nERC CIP Security Offering Document

Public Channel / NCS Capabilities

Detailed NERC CIP Security Offering Document by NCS @2017

Share on Social Networks

Share Link

Use permanent link to share in social media

Share with a friend

Please login to send this document by email!

Embed in your website

Select page to start with

Post comment with email address (confirmation of email is required in order to publish comment on website) or please login to post comment

2. Copyright © 2016, NKSoft Corporation. The information contained in this document is the ex clusive, confidential and proprietary property of NKSoft Corporation. and is protected under the trade secret and copyright laws of the U.S. and other international laws, treaties and conventions. No part of this work may be disposed to any third party or used, reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, without first receiving the express written permission of NKSoft Corporation. Except as otherwise noted, all trademarks appearing herein are proprietary to NKSoft Corporation.

8. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 5

9. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 6

10. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 7

12. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 9 features, capabilities, and pricing, as well as in sights into future product development efforts, for most of the major North American providers.


68. Example Publication by NKSoft Team


1. NKSoft NERC/CIP Audit and Smart Security Program Capabilities F F o o r r t t h h e e U U t t i i l l i i t t y y I I n n d d u u s s t t r r y y

7. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 4 2. NERC/CIP Compliance Management Tool from NKSoft Our NERC/CIP Compliance Management tool comb ines requirements, process, procedures, security, best practices, and content to help you simplify and enhance compliance with NERC reliability standards, including NERC 693 and NERC CIP. The tool streamlines NERC compliance processes, while automating manually-i ntensive workflows. The tool also provides a collection of NERC standards, as well risk and control libraries, control tests and procedures, and reporting templates. Graphical dashboards provide compliance insights that guide and support decision-making at the highest levels of the organization.

15. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 12 4. NKSoft Payment Card Industry (PCI) Assessment Methodology PCI Compliance Services, and associated services in accordance with the requirements specified by PCI and including all provisions set forth in the accompanying documentation.

43. The National Infrastructure Protection Plan, Nati onal Strategy for Homeland Security, International Critical Information Infrastructure Protection , Performance Evaluation Model for Critical Information Infrastructure Protection Activities California Civil Code Section 1798.29 (SB 1386); Sarbanes-Oxley Act Section 404 IT General Controls, HIPAA, GLBA, Information Practices Act—Information Security and Privacy US Code Title 5 Government Organization Public Records, Title 12 Bank s and Banking Financial Privacy, Title 15 Commerce and Trade Consumer Privacy, Title 18 Crimes and Criminal Procedure Computer Fraud/Security, and Title 31 Money and Finance Privacy Certifications: Certified Information Systems Security Professional (CISSP) Certified Information Security Manager (CISM)

31. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 28 Example Resumes

16. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 13 5. NKSoft Security Program Development Methodology A successful security program requires the spon sorship and support of the company’s Board of Directors and Chief Executive Officer. The su pport by the highest executive management is paramount to implement and manage the security program. The program also requires the complete support at all levels of management . This support ensures a unified endorsement indicating to all personnel that security is an inte gral part of the business vision and plan. This also assures adherence to the program througho ut the entire enterprise enforcing uniform compliance. The security program must be comprehensive and cohesive to ensure all organizations in the enterprise are aware of their roles and resp onsibilities and understand the importance of implementing and managing the program. Ultimately, the organization assigned the responsibility to develop, implement and manage the program is accountable for its success, but no one individual or organizatio n is responsible for the security and protection of assets, including information; rather every individual employee is responsible for security. Every organization is responsible for securing and protec ting the enterprise assets and information. We have customized our proposal based on the security offering shown below:

27. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 24 8.7. PC/Workstation Accessibility 8.8. Access to Magnetic Media

28. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 25 6. Description of Standard Process Our proposed activities are based on our ESA framework which aligns with ISO/IEC 27002 standards and our methodology to develop a comp rehensive security program for Utility. We have customized our approach based on our di scussions and experience from other similar projects. The framework describes the stages of development of a successful security program, including:

60. 32. 7,010,437 Electric utility storm outage management. 33. 7,272,516 Failure rate adjustment for electric power network reliability analysis.

18. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 15 NKSoft Enterprise Security Architecture Framework This framework presents a holistic view of the se curity areas needed within an organization. Each of the main concepts presented above have se veral layers of detail that are used to execute these concepts within an organization. To help you see how security areas are addressed, we have selected our Logging, Monitoring and Report ing Blueprint within the Security Foundation area as an example. Logging, Monitoring and Reporting Blueprint The Logging, Monitoring and Reporting Blueprin t is comprised of several Security Domains that in total reflect the minimum set of areas th at should to be addressed for security logging, monitoring and reporting. In this particular example we used ISO/IEC27002 and well-known best practices as a baseline in creating a general se t of security domains. This blueprint consists of seven Security Domains: 1) Anti-Virus, 2) Event Logging, 3) IDS and Alarm, 4) Malicious Code Filtering, 5) URL Filtering, 6) Lexicon/ Word Content Filtering and 7) File Integrity.

50. Computer Experience: Operating System and Networking knowledge including: Solaris, SunOS, HP-UX 9.X-10.0, AIX 3.2- 4.1, FreeBSD, Linux, OS X, Windows NT/95/98/2000/XP/2003/2008, Novell 4.11-5.0, Cisco IOS, TCP/IP, IPX/SPX, NetBEUI, DNS, DHCP, Samba, Ethernet, SONET, FDDI, Token Ring Security software/hardware knowledge including: Nessus, Checkpoint Firewall-1, Cisco PIX and IOS, Axent Raptor, Protectix ProWall, and Lucent VPN Firewall, Gauntlet, IP Chains, Axent ESM/NetRec on/Raptor/Intruder Aler t/NetProwler, CyberCop, Tripwire, ISS Internet/System/Databa se Scanner, Checkpoint RealSecure , ManTrap , eTrust, Kane Secure Enterprise and Security Analyst, SecureNet PRO, L0pht AntiSniff, SATAN, SAINT, TauScan, Microsoft ISA 2004, Checkpoint VPN-1, Axent PowerVPN , PGP VPN, RADIUS, TACACS / TACACS+, RSA SecurID, Entrust CA and RA, SSL, IPSec Additional software knowledge including: LDAP, Microsoft Active Director y, Microsoft Exchange, Microsof t Live Communications Server, Microsoft Sharepoint, Microsoft SQL, MySQL, Postgre, Oracle, SendMail, Apache, IIS, HP OpenView, Net IQ, Vantive, Remedy, ScriptLogic, McAfee ePO Language knowledge including: Visual Basic, HTML, ASP, ColdFusion, Perl, XML, Pyth on, Shell, C++, C#, Java Scripting, PHP4, Ruby on Rails

19. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 16 LOGGING, MONIT ORING & REPORT ING BLUEPRINT Anti- Virus Event Logging IDS and Alarm Malicious Code Filtering URL Filtering Lexicon/ Word Filtering File Integrity Strategy & Concept of Operation Note: this Blueprint has not been tailo red for Utility unique requirements The Security Domains are established by mappi ng the security specific factors such as objectives, standards, strategies and concept of operation, that were identified during the security assessment and future state visionin g process (performed when defining a Common Risk Language) to the common security domain areas. Each Security Domain is defined through a Securi ty Domain Diagnostic that is defined by six Process Control Areas that are used in asse ssing, developing and deploying the Security Domains in question: 1) Policy & Standard Comple teness, 2) Technical Control Architecture, 3) Organizational Alignment, 4) Management Proce ss Enhancement, 5) Education and Awareness and 6) Assurance and Compliance. Anti-Virus (AV) Security Domain Diagnostic Anti- Virus GA TE W A Y M A I L / F I L E S E R V E R D E S K T O P A U T H O R I T Y P A T C H U P D A T E I N C I D E N T R E S P O N S E P R O D U C T I O N R E A D I N E S S M A N A G E M E N T U S E R A D M I N I S T R A T O R B A S E L I N E C O N F I G U R A T I O N P R O C E S S E F F E C T I V E N E S S P E R S O N N E L P R O F I C E N C Y STRATEGY & CONOPS A C C O U N T A B I L I T Y R E S P O N S I B I L I T Y R I S K P R O F I L E P O L I C Y & S T A N D A R D S AV The Process Control Areas are further defined through a granular set of sub-process control elements and maturity levels. Let’s use the Technical Control Architecture Process Control Area as an example to further highlight how this particular Process Control Area is structured.

24. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 21 Our methodology incorporates a holistic approach to the security policy and standard lifecycle. We use a Domain Diagnostic comprised of six fu nctional threads in assessing, developing and deploying policies and standards in order to establish a fully operational policy and/or standard: 1. Policy & Standard Completeness 2. Technical Control Architecture 3. Organization Alignment 4. Management Process Enhancement 5. Education and Awareness 6. Assurance and Compliance Our methodology and approach is executed through a four-phased solution development approach that integrates the six func tional threads identified above:

5. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 2 1.1 NERC CIP and Cyber-Security Expertise NKSoft’s NERC CIP and cyber security expertise encompasses standards and any regulations set forth by NERC, FERC, DOE, or DHS in regards to cyber security for the Electricity Sector and power grid (including Smart Grid). NKSoft has extensive knowledge and experien ce regarding the North American Electric Reliability Corporation (NERC) Critical Infras tructure Protection (CIP) standard. We are currently supporting utility clients with desi gn, implementation, and audit for NERC CIP compliance. Our experience includes: • Designing and implementing NERC CIP so lutions for generation, transmission, and energy management • Performing audit (NERC CIP Gap A nalysis/ Compliance) assessments • Performing Control System Supervisory Control and Data Acquisition (SCADA) vulnerability assessments (CIP5/7) • Performing proof of concept testing fo r NERC-compliant security solutions • Conducting Independent Validation and Verification (IV&V) of vendor NERC CIP- compliant solutions NKSoft has experience with the cyber asse ts involved with generation, transmission, distribution, and energy management systems. We have secured SCADA systems from GE, Honeywell, Custom Control, Cooper Syste ms/Cybectec, Allen-Bradley, Emerson, and Schweitzer. We have performed NERC CIP gap analysis assessment s that help our clients find issues with their NERC CIP program before an audit. Assessme nts also provide critical information when beginning a NERC CIP compliance program.

67. distribution client as well as oversaw the marketing communications service delivery for 12 other non-profits in hi-tech, manufacturing, and engineering while supervising and mentoring 20 direct and indirect reports. Languages: Speaking Reading Writing English: Excellent Excellent Excellent Spanish: Fair Good Fair Professional Affiliations & Certification: Member, NKSoft Program Management Center of Excellence Member, UTC – The Utility Technology Association Provisional Auditor, ISO 9000 Quality Management Systems Member, ASAE and the Center for Association Leadership Certified Association Executive, ASAE and the Center for Association Leadership Leadership: UTC Membership Committee, 2008 – present UTC Program Committee, 2008 - present Speaker/Presenter: “System & Technical Considerations for Extending AMI Networks to Include HAN and Smart Grid Applications,” Autovation 2009, symposium course Moderator: Quality Track, Autovation 2009 “Quality Management: From Meter Components to Back Office Solutions, ” Southern California Edison “Systems Acceptance Testing: Lessons Learned at PGE Portland,” General Electric Strategy Track Autovation 2009 “The Next Horizon: Evolution to A New Partne rship with Customers,” Pacific Gas & Electric

44. Austin Mlady, CISSP Profession: Senior Technology Consultant Years of Experience: 14 Key Qualifications: Thomas Standifur is a seasoned professional in Information Technology Systems and Management, providing technical and managerial support of production and development environments, as well as developing long-term strategic and tactical initiatives. Responsibilities include planning studies, requirements definition, system sp ecification, vendor prequalificati on, proposal evaluation, contract negotiation and resolution, design review, develo pment of test plans and test procedures, and system commissioning. His expertise includes projects involving LAN and WAN design, system security, disaster recovery and business continuity, application design and development, as well as standard application deployments. He has been involved with all aspect s of implementing IT networks and systems, from architectural design to actual implementation of software and hardware. In January 2010 he obtained his Certified Information Systems Security Professional (CISSP) certification. Mr. Standifur has also evaluated organizations that were seeking to obtain the AICPA’s (American Institute of Certified Public Accountants) WebTrust seal, a certification program that advocates business practice disclosure, transaction integrity, and information protection controls for commerce on the Internet. He has extensive experience in positions that invo lved hands-on technical expertise and solutions for several fortune 500 and other large companies, including Pacific Gas and Electric, New York Power Authority, Puget Sound Energy, Charles Schwab, Visa International, Verizon Wireless, Safeway, Novell, Bank of Hawaii, Exodus Communications, Digital Island, The Regence Group, and Selected Professional Experience:  Created and develop a handheld computer application that interfaces with an enterprise level database server used in residential and small bu siness energy audits. Th e application allows the auditor to not only perform audits more effi ciently and reduce unnecessary redundancy, but also allows the in-house analyst to immediately have access to the data for analysis.  Responsible for the design, programming and impl ementation of multiple web based surveys, for clients including Northwest Energy Efficiency Alliance, Puget Sound Energy, and New York Power Authority. Standard data collection methods of questions and answers were employed, along with advanced functionality such as answer piping, advanced question branching based upon previous answers, real-tim e data charting of past and present energy consumption, and administrative reporting and tools.

20. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 17 G A T E W A Y M A I L / F I L E S E R V E R D E S K T O P AV Three sub-process control elements have b een identified: 1) Gateway, 2) Mail/File Server and 3) Desktop. Five maturity levels are used to establish the effectiveness and completeness of the sub process control elements: 0) Nonexistent – NO evidence that the sub-process control element is understood or recognized. 1) Exists – the sub-process control element is understood, defined and documented. 2) Complete – the sub-process control element is understood, defined and documented and addresses all of the components defined by the associated best practice. 3) Followed – the sub-process control element is operational and is executed through well-defined process and procedure within specific business units. 4) Consistent – the sub-process control elemen t is operational and is executed through well-defined process and procedure consistent across the enterprise. In the example above, it is expected that an or ganization will have anti-virus protection in-place at their Internet Gateways, on their Mail and File servers and on all of their workstations and laptops. Further, in this particular exampl e, the AV control for the Gateway and Mail/File Server environments is completely defined, documented and consistently followed across the enterprise where as the AV control for the De sktop environment is completely defined and documented but is not consistently applied across the enterprise.

4. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 1 1. Executive Summary NKSoft is a leading worldwide provider of utilit y industry professional services with over 250 professionals in over 6 countries. NKSoft Enterprise Security Services (ESS) practi ce comprised of security and risk professionals is a global leader in helping utilities develop se curity procedures and control -- from the Smart Grid to the physical securities in the generation plants. We provide a broad array of services that allo w clients around the world to better measure and manage risk and control, and to enhance the relia bility of electric grid, systems and processes, throughout the enterprise. With core competenci es encompassing security consulting, security audit, and regulatory consulting, our ESS profes sionals offer a wealth of experience across a wide spectrum of security services. Our objective is to provide Utilities with professio nal services of the finest quality – our services are of the highest technical standards, independen t, objective, innovative, progressive, and fully responsive to the special needs of each client. Each engagement and project is designed to exceed our client’s expectations by: Looking beyond the obvious – recognizing that, in the end, ou r initiative and ingenuity, as well as our intellect, will set us apart from the competition. Anticipating problems – acting as your early warning sy stem, helping to avoid surprises. Communicating – keeping you thoroughly informed about the progress of the engagement. Working efficiently – bringing in the resources we need to do the job and staffing our teams with the right mix of senior and staff personnel. Reducing your risk of failure – by providing consultants wh o are trained in our proven methodologies for designing and building information systems and solutions. We believe NKSoft is particularly well qualifie d to assist Utilities needing specific security services for at least three reasons: NKSoft’s leadership in the field of utility in dustry assures you of our ability to assign qualified, knowledgeable, and often industry respected personnel, all of which have performed similar services for ot her utility clients worldwide. We have a wide range of very specialized security skills that have been honed from practical, real life technical security a ssessment and turnkey solution deployment experience. Our experience in working with you in deve lopment of the security program assessment guidelines.

39. Phu Huynh Profession: Senior Consultant Years of Experience: 19 Education: Bachelor of Engineering, New York School of Engineering, New York, NY Years with NKSoft: 2 Key Qualifications: Phu Huynh is a highly motivated and dedicated seasoned professional offering 19 years of experience in IT regulatory compliance and information security risk management in the power utility and telecommunications industries. His strength as a certified information security professional is effectively leading compliance and security programs as business enablers—business goal attainment, productivity improvement, and cost reductions. He has extensive expertise in developing, implementing, and managing information compliance and security programs and integrating with business culture and strategies. With strong leadership skills, excellent written and verbal communication skills, he is able to establish rapport with all levels of management and stakeholders. Using strong collaborative consensus- driven skills, he is able to create and lead interdepartmental/multifunctional teams in ac hieving industry standards and regulatory compliance. Mr. Huynh has held leadership and management positions in information security, corporate security, privacy management, and technology risk management. Mr. Huynh has expertise in the development and management of policy, standards, guidelines, and procedures for regulatory and national standards compliance, information security and privacy. He also has extensive experience in IT regulatory compliance programs, enterprise security architecture, PKI implementation and management, IT governance and security complian ce, and IT security risk assessments. He has successfully developed and delivered security educat ion and training courses and material, as well as awareness programs. He has strong experience in conducting criminal investigations/forensics and providing expert testimony. Mr. Huynh is committed to establishing and main taining world class compliance and information security programs using his leadership skills and management experience. Professional Experience: NKSoft, Corporation, Dallas, Texas: 2014 to Present Senior Consultant Current assignment is to assist clients develop, implement and manage compliance programs for the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards.  Providing subject matter expert services to a west coast energy client in developing, implementing and managing compliance progra m for NERC CIP Cyber Security Standards,

64.  Engaged by a venture capital firm to assess an AMI technology provider’s solution and competitive position by examining utility tech nology evaluation fact ors, market trends, regulatory influences and factor s affecting AMI systems adoption. Ernst & Young, Dallas, Texas: 1999 to 2006 Senior Manager – Management Consulting  Tucson Electric Power, (UniSource Energy) Operations Technical Information Services Roadmap: November 2004 – January 2005. Mr. Robe rts was the T&D subject matter expert for conducting a current state assessment of processe s, data, people (culture), and technology using E&Y methodology. The assessment was driven by key T&D process interviews and workshops that included representatives across organization al boundaries. This appr oach identified data, process, culture, and technology issues in several areas. The results of the assessment were compared to E&Y’s best practice reference models for T&D operations to develop recommendations and a corresponding implementation roadmap for the next three to five years. TEP will use the Roadmap to plan and fo recast technology budgets over the next five years.  NiSource Enterprise GIS: May 2004 – November 2004. Mr. Roberts managed an assessment of current gas distribution utility op erations work processes across ei ght different states that were originally part of three separate distribution co mpanies that serve a combined customer base of two million customers. The work identified process improvements with a focus on those processes that can be streamlined through the application of GIS technology, and the integration of GIS with other gas distribution operations systems and applications including work management, engineering design, network analysis, pipeline integrity, inspection and maintenance, etc. The deliverable will be fu ture state streamlined process models, with associated IT architecture plans, data conversion/migration strategy, and corresponding cost- benefit analysis and next step recommendations. The strategic roadmap plan will recommend business releases based upon potential benefits as well as any regulatory requirements and opportunities.  Cinergy CapEx Project: January 2004 – May 2004. Mr. Roberts served as an electric and gas utility T&D engineering and construction process subject matter expert on a team that reviewed existing Capital Expenditure budget and sp end processes for electric generation and transmission and electric and ga s distribution. A key area of focus for T&D was the use of GIS, OMS, and Inspection & Maintenance data in the planning and budgeting process. Areas of data quality, currency, and synchronization were addressed and evaluated. Mr. Roberts led the development of streamlined T&D electric and gas distribution future state processes. A corresponding strategic implementati on plan and supporting cost benefit business case were then developed based upon analysis and an industry best practice benchmark comparison. The project included the full capital expenditure life cycle (planning & budgeting; engineering analysis & design; construction wo rk execution, management & scheduling; as- built reporting; performance management; and financial closeout. The benchmark comparison task included leading US and European utilities. The objectives of the benchmark comparison are listed below:

62. Aubrey Roberts, III Profession: Senior Principal Consultant Years of Experience: 25 Education: Bachelor of Science, Computer Science, University of Texas, Austin, TX Years with NKSoft: 10 Key Qualifications: Aubrey Roberts is a Seni or Principal Consultant with NKSoft . A range of work experiences in manufacturing, distribution and utility industries has provided Mr. Roberts with an excellent foundation and perspective. He is known for his ability to quickly identify and define the highest value alternatives to drive process change and wo rk in partnership with clients to refine their enterprise structure and or ganizational objectives. A recognized professional in quality management systems auditing, he is a Provisional ISO 9000 Quality Management Systems (QMS) auditor and is experienced in establishing certification audit programs, reviewing QMS quality systems proces ses and performance and good manufacturing practice (GMP) conformance assessments leading to full ISO 9000 certification. In addition, Mr. Roberts has developed quality management progra ms and authored articles/presentations on process improvement, risk minimization and orga nizational alignment. He is presented AMI/SG workshops as well as served as a speaker on related topics at industry events. Throughout his career, Mr. Roberts has established himself as a change agent able to define and articulate strategic vision, build cohesive cross-fu nctional teams and align diverse business goals to achieve sustainable business objectives. Professional Experience: NKSoft Corporation, Dallas, TX: February 2006 to Present Senior Principal Consultant Project leader and team member in NKSoft’s Intelligent Networks and Communications area focusing on AMI/ Smart Grid issues, Leads engagement teams and contributes to utility project success by providing consulting expertise to a variety of technology upgrades, process improvements and market analyses.  Performed bottom-up job creation analysis for a Smart Grid Investment Grant (SGIG) award recipient. With an understanding of Departme nt of Energy reporting requirements, met with program and project leaders to determine scope of planned work, fluctuations in level of effort anticipated during the grant period, identify di rect and indirect resources and structure data collection to facilitate DOE and OMB compliance under the SGIG program.

14. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 11 3. Network Port and Service Identification – Us e of active discovery tools (such as Nmap) to discover open ports and services. Verify that only ports and services required for operations are enabled. 4. Physical Inspection – Physical inspection to verify that the network map accurately portrays the network configuration. 5. Password Policy – Review current password policy. 6. Firewall Policy – Review of firewall policies. 7. Default Accounts – Review co ntrols for default accounts. 8. Vulnerability Scanning – Use of a vulnerabi lity scanning tool to identify network accessible ports and services along with th e identification of known vulnerabilities associated with services running on those ports. 9. Software and Patch Management – Review application and operating system software installed on cyber assets and access points for outstanding patches and known vulnerabilities. 10. Wireless Scanning - Use of a wireless scanni ng tool to discover wireless signals and networks in the physical perimeter of a BES Cyber System. 11. Documentation – Document the vu lnerability assessment process. 12. Remediation – Recommendations for remediatio n and/or mitigation of vulnerabilities. 13. Action Plan – Documented results of the assessment including all findings and recommendations and an action plan for reme diation or mitigation of vulnerabilities identified during the assessment.

17. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 14 Enterprise Security Architecture Framework Our security services are designed and deliv ered using our proven Enterprise Security Architecture (ESA) Framework. Our ESA Framewor k ensures security domains of interest (e.g. network infrastructure, identity management syst ems, remote access, portals, biometrics, web and legacy applications, etc.) are designed, developed and deployed to be consistent with an organization’s overall security program and architecture. Our ESA Framework allows your organization to de velop an effective and cost efficient security operating model that is aligned with core busi ness processes and applications that matter the most. It allows a Top-Down and Bottoms-Up approach to be used in addressing security program and architecture needs. The ESA Fr amework is comprised of five key areas: Common Risk Language – Consensus on threats, vulnerab ilities and acceptable risks is established by leveraging ISO/IEC 27002, In dustry Specific Standards, and Strategic Business Drivers to create a Desired Risk Profile – everyone is on the same page . Foundational Blueprints – Standards-based, risk tolerance- based foundational blueprints are use to define, develop and implement an ente rprise-level core security architecture and business operating model – a core security program and architecture is established. Business Management Process Enhancement – Leveraging Foundational Blueprints, business management processes (e.g. System Development Life Cycle, Help Desk, etc.) are refined and calibrated to efficiently integrate security standards and expertise throughout the system development life cycle and day-to-day operations – evolutionary integration of security is achieved across the enterprise. Business Process and Architecture Enablement – Core Business Processes and Architectures are defined, developed and deployed in conc ert with the core security architecture operating model and standards-based, risk tolerance-based criteria – end-to-end transaction integrity achieved. Performance Monitoring – Dashboard is established to allow line-level and senior management to monitor and report security performance effectiveness by measuring key performance indicators of core business proc esses, architectures and business management processes – is everything ok? Our approach strives to establish cost effectiv e sustainable business pr actices. A graphical depiction of the ESA Framework is presented below:

34.  Energisa Distribution Company (Brazil): Led multiple KEMA teams in supporting this major Brazil-based utility in developing its multi-year AMI and Smart Grid program. This project included assessing business and techni cal requirements for the metering and telecommunications platforms of the AMI and DA, evaluating current state and future state business processes. Developed five comprehe nsive business cases for five distribution companies within Energisa group. Also perfor med technical analysis to reduce theft and improve grid efficiencies.  NISPCO Energy: Led KEMA teams in supporting this large investor owned utility in developing its multi-year AMI and Smart Grid program. This support included assessing business and technical requirements for the AMI and DA, telecommunications requirements, IT and OT requirements and business process change requ irements. Developed a comprehensive business case for the company and the regulators for approval.  Duke Energy: Led KEMA’s efforts to assess Smart Grid options and develop a business case and deployment strategy for this large Investor Owned Utilities in North America. This utility is under a regulatory order to assess AMI options fo r their gas and electric meter population of 4M+. The analysis included the development of options for integrating AMI into the IOUs legacy IT systems and business processes, as well as the development of its regulatory filing documentation. KEMA is continuing to assist the client in specifying requirements for significant field demonstrations projects, as well as the installation of a Meter Data Management (MDM) system to support this infrastructure.  E-On US: Led an effort to develop an AMI implementation strategy for this U.S. utility. The analysis considered multiple technology, geography, and customer deployment scenarios to create an optimal implementation strategy . The identified solution, currently under implementation, is projected to reduce annual operating costs and increase revenue by more than $10M (30% of budget). IBM Corporation Dallas, TX 2000 – 2008 Principal and Services Sales Leader - Utilities Group Provided sales leadership, developed and ma naged energy, utilities and telecom industry initiatives, managed client relationships in complex environments, developed ecosystem of industry leading partners and ISV’s, analyzed growth and cost savings through technology initiatives, ERP software deployment, application portfolio management, enterprise architecture, IT / business alignment, IT governance, IT stra tegy, and IT organization design resulting in business transformation for multiple clients.  CenterPoint Energy. Responsible for architecting the “Smart Grid” solution for CenterPoint including management strategy, plans, method ology, process and tools, including project tracking tools and change management process.  San Diego Gas and Electric: Responsible for archit ecting and deployment of a large RFID meter tracking project at Sempra Energy. Worked with the CIO’s office to develop the business case for the solution. Worked with SAP team to inte grate NetWeaver middleware into the solution. Implemented the solution with several partners and business units within IBM. Managed client project team comprised of multiple lines of business, multiple vendors and IBM resources.  Project Manager responsible for developing th e SAP support strategy for Haldex Corporation with 43 offices and 27 plants throughout the world. Developed and implemented the worldwide strategy for change management, suppo rt process, data management and system

40. Fujitsu Network Communications, Richardson, Texas: 2004 to 2014 Manager, Information Technology Advisory Services Mr. Huynh worked at Fujitsu Network Communi cations as a Manager, Network Technology Advisory Services from April 2010 to March 2014. He was a firm resource for information security in the electric sector. He also was an ad-hoc member of the North American Energy Reliability Corporation (NERC) Critical Infrastructure Pr otection Committee (CIPC) from 2010-2014. Mr. Huynh was responsible for leading a national core team of security professionals to meet the growing security needs of the Power Utilities industry. Mr. Huynh was also responsible for providing client assistance in developing, documenting, and testing IT general controls in accordance to SOX 404, as well as enhancing their information security programs.  Provided subject matter expert advice in th e development of Critical Infrastructure Protection/Critical Information Infrastructure Pr otection (CIP/CIIP) training for a client with public sector clientele. Advocated the inclusion of critical background information and issue considerations and recommendations in establishing a critical infrastructure.  In the position of a Fujitsu’s national resource, he led a core team of fifteen security and energy professionals in creating a marketing strategy and developing strong collateral for the power utility industry. Assisted five pursuit teams gain entry and build rapport with new energy clients. This effort resulted in Fujitsu’s re-establishment with and recognition by the Electric Sector as an information privacy and security advisor.  Working with the Public Sector group, led a team of four security professionals in creating a strategy and developing collateral for the Califo rnia State government. This work resulted in Fujitsu’s introduction to and recognition by State Agencies as an information privacy and security advisor. This lead to establishing tw o new security clients and $500,000 of revenue.  Assisted a California State Agency identify crit ical requirements of federal and state privacy regulations and align them with their security and privacy programs. This work resulted in increased efficiencies and cost reduction by eliminating redundant and unnecessary procedures, streamlining processes, and mapping procedures and evidentiary material to state and federal regulations facilitating reviews and audits.  Assisted power industry clients prepare for compliance with NERC/ERO Reliability Standards, including the CIP Cyber Security Standards. This wo rk resulted in increased efficiencies and cost reduction by eliminating redundant and unnecessary procedures, streamlining processes, and mapping procedures and evidentiary material to NERC/ERO Reliability Standards facilitating NERC/ERO Regional Reliability Organization reviews and audits.  Assisted large energy client with process docu mentation, test development and execution in preparation for IT General Controls SOX 404 compliance audits. This resulted in the client passing their audit by their External Auditor.  Provided auditing teams IT assistance in audi ting two western financial institutions and a service oriented client for IT General Control SOX 404 compliance.

