describe our risk assessment methodology, the identified risks, the selected controls, and their implementation. We also describe our documentation structure for the various policies, procedures, guidelines, and standards. We illustrate problems faced with securing low-level controls, infrastructure, and applications. We also illustrate how we are using this experience in the design of FRIB's (Facility for Rare Isotope Beam) global database.
Author
Dr
Vasu Vuppala
(NSCL, MSU)
Co-authors
Mr
Jay Kusler
(NSCL, MSU)
Dr
John Vincent
(NSCL, MSU)
Mr
Kelly Davidson
(NSCL, MSU)
