Section P: Attachment 1 Supplier Cyber Security Risk Questionnaire

Oshkosh Corporation Classification: Unrestricted

Section P: Attachment 1 Revised: July 11, 2016

Page 1 of 17

Table of Contents

Supplier Cyber Security Risk Questionnaire .......... 3
Frequently Asked Questions (FAQ) .......... 9
Detailed Questionnaire Walkthrough .......... 10

Supplier Cyber Security Questionnaire

Intro:

Much of the information required for the day to day operation of Oshkosh Corporation could be extremely valuable in the hands of a competitor or a cyber security threat. As a valued supplier, you play an important role in protecting our information and networks from cyber security threats.

The Oshkosh Corporation Supplier Cyber Security Risk Questionnaire consists of approximately 21 questions designed to assess the maturity of your company’s cyber security practices. Each question has a yes/no and an open response component. Please complete all questions to the best of your ability. The yes/no questions are scored and are used to assign a Cyber Security Risk Score of high, medium, or low. The open response component of each question allows Oshkosh Corporation to better understand your cybersecurity posture and will be incorporated into the risk management process. Your Cyber Security Risk Score will be shown to you upon completion of the questionnaire.

The questionnaire is designed to automatically save your progress if you are interrupted or must close your browser. However, a printable version of the questionnaire is available in Section P of the Supplier Standards Guide (SSG) if you would prefer to first manually fill in your answers and then enter them online at a later time. All final submissions must be made through this online questionnaire.

About you:

Please provide:
• Contact Name
• Company Name
• Supplier Number

1. Does your company have cyber security policies, procedures, and standards based on industry standards (e.g. ISO 27000, NIST 800-53), and require that they be used to manage all IT devices and/or services (i.e. email, data storage, etc.) that process and/or store sensitive information received from a third-party company? (Yes / No)

1a. If yes, please provide an explanation of the scope and content of your cyber security policies, including any industry standards that they are based on. If no, please provide any additional information that you believe is relevant to this control.

2. Does your company encrypt, with a FIPS 140-2 certified encryption solution, sensitive information received from a third-party company during transmission between the owning third-party as well as other parties with whom that data is shared? (Yes / No)

2a. If yes, please provide an explanation of how sensitive information is encrypted in transmission. If no, please provide any additional information that you believe is relevant to this control.

3. Does your company encrypt, with a FIPS 140-2 certified encryption solution, sensitive information at rest received from a third-party company? (Yes / No)

3a. If yes, please provide an explanation of how sensitive information is encrypted at rest. If no, please provide any additional information that you believe is relevant to this control.

4. Are all devices that store or process a third-party company’s sensitive information protected from the Internet by a firewall? (Yes / No)

4a. If yes, please provide an explanation of how sensitive information is protected by firewalls or other perimeter defenses. If no, please provide any additional information that you believe is relevant to this control.

5. Does your company have employees or subcontracted staff dedicated to Information Technology? (Yes / No)

5a. If yes, please provide an explanation of your Information Technology staffing. If no, please provide any additional information that you believe is relevant to this control.

6. Does your company have employees or subcontracted staff dedicated to Cyber Security? (Yes / No)

6a. If yes, please provide an explanation of your Cyber Security staff. If no, please provide any additional information that you believe is relevant to this control.

7. Does your company have a cyber security user education and awareness program? (Yes / No)

7a. If yes, please provide an explanation of your cyber security user education and awareness program. If no, please provide any additional information that you believe is relevant to this control.

8. Does your company perform phishing email testing of its employees? (Yes / No)

8a. If yes, please provide an explanation of your phishing testing program. If no, please provide any additional information that you believe is relevant to this control.

9. Does your company perform (at least annually) cyber security audits by objective internal employees or external 3rd parties on IT systems/devices and IT services that store or process sensitive information? (Yes / No)

9a. If yes, please provide an explanation of how your company assesses the maturity of your cyber security program. If no, please provide any additional information that you believe is relevant to this control.

10. Do all devices that store or process sensitive information have, at minimum:

10.1 Commercially available antivirus with current signature files? (Yes / No)
10.2 A unique username and complex password to access the system? (Yes / No)
10.3 Access control that is configured on a least privilege model? (Yes / No)
10.4 All unnecessary ports and services disabled and limited functions (e.g. individual devices for file servers, mail servers, ftp servers, etc. vs. a single server performing many functions)? (Yes / No)
10.5 Vulnerability scanning performed at least monthly? (Yes / No)
10.6 Patches deployed for high risk operating system and third-party application vulnerabilities within industry best practices (i.e. 48 hours) and medium/low risk patches deployed in <= 30 days? (Yes / No)

10a. If yes, please provide an explanation of how you perform the above controls. If no, please provide any additional information that you believe is relevant to these controls.

11. Do all laptops that store or process sensitive information have, at a minimum:

11.1 Data-at-rest encryption? (Yes / No)
11.2 The ability to remotely track and wipe the device? (Yes / No)

11a. If yes, please provide an explanation of how you encrypt laptops and other portable devices and recover lost devices. If no, please provide any additional information that you believe is relevant to these controls.

12. Do all mobile devices (e.g. smartphones, tablets, etc.) that store sensitive information have, at minimum:

12.1 A centrally managed configuration management/device management system? (Yes / No)
12.2 An access control enforced (PIN, complex password, etc.)? (Yes / No)
12.3 The ability to be remotely wiped? (Yes / No)
12.4 Encryption by default? (Yes / No)

12a. If yes, please provide an explanation of how you perform the above controls. If no, please provide any additional information that you believe is relevant to these controls.

13. When your company must share sensitive information with its own suppliers, does your company require those suppliers to follow policies and procedures for cyber security based on industry standards (e.g. ISO 27000, NIST 800-53)? (Yes / No)

13a. If yes, please provide an explanation of how your company securely shares sensitive information with suppliers. If no, please provide any additional information that you believe is relevant to this control.

14. Does your company require 2-factor authentication for remote access? (Yes / No)

14a. If yes, please provide an explanation of how your company has implemented multifactor authentication for remote access. If no, please provide any additional information that you believe is relevant to this control.

15. Does your company require 2-factor authentication for privileged users (IT admins, database admins, etc.)? (Yes / No)

15a. If yes, please provide an explanation of how your company has implemented multifactor authentication for privileged users. If no, please provide any additional information that you believe is relevant to this control.

16. Does your company perform industry standard logging and monitoring on devices that store or process sensitive information? (Yes / No)

16a. If yes, please provide an explanation of how your company logs and monitors devices to detect intrusions. If no, please provide any additional information that you believe is relevant to this control.

17. Does your company control web access based on the risk of the sites being visited? (Yes / No)

17a. If yes, please provide an explanation of how your company controls access to high risk websites. If no, please provide any additional information that you believe is relevant to this control.

18. Does your company have the capability to detect and block malicious email prior to delivery to the end user? (Yes / No)

18a. If yes, please provide an explanation of how your company protects against malicious emails. If no, please provide any additional information that you believe is relevant to this control.

19. Does your company have tools and processes to mitigate Advanced Persistent Threat (APT) attacks? (Yes / No)

19a. If yes, please provide an explanation of any security controls which are capable of mitigating advanced attacks. If no, please provide any additional information that you believe is relevant to this control.

20. Has your company signed the Controlled Unclassified Information (CUI) Supplier Acknowledgement Letter? (Yes / No)

21. Does your company receive, store, or process Controlled Unclassified Information (CUI) from Oshkosh Corporation? (Yes / No)

22. Does your company have policies and procedures in place for handling and protecting Oshkosh Corporation CUI in accordance with the flow down requirements of DFARS 252.204-7012, which mandates compliance with NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations? (Yes / No)

22a. If yes, please provide an explanation of the controls your company has in place to handle and protect Oshkosh Corporation CUI in accordance with the referenced requirements. If no, please provide any additional information that you believe is relevant to this control.

Complete

Thank you for your time in filling out the Oshkosh Corporation Supplier Cyber Security Risk Questionnaire. As a valued supplier, you play an important role in protecting our information and networks from cyber security threats. Your score can be found below. If you have questions regarding this questionnaire, please refer to the Frequently Asked Questions (FAQ) document in section P of the SSG. The FAQ contains a walkthrough of each question and provides a starting point for how you can improve your Supplier Cyber Security Risk score.

Frequently Asked Questions (FAQ)

Q1: Why is my company being asked to fill out the Cyber Security Questionnaire?

Companies rely on suppliers to be successful in delivering products and services to customers. Cybersecurity threats are real and a reliable avenue to compromise sensitive information. Companies are being targeted for the sensitive intellectual capital they possess. As companies like Oshkosh Corporation have enhanced their cybersecurity defenses, threats have expanded across the entire supply base. Suppliers vary in their capabilities to address these threats and protect sensitive program information. It is imperative to engage proactively with suppliers to better understand their level of cybersecurity maturity, build awareness, and reduce risk. This engagement is designed to help suppliers mature in cybersecurity. It is also intended to help program and capture team members understand how to better manage program risk and lower costs. The cybersecurity questionnaire provides leading indicators of a supplier’s cybersecurity maturity. It is an indicator of a supplier’s ability to protect sensitive information shared with the supplier. A supplier’s answers are one criterion in guiding companies to manage overall risk.

Q2: Will filling out the Cyber Security Questionnaire make me a preferred supplier?

The cybersecurity questionnaire provides one input to manage risk. A supplier’s increased cybersecurity maturity directly correlates with its ability to secure sensitive information, engenders confidence, and can create competitive advantage. Those suppliers with a lower cybersecurity maturity raise questions, require more risk mitigation, and possibly drive increased costs.

Q3: How will my answers to the Cyber Security Questionnaire be used?

The answers to the cybersecurity questionnaire provide leading indicators of cybersecurity maturity. The Supplier Cybersecurity indicators are one criterion in guiding companies to manage overall risk. They are an indicator of a supplier’s ability to protect sensitive information, and a “No” response could indicate a risk to a supplier’s ability to protect sensitive information.

Q4: What will happen if I make investments to improve my cyber security maturity?

A supplier that focuses resources on improving its cybersecurity maturity can be better prepared to meet cybersecurity threats. A supplier’s increased cybersecurity maturity directly correlates with its ability to secure sensitive information, engenders confidence, and can create competitive advantage.

Q5: Do you have any recommendations for an approved system?

Please see the page entitled “How to improve Cybersecurity maturity”.

Q6: How does this questionnaire affect contracts?

This survey does not affect contracts. It does not constitute a change to any contracts and shall not serve as the basis for any claim against contracts. Completing the survey does not relieve your company from compliance with any term of contracts.

Q7: Will money be provided to the supplier to pay for cyber security protection improvements?

No. Cybersecurity protections are not chargeable to contracts.

Q8: How do I find my supplier number?

1) Log into OSN at https://osn.oshkoshcorp.com and select one of the following roles, depending on system access: ISP_OSHCorp_Supplier OR Supplier
2) Navigate to the “Admin” tab and locate “Supplier Number” under “Organization Name”

Q9: Can we have additional information and guidance on the specific cyber security questions?

There are many resources that can help a supplier set up a cyber security risk management program. Some useful resources are found below:

• SANS (SysAdmin, Audit, Network, Security) Institute
  o www.SANS.org
• OWASP (Open Web Application Security Project)
  o www.owasp.org
• NIST (National Institute of Standards and Technology) – Computer Security Division
  o http://csrc.nist.gov/
• ISO (International Organization for Standardization)
  o http://www.iso.org/iso/
  o search ISO 27001 and 27002

Detailed Questionnaire Walkthrough

1. Does your company have cyber security policies, procedures, and standards based on industry standards (e.g. ISO 27000, NIST 800-53), and require that they be used to manage all IT devices and/or services (i.e. email, data storage, etc.) that process and/or store sensitive information received from a third-party company?

The cyber security threat of adversaries stealing information is real, and sensitive information must be protected. Creating a cyber security risk management program to protect this sensitive information is important whether a supplier manages its own IT services or outsources them. A cyber security risk management program should be set up in such a way that if a person outside your company performed a cyber security assessment, they would be able to say that you were exercising due diligence in securing sensitive information. ISO and NIST are recognized standards organizations and provide a good foundation for policy development; other sources such as COBIT, COSO, PCI, and BITS Shared Assessments can also be used to help guide a cyber security risk management program.

• NIST Cybersecurity Framework
  o http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  o Created through collaboration between industry and government, the Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

• NIST 800-53
  o http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updatederrata_05-01-2010.pdf
  o The National Institute of Standards and Technology (NIST) provides many valuable industry resources. Included in those resources are guides to information or cyber security. Resources include cyber planning, information security standards and other related materials. To leverage the cyber security planner for small businesses, consult the NIST website, located at http://www.fcc.gov/cyberplanner.

2. Does your company encrypt, with a FIPS 140-2 certified encryption solution, sensitive information received from a third-party company during transmission between the owning third-party as well as other parties with whom that data is shared?

Communications Encryption

To protect all of the information that is being sent from one computer to another using the internet, a standard practice is to encrypt all of the communication between the two parties. A company can store the sensitive data on a server and protect the communication of that data by purchasing an encryption certificate from a well-known vendor such as VeriSign, Symantec, Thawte, or others, then applying that certificate to the server’s network communications. Any parties that need to access the sensitive data, either through e-mail or web communications, would provide authentication information and a valid key response (certificate) for mutual authentication.

Email Encryption

E-mail traffic encryption can be configured by use of TLS (Transport Layer Security) encryption settings within the e-mail server software. E-mail servers can be configured to use TLS over SMTP (Simple Mail Transport Protocol) and TLS over POP (Post Office Protocol) to provide protection of information being sent through e-mail.

File Transfer Encryption

File transfer solutions can be used to securely transmit files between employees, suppliers, business partners, etc. Potential solutions include SFTP solutions, box.com, sharefile.com, hightail.com, and many more. The important thing to keep in mind for any of these solutions is that files are encrypted during transmission.

3. Does your company encrypt, with a FIPS 140-2 certified encryption solution, sensitive information at rest received from a third-party company?

Disk Encryption

Sensitive data can be protected by encrypting the entire hard disk or removable media. Full disk encryption solutions are transparent to the user, but if a laptop is lost or stolen, sensitive data is fully encrypted and at very low risk of being accessed. Many solutions exist for implementing full disk encryption. Most notably, Microsoft Windows has native functionality (BitLocker) that provides full disk encryption. Other solutions are available from McAfee, Symantec, etc.

File Encryption

File encryption uses an encryption product to scramble or encrypt an individual document or set of documents, which prevents anyone who might intercept the information from being able to read it. Examples of encryption products include PGP, WinZip, Secure Zip, 7ZIP or other similar products. The sensitive document or documents would be compressed into a single password protected file. It is recommended that the strongest encryption available through the product be utilized: if the product is capable of compressing and encrypting the documents using AES-256-bit encryption, that should be preferred over a 128-bit encryption algorithm. A complex password for the encrypted document or documents could then be given to the receiving party in a phone call.

4. Are all devices that store or process a third-party company’s sensitive information protected from the Internet by a firewall?

Sensitive information stored or processed on a device that is not protected from the Internet by a firewall is considered by many industry standards to be at high risk of compromise.

Firewall technology is available from a variety of well-known vendors including:

• Cisco
  o http://www.cisco.com
• Checkpoint
  o www.checkpoint.com/
• SonicWall/Dell
  o http://www.dell.com
• Barracuda Networks
  o https://www.barracudanetworks.com

Firewalls from most vendors are delivered with a very restrictive firewall policy. Either trained employees or reputable consultants should configure the firewall to ensure security as well as availability to meet business needs.

5. Does your company have employees or subcontracted staff dedicated to Information Technology?

It is understood that Information Technology (IT) is not the core business of many suppliers, but IT is a fundamental component of the competitive advantage of many companies and needs to be focused on. There is a concern that if a supplier does not devote focused resources to IT then that function will not be as efficient in maintaining system and network integrity. Staffing companies can provide short term IT contractors to help supplement your current IT staff and allow for the design and deployment of cyber security protection measures. Additionally, consulting firms can work with your organization to help provide needed information security professionals.

6. Does your company have employees or subcontracted staff dedicated to Cyber Security?

Protection of sensitive information in IT systems is critically important. A supplier that does not have dedicated cyber security staff is raising risk to its information and that of its customers. A lack of cyber security staff prevents the development of a cyber security risk management program, which adds value to a supplier’s offerings. Cyber security plans can include, but are not limited to, a documented security plan, a cyber security awareness program, a patching plan, and an audit program.

7. Does your company have a cyber security user education and awareness program?

Educating a supplier’s employees on cyber security principles is important. Cyber security education and awareness programs help employees understand the cyber threats that could be levied against them, so that they are in a better position to protect sensitive information.

Various organizations provide free, informative material for educating employees about dangerous online behaviors. These materials can be used as part of a program to educate staff about safe web browsing, safe email use, and resisting social engineering attempts. Some of the resources are located at:

• SANS Securing the Human
  o http://securingthehuman.sans.org/
• DHS Cyber security resources
  o http://www.dhs.gov/topic/cybersecurity
• National Cyber Security Alliance
  o http://www.staysafeonline.org/business-safe-online/
• Microsoft Internet Safety for Enterprise & Organizations toolkit
  o http://www.microsoft.com/en-us/download/details.aspx?id=10484#overview
• Sophos IT Security
  o http://www.sophos.com/en-us/security-news-trends/it-security-dos-and-donts.aspx
• Symantec
  o http://www.symantec.com/theme.jsp?themeid=small-and-medium-business-information-center

8. Does your company perform phishing email testing of its employees?

Phishing e-mail testing is one method to assess and educate a company’s user community about malicious e-mail and their ability to defend against it. The company cyber security staff sends suspicious (yet harmless) test emails to employees to see if they will respond in a proper and safe manner. Follow-up training is often provided to employees as warranted. Continual use of the technology is often required to maintain training effectiveness. There are a variety of methods of executing this type of awareness testing and evaluation. While a third party can be utilized to automate this type of testing, phishing tests can be self-administered by IT staff sending the messages and following up with training.

9. Does your company perform (at least annually) cybersecurity audits by objective internal employees or external 3rd parties on IT systems/devices and IT services that store or process sensitive information?

Cybersecurity audits of objective evidence are an industry accepted practice to ensure that sensitive information is being properly protected and a company’s IT infrastructure is well maintained. Both external and internal auditing provide possible methods to ensure consistent application of information security controls. A variety of organizations provide IT security auditing services and can be located through professional Information Security organizations such as ISACA or by contacting a professional auditing organization such as Ernst & Young, KPMG, Deloitte or PricewaterhouseCoopers.

Cybersecurity audits can be performed by internal staff that is knowledgeable in audit practices. It is not always necessary to engage external IT auditors as long as:

• The individuals selected to perform the audit are able to assess from an objective standpoint
• Security policy and audit objectives have been previously established
• A repository for audit artifacts has been established with security controls that prevent tampering
• A process for remediation of audit findings or a process for risk assumption has been agreed upon with management

Various organizations provide templates for performing cyber security audits. Templates can be obtained from such organizations as:

• www.nist.gov
• www.sans.org
• www.ISC2.org

10. Do all devices that store or process sensitive information have, at minimum:

10.1 Commercially available antivirus with current signature files?
10.2 A unique username and complex password to access the system?
10.3 Access control that is configured on a least privilege model?
10.4 All unnecessary ports and services disabled and limited functions (e.g. individual devices for file servers, mail servers, ftp servers, etc. vs. a single server performing many functions)?

10.1

Malware and viruses are a common cyber threat. Antivirus software can help keep a company’s systems clean. Commercially available antivirus tools often have more features and are better maintained than free versions. Commercially available antivirus tools include, but are not limited to:

• Malwarebytes Antivirus & Antiexploit
• McAfee
• Symantec

Continued protection from viruses and other malware depends on:

• Regular updates to the anti-virus product itself, often called the engine.
• Regular updates to anti-virus signatures or DAT files.

10.2

Having a unique username and complex password to access devices that store sensitive information is an industry accepted practice. A complex password contains a minimum of 8 characters and contains 3 of the following 4 characteristics:

1. Uppercase characters (A through Z)
2. Lowercase characters (a through z)
3. Numbers (0 through 9)
4. Special characters (Examples: !, $, #, %)

10.3

Limiting sensitive information access to only those people that really need that information is an industry accepted practice. Information about this concept and the concept of separation of duties can be found at:

• http://en.wikipedia.org/wiki/Principle_of_least_privilege

Implementation of least privilege within a Microsoft Windows environment relies on the use of auditable processes and procedures to:

1. Identify individuals who require system access
2. Identify the responsibilities that a given individual has as part of their job duties (system use, system maintenance, system security)
3. Assign role categories to different sets of responsibilities (user, administrator, backup operator)
4. Identify the levels of system access required to perform or execute responsibilities that meet business needs
5. Assign individuals to roles that would permit the execution of duties associated with system operation
6. Validate requirements for system access on a repeating periodic basis.

10.4

Allowing only needed ports and services to be running on a device is an industry accepted practice and will help minimize risk. Even in cloud, virtualized, and shared environments, devices or instances of devices can be limited to only needed functions based on the risk to sensitive information. It is important to understand the services that are needed for a given computing system.

Examples of un-needed services:

• A Windows server that is only used as a file server, database server or web server does not need the Windows Audio Service
• A Windows system that is connected to an Ethernet based network and does not fax documents does not need the faxing service.
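A small baseline check that encodes the 10.2 complex password definition (minimum 8 characters, 3 of 4 character classes) and the 10.4 "only needed services" rule, as an added example that is not part of the questionnaire or its walkthrough. The role baselines, Windows service names and account records are assumed for illustration; a supplier would substitute its own build standard.

```python
import re
from dataclasses import dataclass, field

# 10.2 as defined in the walkthrough: at least 8 characters and at least
# 3 of the 4 character classes (uppercase, lowercase, number, special).
MIN_LENGTH = 8
REQUIRED_CLASSES = 3
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_classes(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)}


def is_complex_password(password: str) -> bool:
    """True when the password satisfies the 10.2 complexity definition."""
    return (len(password) >= MIN_LENGTH
            and len(password_classes(password)) >= REQUIRED_CLASSES)


# 10.4: the services a device legitimately needs depend on its role. These
# role baselines and Windows service names are ASSUMED for illustration; a
# real baseline comes from the supplier's own build standard.
ROLE_BASELINES = {
    "file_server": {"LanmanServer", "EventLog", "WinDefend", "wuauserv"},
    "web_server": {"W3SVC", "EventLog", "WinDefend", "wuauserv"},
}


def unneeded_services(role: str, running: set) -> set:
    """Running services that the device's role baseline does not require."""
    return set(running) - ROLE_BASELINES[role]


@dataclass
class DeviceFinding:
    hostname: str
    extra_services: set = field(default_factory=set)
    weak_accounts: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.extra_services and not self.weak_accounts


def check_device(hostname: str, role: str, running: set,
                 candidate_passwords: dict) -> DeviceFinding:
    """Evaluate one device against the 10.2 and 10.4 minimums.

    candidate_passwords maps account name -> password being SET on the device;
    the check runs at provisioning time, since stored passwords must never be
    readable back.
    """
    weak = [acct for acct, pw in candidate_passwords.items()
            if not is_complex_password(pw)]
    return DeviceFinding(hostname, unneeded_services(role, running), weak)


if __name__ == "__main__":
    # Constructed sample device: a file server also running audio and fax.
    finding = check_device("fs01", "file_server",
                           {"LanmanServer", "EventLog", "Audiosrv", "Fax"},
                           {"backupop": "Backup-Op-77", "svc": "letmein"})
    print(finding, "compliant:", finding.compliant)
```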


Vulnerability scanning performed at least monthly?

Patches deployed for high risk operating system and third-party application vulnerabilities within industry best practices (i.e. 48 hours) and medium/low risk patches deployed in <= 30 days?

11 Do all laptops that store or process sensitive information have, at a minimum:

Data-at-rest encryption?

The ability to remotely track and wipe the device?

12 Do all mobile devices (e.g. smartphones, tablets, etc.) that store sensitive information have, at minimum:

A centrally managed configuration management/device management system?

11.1 Sensitive information must be protected. Encrypting sensitive information on a laptop is often a good way to lower the risk of the information being compromised. Encrypting the entire hard drive (Full Disk Encryption) or targeted file encryption are both industry accepted practices. Tools such as Microsoft BitLocker, McAfee Endpoint Encryption, and Symantec Endpoint Encryption can be used to encrypt sensitive data on a disk.

11.2 Tools such as Computrace and LoJack for Laptops allow IT organizations to track, lock, wipe, and recover lost or stolen devices. The primary concern should be whether or not the data is encrypted, but being able to wipe or recover the device is an important control.

12.1

Central management of mobile devices often helps companies be more efficient and provide more security than non-centrally managed mobile devices. There are several Mobile Device Management or MDM products on the market today in response to the need. Here are a sample of some of the MDM product vendors:

• Microsoft Intune
• MobileIron
• AirWatch
• MaaS360
• IBM

Note: (If you do not have mobile devices or your mobile devices do not have sensitive information from a third party company on them then answer "Yes" to this question)

10.5 Vulnerability scanning and remediation of the vulnerabilities it finds is an industry accepted practice to help maintain a company’s devices and infrastructure. The most important function of vulnerability scanning is to prioritize which patches and fixes should be deployed first in the environment. If possible, systems should be set to patch automatically or to distribute patches as soon as possible to minimize the number of vulnerabilities in the environment.

Options for selecting products or solutions can include commercial or free sources. Free sources can be freeware or open source. It is important to research and understand the licensing requirements applicable to each category of software.

10.6 Patch management is an industry accepted practice that helps keep a company’s devices and infrastructure well maintained. Microsoft and other vendors provide patches that can either be downloaded directly from the vendor’s website or be downloaded to a central patching server and distributed to individual computer systems. If possible, applications and operating systems should be configured to automatically download and install patches to ensure timely patching. Internet browsers (Internet Explorer, Chrome, Firefox, etc.) and highly vulnerable applications (Adobe, Java, etc.) are of special concern and should be patched immediately.
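Questions 10.5 and 10.6 come down to one operational loop: take the scanner's findings, attach the remediation window the questionnaire names (48 hours for high risk, 30 days for medium and low), and work the list in deadline order. The following is an added example, not part of the questionnaire, that applies those windows to a constructed set of scan findings (hostnames, finding titles and dates are made up) and reports which items are open, overdue or closed.

```python
from datetime import datetime, timedelta

# Remediation windows as stated in the questionnaire.
SLA_BY_SEVERITY = {
    "high": timedelta(hours=48),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}


def sla_deadline(severity: str, detected_at: datetime) -> datetime:
    """Deadline by which a finding of this severity must be patched."""
    return detected_at + SLA_BY_SEVERITY[severity.lower()]


def prioritize(findings: list, now: datetime) -> list:
    """Return the findings annotated with deadline and status, most urgent first.

    Each finding is a dict with 'host', 'title', 'severity', 'detected_at'
    (datetime) and an optional 'patched_at'. Status is 'closed' or
    'closed-late' when patched, otherwise 'overdue' once the deadline has
    passed and 'open' until then.
    """
    rows = []
    for f in findings:
        deadline = sla_deadline(f["severity"], f["detected_at"])
        if f.get("patched_at") is not None:
            status = "closed" if f["patched_at"] <= deadline else "closed-late"
        elif now > deadline:
            status = "overdue"
        else:
            status = "open"
        rows.append({**f, "deadline": deadline, "status": status})
    # Unresolved items first, then the soonest deadline first.
    rows.sort(key=lambda r: (r["status"].startswith("closed"), r["deadline"]))
    return rows


def overdue_hosts(findings: list, now: datetime) -> list:
    """Hosts that still carry at least one finding past its deadline."""
    return sorted({r["host"] for r in prioritize(findings, now)
                   if r["status"] == "overdue"})


# Constructed sample scan output; none of these are real systems or findings.
SAMPLE_FINDINGS = [
    {"host": "fs01", "title": "OS kernel privilege escalation", "severity": "high",
     "detected_at": datetime(2016, 7, 1, 9, 0)},
    {"host": "web01", "title": "Browser remote code execution", "severity": "high",
     "detected_at": datetime(2016, 7, 10, 9, 0),
     "patched_at": datetime(2016, 7, 11, 8, 0)},
    {"host": "db01", "title": "Java runtime outdated", "severity": "medium",
     "detected_at": datetime(2016, 6, 1, 9, 0)},
    {"host": "ws17", "title": "Information disclosure", "severity": "low",
     "detected_at": datetime(2016, 7, 5, 9, 0)},
]
NOW = datetime(2016, 7, 11, 12, 0)

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, NOW):
        print(f"{r['status']:12} {r['severity']:6} {r['host']:6} "
              f"due {r['deadline']:%Y-%m-%d %H:%M}  {r['title']}")
    print("overdue hosts:", overdue_hosts(SAMPLE_FINDINGS, NOW))
```

Sorting by deadline rather than by severity alone is deliberate: a medium-risk finding that has sat for five weeks is further outside policy than a high-risk one found yesterday, and the report should say so.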


An access control enforced (PIN, complex password, etc.)?

The ability to be remotely wiped?

Encryption by default?

When your company must share sensitive information, does your company require those suppliers to follow policies and procedures for cyber security based on industry standards (e.g. ISO 27000, NIST 800-53)?

12.4 Sensitive data must be protected. Mobile devices are frequently lost or stolen, which may leave sensitive data at risk. In many cases, setting a password, passphrase, or PIN automatically encrypts the device (e.g. Apple devices are automatically encrypted once a password is enabled).

12.2 Access control to a device that contains sensitive information is an industry accepted practice. Access control can take the form of a PIN, a complex password, a fingerprint scanner, etc.

Note: (If you do not have mobile devices or your mobile devices do not have sensitive information from a third party company on them then answer "Yes" to this question).

12.3

Mobile devices are sometimes lost or stolen. The ability to delete sensitive information from the device is one way to reduce risk. MDM products as mentioned above have the ability to remotely wipe the device or at least a container on the device that would contain sensitive information. However, many phone manufacturers (Apple, Android, etc.) have this ability built into the phone’s operating system and this control can be achieved by ensuring that this is turned on in mobile devices that contain sensitive information.

Note: (If you do not have mobile devices or your mobile devices do not have sensitive information from a third party company on them then answer "Yes" to this question)

13

The cyber security threat of adversaries stealing information is real, and sensitive information must be protected. Creating a cyber security risk management program to protect this sensitive information is important whether a supplier manages their own IT services or outsources them. A cyber security risk management program should be set up in such a way that if a person outside your company performed a cyber security assessment, they would be able to say that you were exercising due diligence in securing sensitive information. ISO and NIST are recognized standards organizations and provide a good foundation for policy development; other sources such as CoBIT, COSO, PCI, and BITS Shared Assessments can also be used to help guide a cyber security risk management program.

• NIST Cybersecurity Framework
  o http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  o Created through collaboration between industry and government, the Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
• NIST 800-53
  o http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updatederrata_05-01-2010.pdf
  o The National Institute of Standards and Technology (NIST) provides many valuable industry resources. Included in those resources are guides to information or cyber security. Resources include cyber planning, information security standards and other related materials. To leverage the cyber security planner for small businesses, consult the NIST website, located at http://www.fcc.gov/cyberplanner.


Does your company require 2-factor authentication for remote access?

Does your company require 2-factor authentication for privileged users (IT admins, database admins, etc.)?

Does your company perform industry standard logging and monitoring on devices that store or process sensitive information?

Does your company control web access based on the risk of the sites being visited?

14

Using 2-factor authentication when starting a remote access session to a company’s information technology environment is an industry accepted practice.

Two factor authentication means having something you know (i.e. a password) and having something additional in your possession (i.e. a token, phone, etc.). Some examples include:

• One Time Password Devices
• Common Access Card
• Soft Tokens

There are also solutions that use mobile (cell) phone devices to deliver One Time Passwords that are used in conjunction with a user’s password as a second factor of authentication.

Microsoft, Google Authenticator, Symantec VIP, Indentropy, DigiPass and RSA are a few of the companies and products that provide stronger authentication than just a user ID and password.

15 In addition to remote users, users with elevated permissions (IT admins, database admins, application administrators, computer services, etc.) in the IT environment pose a greater risk. Because of the greater permissions available to these people, their accounts can be much more dangerous if compromised by an attacker. 2-factor authentication is a mitigation for this risk, requiring a second form of authentication (physical one time password token, soft token, mobile phone, etc.).

17

Monitoring and controlling the flow of information and traffic in and out of a company’s infrastructure is an industry accepted practice and can help protect sensitive information. Web filters can be configured to protect employees from accessing dangerous or malicious content.

Products like Bluecoat, Panda Security’s GateDefender, and Barracuda Network’s Web Filter appliance provide additional web access security to enterprise and SMB customers.

• Bluecoat
  o http://www.bluecoat.com
• Forcepoint/Websense
  o https://www.forcepoint.com/product/web-filtering/websense-web-filter-security
• Panda Security
  o http://www.pandasecurity.com
• Barracuda Networks
  o https://www.barracudanetworks.com/

16

Logging and monitoring a company’s devices and infrastructure is a good way to maintain and secure a company’s IT environment. It also helps protect sensitive information. ISO and NIST provide good guidelines on how to implement an industry accepted logging and monitoring program. There are a variety of companies and organizations that provide applications capable of storing, or storing and evaluating, event logs:

• Splunk
  o http://www.splunk.com/download?r=header
• IBM QRadar
  o http://www-03.ibm.com/software/products/en/qradar-siem
• AlienVault
  o https://www.alienvault.com/solutions/siem-log-management
• LogRhythm
  o http://LogRhythm.com
• McAfee Enterprise Security Manager
  o http://www.McAfee.com


Does your company have the capability to detect and block malicious email prior to delivery to the end user?

Does your company have tools and process to mitigate Advanced Persistent Threat (APT) attacks?

Has your company signed the Controlled Unclassified Information (CUI) Supplier Acknowledgement Letter?

21 Does your company receive, store, or process Controlled Unclassified Information (CUI) from Oshkosh Corporation?

If yes, does your company have policies and procedures in place for handling and protecting Oshkosh Corporation CUI in accordance with the flow down requirements of DFARS 252.204-7012, which mandates compliance with NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations?

18

Malicious e-mail is a common cyber threat in today’s environment. Detecting and blocking these malicious e-mails before they are delivered to a company’s users is an industry accepted practice that helps maintain the integrity of the company’s IT infrastructure, minimize damage, better protect sensitive information, and minimize users’ downtime. The following vendors provide small and large solutions to the e-mail security challenge.

• Microsoft Secure Email Gateway
  o https://products.office.com/en-us/exchange/microsoft-exchange-online-protection-email-filter-and-anti-spam-protection-email-security-email-spam
• Sophos
  o http://www.sophos.com/en-us/products/email.aspx
• McAfee E-mail & Web Security
  o http://www.mcafee.com
• Symantec MessageLabs
  o https://www.symantec.com/products/threat-protection/messaging-gateway

20

Have you signed the Controlled Unclassified Information (CUI) Supplier Acknowledgement Letter located in the Supplier Standards Guide?

22

NIST SP 800-171 can be found at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

19

The cyber security threat is maturing. Having a trained team, tools, and formal processes to analyze, monitor, and respond can help mitigate the maturing threat and secure sensitive information.