58. 5. D.L. Lubkeman, A. El-Abiad, " Overview of Automation of Power Distribution Systems, " IEEE Southeastcon 1981 Proceedings, pp. 260-264, April 1981. 6. T. Taylor, T. Tapp, J. Wall, D. Lubkeman, " Applications of Knowledge-Based Expert Systems to Power Engineering, " Proceedings of the Eighteenth Southeastern Symposium on System Theory, April 1986, pp. 2 - 6. 7. T. Taylor, J. Wall, D. Lubkeman, " Knowledge-Based Expert Systems for Power Engineering Problems, " Proceedings of the IASTED International Symposium High Technology in the Power Industry, pp. 357-361. 8. G. Wickramasekara, D. Lubkeman, "A Rule-Bas ed Heuristic Approach to the Analysis of Distribution Feeder Harmonics, " Proceedings of the IASTED International Symposium High Technology in the Power Industry, pp. 292-295. 9. D. Lubkeman, G. Wickramasekara, "A Knowledge-Based Approach for Solving Distribution Feeder Harmonic Problems, " Proceedings of the Nineteenth Southeastern Symposium on System Theory, March 1987, pp. 106-113. 10. D. Lubkeman, T. Massey, "A Knowledge-Based Expert System for the Diagnosis of Rotating Machine Problems, " Proceedings of I EEE Southeastcon ` 87, Vol. 2 of 2, pp. 461 -466. 11. S. Civanlar, D. Lubkeman, T. Taylor, H. Yin, "A Switching Operation to Improve the Operation of Electric Distribution Systems " , Proceedings of the American Power Conference, Vol. 49, 1987, pp. 475-482. 12. D. Lubkeman, R. Gyurcsik, M. White, " Integration of Artificial Intelligence Approaches into Electric Power Distribution An alysis, Monitoring and Control, " High Technology in the Power Industry, pp. 193-1 97. 13. Uzma Siddiqi and David Lubkeman, "An Expert Sy stem Dispatchers Aid for Distribution Feeder Fault Diagnosis, " Proceedings of the Twentieth Southeas tern Symposium on System Theory, pp. 519-523. 14. Sonja Ebron, David Lubkeman and Mark White, " Neural Network Applications for Data Interpretation and Diagnostic Analysis, " Proceedings of the 1989 American Power Conference, April 24-26, 1989, Chicago, IL. 15. V.C. Ramesh, David Lubkeman, Ivan Matulic, " Decision Support Applications for Electric Power Distribution Facility Design and Management, " Second Symposium on Expert Systems Application to Power Systems Conference Proceedings, Seattl e, Washington, July 17-20, 1989, pp. 303-309. 16. David .L. Lubkeman, Chris .O. Fallon, Adly .A. Girgis, " Unsupervised Learning Strategies for the Detection and Classification of Transient Phenomena on Electric Power Distribution Systems, " Proceedings of the First International Forum on Applications of Neural Networks to Power Systems, 1991, pp. 107-111.

35. support. Worked with the NOC to implemen t automated alerts and auto-correction mechanisms. Worked with the networking team to identify bottleneck and implement Web- Accelerators to improve the response time.  At Xcel Energy developed an “Optimal Network for Utilities” strategy and roadmap. This initiative was sponsored by the CEO to develop a strategy which potentially could consolidate or replace all existing utilities network. Worked with the utilities executives and field operations to understand data requirements, mobile system s and devices being used, network architecture and business processes to develop the Optimal Network solution. Responsibilities included gathering and analyzing requirements, defining network and application components, research, working with all Xcel business units to develop the technical design documents, and developing the strategy document.  Sprint – New product development and deployme nt: Helped Sprint to develop a new product using existing wireless and wireline technology to target mobile workforce. Responsible for developing the business case for Remote Access Service (RAS) business, and architecting the complex solution. This integrated project included working with several divisions within IBM and IBM partners for hardware, software and services including offshore development. Implemented the program management office to develop the solution where Sprint, IBM and four other major vendors participated.  BJC Hospital – Responsible for developing the security and privacy policies and procedures for IT and Networks.  City of Chicago – Responsible for leading a te am to manage overall delivery of a homeland security project for the city including architecting the surveillance solution which was installed throughout the city of Chicago..  City Transit Authority – Responsible for leading to deploy a Video surveillance solution for the Chicago transit authority.  City of Fresno – Architected and deployed firs t Citywide wireless for public safety solution using Alvarion technology.  USAF (one of the largest Air force Base in th e country) wanted to improve its supply chain operations in the logistics center. Project in cluded developing a mobility strategy including selection of a handheld device. Project also incl uded implementation of federal mandated FIPS 140.2 compliant security, Intermac handheld devices, 802.11b network and Sprint 1xRTT services. Responsibilities included project management, working with the client to develop the mobility strategy, develop functional and technical architecture and developing the interfaces to logistic applications NetKnowledge Technologies, Dallas, TX 1997 - 2000 Chief Technology Office Started a “customer care and billing e-commerce” company focusing on the telecom and utilities industry. Responsible for product development, sale s, delivery and staff development. Developed the first “internet based e-billing and e-payment solution” for the telecom and utilities industry. Successfully grew the company from zero to over $5M in sales wi th market value of $30M. As a consultant, worked for Excel Communications as a Director of Call Center technologies and also helped Ericsson to start a

63.  Worked with IT and AMI teams in developing functional requirements to support product lifecycle management of AMI and Smart Grid devices. Researched use cases, as-is and future state business process models, and other work product to create hundreds of functional requirements covering device conception to retirement.  Developed a detailed request for proposal (RFP) for installation service vendors to support a large investor-owned utility’s Smart Grid Enable ment initiative. Planned, coordinated and led requirements meetings with in ternal stakeholders; created a request for information (RFI), analyzed and presented RFI responses. Develo ped RFP short-list criteria; and produced RFP evaluation criteria based on analytical hier archy process (AHP) guideline and designed the evaluation process for assessing responses for sh ort listing and selecting a qualified respondent.  Co-created a quality management system for lifecycle management of serialized AMI and Smart Grid devices at a major Midwestern electric and gas utility. The program incorporates principles of ISO 31000, ISO 9001 and ISO 17025 quality standards for risk management and process reliability review. Program elements included an auditor training and reference manual, an illustrated process guide with corresponding narrative, and lifecycle process audit tool that provides the utility with the ability to conduct AMI supplier audits, as well as track identified risks and quality control points.  Consulted with the AMI Steering Committee of a major investor-owned gas and electric utility in the preparation of a comprehensive response to its Public Service Commission Order for a technology assessment for Advanced Metering Infrastructure, including communications, metering and meter data management services.  Worked as a member of a collaborative team to assess a leading U.S. utility’s business, regulatory, strategic and technology options with respect to its entry of Smart Meter/Smart Grid initiatives. Presented conclusions regarding the utility’s potential strategic choices to directors and vice presidents, outlining a variety of implicat ions as well as risk and mitigation courses the utility could consider.  Led a team in the quality assurance risk assessment of meter and vendor companies bidding for an Australian electric IOU’s AMI deployment This effort, one of the utility’s steps in the procurement process, involved customizing asse ssment tools incorporating the utility’s needs for gauging elements of candidate companies’ corporate, quality, pr oduction and design flexibility strengths and risks.  Assisted a major electric IOU in the evaluation of its business case and technology solutions, including an assessment of the market requirem ents, home area network (HAN) device traffic and backhaul communications requirements.  Researched and wrote a report evaluating relative personal and property-related risks associated with remote connect/ disconnect switches for a major Australian electric investor-owned utility (IOU). The report results incorporated primar y and secondary research elements of companies piloting or employing remote/ connect features, the application of varying procedures for customer notification and interaction as well as conclusions reached about relative risk. This report was submitted to and accepted by the local regulatory body to comply with its request for the risk assessment.

30. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 27  Security Measures  Security Assessment/Testing Tool Recommendations  Recommendations for the Security Organization, Roles and Responsibilities Delivery: In addition to the softcopy of the do cument and appropriate flow diagrams, one hard copy of the documents titl ed “Security Program for Utility Enterprise Security” will be delivered to the Utility Project M anager in a 3 ring binder. 5. Appendix B - Project Change Control Procedures The following provides a detailed Program to follow if a change to this Proposal is required.  A Project Change Request (PCR) will be the vehicle for communicating change. The PCR must describe the change, the rationale for the change and the effect the change will have on the project.  The designated Project manager of the re questing party will review the proposed change and determine whether to submit the request to the other party.  Both Project Managers will review the prop osed change and approve it for further investigation or reject it. NKSoft will specify any charges for such investigation. If the investigation is authorized, the Proj ect Managers will sign the PCR, which will constitute approval for the investigation c harges. NKSoft will invoice Utility for any such charges. The investigation will determ ine the effect that the implementation of the PCR will have on the price, schedule and other terms and conditions of the agreement .  A written Change Authorization and/or Pr oject Change Request (PCR) must be signed by both parties to authorize impl ementation of the investigated changes.

57. 11. Jun Zhu, David L. Lubkeman, Adly A. Girgis, " Automated Fault Locati on and Diagnosis on Electric Power Distribution Feeders, " IEEE Transactions on Power Delivery, Vol. 12, No. 2, April 1997, pp. 801 -808. 12. Atish K. Ghosh, David L. Lubkeman, Matthew J. Downey, Robert H. Jones, " Distribution CircuitState Estimation using a Probabilistic Approach, " IEEE Transactions on Power Systems, Vol. 12, No. 1, February 1997, pp. 45-51. 13. Atish K. Ghosh, David L. Lubkeman, Robert H. Jones, “ Load Modeling for Distribution Circuit State Estimation, ” IEEE Transactions on Power Delivery, Vo l. 12, No. 2, April 1997, pp. 999-1005. 14. Jun Zhu, David L. Lubkeman, “ Object-Oriented Development of Software Systems for Power System Simulations, ” IEEE Transactions on Power Systems, Vol. 12, No. 2, May 1997, pp. 1002- 1007. 15. Lubkeman, D.L.; Jianzhong Zhang; Ghosh, A.K.; Jones, R.H; “ Field results for a distribution circuit state estimator implementation, “ IEEE Tran sactions on Power Delivery, Volume 15, Issue 1, Jan. 2000, Page(s):399 – 406. 16. Baldwin, T.; Renovich, F., Jr.; Saunders, L.F.; Lubkeman, D.; “ Fault locating in ungrounded and high-resistance grounded systems ,” IEEE Transactions on Industry Applications, ” Volume 37, Issue 4, July-Aug. 2001, Page(s):1152 – 1159. 17. Pahwa, A.; Xiaoming Feng; Lubkeman, D.; ” Performance evaluation of electric distribution utilities based on data envelopment analysis, ” IEEE Transactions on Power Systems, Volume 18, Issue 1, Feb. 2003, Page(s):400 – 405. 18. Baran, M.E.; Jinsang Kim; Hart, D.G.; Lubkeman, D.; Lampley, G.C.; Newell, W.F.; “ Voltage variation analysis for site-level PQ assessment, IEEE Transactions on Power Delivery, Volume 19, Issue 4, Oct. 2004, Page(s):1 956 – 1961. Conferences: 1. D. Lubkeman, G. Wickramasekara, "A Knowle dge-Based Expert System Approach for the Analysis of Distribution Feeder Harmonics, " 1987 Industrial and Commercial Power Systems Technical Conference Record, pp. 64-71. 2. M.G. Wickramasekara and David Lubkeman, " Application of Sensitivity Factors for the Harmonic Analysis of Distribution System Reconfiguration and Capacitor Problems, " Proceedings of Third International Conference on Harmonics in Power Systems, pp. 141-148. 3. B.W. Coughlan, D.L. Lubkeman, John Sutton, " Improved Control of Capacitor Bank Switching to Minimize Distribution Systems Losses, " The Proceedings of the Twenty-Second Annual North American Power Symposium, pp. 336-345. 4. David L. Lubkeman, Christopher Burnette, Adly A. Girgis, Elham B. Makram, Hoke Fortson, Automated Testing of Solid-State Watthour Meters in the Presence of Harmonic Distortion, " The Proceedings of the 5th International Conference on Harmonics in Power Systems, pp. 345-351.

49. SeeIT, San Francisco, California: 1997 to 1998 Development Manager  Directed team responsible for the creation and development of San Francisco Parks and Recreation online web services site SFrecOnline (  Responsible for all software product developm ent and life-cycle management. Some examples include: o Responsible for the design and development of the first GIS (Geographic Information Systems) database driven web enabled client tracking program designed specifically for Goodwill Industries. The software system resulted in increased donation collections throughout the United States. Barclays, Mountain View, California: 1995 to 1997 Associate  Initiated efforts for first PC network and Internet presence.  Responsible for managing customer accounts and developing new business.  Wrote proposals and qualifications in response to RFPs. Languages: Speaking Reading Writing English: Excellent Excellent Excellent German: Good Fair Fair Spanish: Fair Fair Poor Education & Certifications: CISSP, Certified Information Systems Security Professional – 2010 - Certification # 344706 CCNA, Cisco Certified Network Administrator, 2001 – 2003 Business Administration /1992/University of Washington, Seattle, WA South Puget Sound Community College/1990/Olympia, WA

6. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 3 NKSoft conducts a full range of NERC CIP and cybe r security services that are delivered by our security consultants. Our expertise focuses on the following:  Pre-Audit Assessment Gap analysis of a utility’s compliance to NERC Cyber Standards CIP-002 through CIP-10-2.  Security Architecture Review Analysis of the utility infrastructure, data handling requirements, administrative processes and business requirements to generate a gap analysis of possible availability, inte grity, and confidentiality issues.  Security Policies and Procedures Review Gap analysis of your security policies and procedures against the appropriate requir ed and/or recommended best practices.  Network Vulnerability Assessment Identify and assess the Electronic Security Perimeter (ESP) access points and devices with in the ESP. We will provide two options – a tabletop paper review, or the network devi ce information can be determined passively or actively to determine responses and availa ble ports and services and vulnerabilities. A security profile is then created base d on a risk analysis of the findings.  Penetration Testing Electronic Security Perimeter access points are actively engaged for exploitation of vulnerabilities, services, co nfigurations, and applications as determined available in the Network Vu lnerability Assessment.  Server Configuration Assessment Analysis of permissions, file structure, access control lists, ports and services to determine appropri ate measures to harden critical servers.  Firewall Configuration Assessment Analysis of security policy rule sets and structure, network and host definitions, network a ddress translation (NAT ) rule structure, IPS/IDS feature configuration, and administrative access controls.

32. John Chowdhury Profession: Senior Principal Consultant Years of Experience: 26 Education: Computer Science, 1988, University of Tulsa, Tulsa, Oklahoma MBA, 1997, University of Texas Dallas, Dallas, Texas Certified Information Systems Security Professional (CISSP)/2007 Utility Industry Involvement: Advisor to Masters of Energy Progra m, University of Tulsa, Tulsa, Oklahoma: 2012 - Present Board Member, UTC Smart Network Council Board Member, NERC Technology Group Key Qualifications: John Chowdhury is a seasoned professional in Information Technology providing technical and managerial support of production and development environments, as well as developing long-term strategic and tactical initiatives. Expertise includes projects involving Smart Metering LAN & WAN design and security, Smart Grid Cyber Plan development as well as planning studies, requirements definition, system specification, vendor prequalifi cation, proposal evaluati on, contract negotiation and resolution, design review, development of test plans and test procedures, factory acceptance testing, and system commissioning. As a senior information security and compliance consultant with NKSoft, responsibilities include Critical Infrastructure Protection (CIP) read iness assessments, process, policy and procedure development, security validation services, an d client training programs. In addition, Mr. Chowdhury provides Global Information Security plan development and implementation, as well as leading vulnerability/penetration testing efforts in North American locations. . Professional Experience: NKSoft Corporation, Dallas, Texas: 2008 to Present Specific Project Experience:  Oklahoma Gas and Electric: Performed NERC cyber security compliance assessment. Developed comprehensive security implementation plan.  Conectiv Energy : Performed NERC cyber security compliance assessment.  Constellation Energy : Performed various NERC CIP compliance related services.  Allegheny Energy : Performed NERC cyber security compliance assessment and Vulnerability Assessment services.

59. 17. A.A. Girgis, D.L. Lubkeman, " Integration of Distributed Transient Measurement Technology into Power System, Control and Protection, " Proceedings for Workshop on Real-Time Control and Operation of Electric Power Systems, Oak Ri dge National Laboratory, 1991, pp. 149-159. 18. Adly A. Girgis, David L. Lubkeman, Danny E. Julian, Christopher Fallon, " Incorporating Mutual Coupling and Intermediate Loads into Fault Location Techniques using Digital Fault Recorder Data, " Proceedings of Seventh Annual Confer ence for Fault & Disturbance Analysis, Texas A&M University, 1992. 19. D.L. Lubkeman, A. Ghosh, J. Zhu, " Object-Oriented Programming for Power Engineering Education, " Proceedings of the Twenty-Fifth Southeastern Symposium on System Theory, 1993, pp. 69-73. 20. A.K. Ghosh, T.B. Dixon, D.L. Lubkeman, A.A. Girgis, "A PC-Based System to Assist Researchers in Electric Power Distribution Systems Analysis, " Proceedings of the 13th IEEE Transmission and Distribution Conference, 1994, pp. 227-232. 21. David L. Lubkeman, Atish K. Ghosh, " Automated Classification and Analysis Strategies for Electric Power System Disturbance Waveforms, " Proceedings of Second Annual Joint Conference on Information Sciences, 1995, pp. 440-443. 22. Lubkeman, D.; Julian, D.E., “ Large scale storm outage management, ” IEEE Power Engineering Society General Meeting, 2004, 6-10 June 2004, Page(s):1 6 – 22, Vol.1. 23. Tsai, S.S.; Li Zhang; Phadke, A.G.; Yilu Liu; Ingr am, M.R.; Bell, S.C.; Grant, I.S.; Bradshaw, D.T.; Lubkeman, D.; Tang, L.; “ Study of global frequency dynamic behavior of large power systems, ” IEEE PES Power Systems Conference and Exposition 2004, 10-13 Oct. 2004, Page(s) :328 – 335, vol.1. 24. Jorgen Hasselstrom, David Lubkeman, Fa ngxing Li, John Wang, and Yuan Liao, " Web-based Asset Management Tools " , Proceedings of DistribuTech Conference, February 2003. Patents: 25. 6,760,670 Crossover fault classification for power lines with parallel circuits. 26. 6,741,943 Crossover fault classification for power lines with parallel circuits. 27. 6,738,719 Crossover fault classification for power lines with parallel circuits. 28. 6,721,670 Crossover fault classification for power lines with parallel circuits. 29. 6,466,031 Systems and methods for locating faults on a transmission line with multiple tapped loads. 30. 6,466,030 Systems and methods for locating faults on a transmission line with a single tapped load. 31. 6,988092 Method for evaluation of energy utilities.

36. business consulting business. Deve loped partnerships with Microsof t, IBM, Ericsson and other key vendors/partners. Evaluated prospective customer specifications, analyzed customers' needs, and determined if any special or custom software was required.  Lead a sales and development team to design and develop first web based customer care and billing solution for the Southern Union Gas Company. Late r, this solution was implemented at Mercado Gas Company and Kansas City Power and Light Company.  Lead a sales team and development team to design and deploy a property management solution with property service order and invoicing system. Ernst & Young Management Consulting , Dallas, TX 1992 - 1997 Senior Manager Started as a manager and promoted to Senior Manage r. Responsible for sales, delivery, recruiting and staff development. Responsible for selling over $5 M yearly and successfully delivering business process re-engineering and package implementation projec ts including SAP, Oracle, AMDOCS, PeopleSoft packaged solutions. Responsible for implementing program management strategy, plans, methodology, process and tools, including project tracking tools and change management process. On a weekly basis measured the program progress, providing project ma trices to the stakeholders and project sponsors.  For Oklahoma Gas and Electric, with SAP America, developed the SAP CIS-U solution for the utility industry vertical. Overall responsibilities included providing the industry best practices, working with SAP design and development team to test the functionalities of the new system and how it was integrated to the existing module.  For Oklahoma Gas and Electric, managed the overall deployment of the SAP Energy solution for this large utility company. Job responsibilities included setting up the program management office, tools to manage the program office, change management process and training the tools and techniques to the project managers. Managed a team of E&Y cons ultants, SAP consultants and four other vendors with totaling 110 resources.  Excel Communications – Call Center Re-engineering: Instrumental in selling this multi-million dollar call center re-engineering project with over 1500 call center resources in three geographic locations. Identified over $125M worth of savings for the company. Implemented PeopleSoft ERP and Customer Care solu tion for Excel.  LisaFrank – JDEdwards ERP solution implementati on: Developed detailed requirements for an ERP solution for this children’s toy company. Helped customers select the ERP vendor and implemented the solution within budget.  Atmos Energy – Responsible of audit of CIS package selection and implementation plan. Price Waterhouse Management Consulting , Dallas, TX 1989 - 1992 Senior Consultant Worked as a senior consultant, de veloping and deploying large customer care, billing, and inventory management software for the Utilit y industry. Responsible for overal l deployment of the consulting projects, business process re-engineering and pack age implementation including Service 2000 and PeopleSoft packaged solutions. Responsible for im plementing program manage ment strategy, plans, methodology, process and tools, including project tracking tools and change management process.

25. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 22 Policy Diagnostic and Implementation Methodology Consistent with NIST and CIP Code, our approach allows a company to emphasize a policy structure around Confidentiality, Integrity and Availability of information resources. The example below illustrates areas that can be in cluded as part of the policy content. EXAMPLE POLICY CONTENT 1. POLICY STATEMENT 2. POLICY OBJECTIVES 3. SECURITY PRINCIPLE (S) 4. DETAILED DESCRIPTION 5. TARGET ENVIRONMENT 6. SECURITY MECHANISMS 7. RESPONSIBILITY AREAS 8. VARIABLES 9. EXCEPTION CRITERIA 10. FREQUENTLY ASKED QUESTIONS 11. RELATIVE POLICIES AND STANDARDS 12. HOW TO ASSESS COMPLIANCE 13. COMMENTS 14. POINT OF CONTACT

56.  Member of Power Engineering Society  Paper Reviewer for Power Engineering Society  Proposal Reviewer for Nati onal Science Foundation  CIGRE Member Professional Journals: 1. D.L. Lubkeman, G.T. Heydt, " Transient Stability Enhancement in Multimachine Power Systems Using Braking Resistors, " Electric Machines and Power Systems, Vol. 9, No. 1, Jan-Feb 1984, pp.1-12. 2. D.L. Lubkeman, G.T. Heydt, " The Application of Dynamic Programming in a Supplementary Control for Transient Stability Enhanc ement of Multimachine Power Systems " , IEEE Transactions on Power Apparatus and Systems, Vol. PAS-104, No. 9, Sept. 1985, pp. 2342-2348. 3. T. Taylor, D. Lubkeman, " Applications of Knowledge-Based Programming to Power Engineering Problems, " IEEE Transactions on Power Systems, Febr uary 1989, Vol. 4, No. 1, pp. 345-352. 4. Tim Taylor and David Lubkeman, " Implementation of Heuristic Search Strategies for Distribution Feeder Reconfiguration, " IEEE Transactions on Power Delivery, Vol. 5, No. 1, January 1990, pp. 239-246. 5. Sonja Ebron, David Lubkeman and Mark White, " Neural Net Processing Approach to the Detection of High Impedance Faults, " IEEE Transactions on Power Delivery, Vol. 5, No. 2, April 1990, pp. 905-914. 6. Ivan Matulic and David Lubkeman, "A Decision Support Approach for Considering Reliability Criteria in the Protective Coordi nation of Distribution Feeders, " Electric Power Systems Research, 19 (1990), pp. 47-56, Elsevier Science Publishing. 7. Uzma Siddiqi, David Lubkeman, "An Automated Strategy for the Processing and Analysis of Distribution Automation Data, " IEEE Transactions on Power Delivery, Vol. 6, No. 3, July 1991, pp. 1216-1223. 8. David L. Lubkeman, Edward R. Collins, " Hypermedia-Based Courseware Development for Power Engineering Education, " IEEE Transactions on Power System s, Vol. 6, No. 3, August 1991, pp. 1259-1265. 9. Adly A. Girgis, Christopher M. Fallon, David L. Lubkeman, "A Fault Location Technique for Rural Distribution Feeders, " IEEE Transactions on Industry Applications, November/December 1993, Vol. 29, No. 6, pp. 1170-1175. 10. Atish K. Ghosh, David L. Lubkeman, " The Classification of Power System Disturbance Waveforms Using a Neural Network Approach, " IEEE Transactions on Power Delivery, Vol. 10, No. 1, January 1995, pp. 109-115.

65.  Develop an appropriate measurement framework for benchmarking the capital expenditure planning & execution processes.  Collect and validate critical productivity and service-level data pursuant to developing a comprehensive performance profile of top performing companies  Identify new and immediate opportunities to improve processes.  Discover innovative and leading practices within the scope of the effort.  UGI Utilities: December 2003 – February 2004. Mr. Robe rts served as Project Executive for the project initiation of NKSoft services to assist with the implementation of UGI’s FLAME (Field Level Asset Management Environment) project. The detailed design requirements phase were delivered during June 2004. The purpose of the pr oject is to have accurate and current facility data available to the field and to also have as-built gas distribution network changes reflected in the GIS with minimal data posting latency. The projected improvement in data integrity is also expected to result in significant benefits in the One Call ticket screening and locating process.  National Grid, US Transmission (August 2003 – November 2003) – Transmission GIS Implementation RFP, and Ve ndor Selection Assistance: Mr. Roberts directed and participated in the development of the RFP for expansion of the National Grid US Transmission GIS. The RFP included definition of requirements to in tegrate the Transmission Line Engineering and Transmission Line Services (Real Estate and Forestry) Property and Asset Management data and applications within a common GIS. The work included the use of NKSoft’s RFP scoring and vendor selection methodology. Scoring template s were created based upon the RFP and used by National Grid Project Team members as they evaluated four vendor responses. The resultant scores were input into a decision support tool and reviewed and discussed during a vendor selection workshop conducted by NKSoft. The work resulted in the selection of the optimal vendor for the implementation work.  TVA – Power Systems Optimization Project: July 2003 – September 2003. Mr. Roberts provided i Advantage TM methodology guidance and was resp onsible for planning, organizing, and staffing of Part B of this project. The effort associated with Part B is designed for Value Capture and is focused on changing TVA Generation and Transmission Operations work processes to produce and use additional source s of new data to impr ove overall operations efficiency.  National Grid, US T&D (January 2003 – June 2003) – ERP and WMS Implementation and Integration Project: NKSoft served as a subcontractor to a global systems integrator. Mr. Roberts’s role was Project Director, Project Le ad for a team of three NKSoft subject matter experts, and as a utility operations process subject matter expert. The deliverables for this project included the functional requirements definition for the integration of National Grid’s new Worksuite WMS and iScheduler with GIS, Graphic Work Design, OMS, PowerPlant and PeopleSoft. The project kickoff was in Nove mber 2002. NKSoft resources developed and delivered functional and detailed design document s for the operations systems interfaces in the mid January 2003 to mid June 2003 period. The interfaces will be implemented using an EAI approach.  National Grid, US Distribution (November 2002 – February 2003) – Common Outage Management Process Model: Mr. Roberts was the Project Director and Executive Consultant for the development of a common OMS process mode l for National Grid. Through the result of multiple acquisitions National Grid had different processes for their OMS process. E&Y utilized

48. Parapet Security, Santa Rosa, California: February 2002 to July 2003 Senior Consultant Firm no longer operational  Senior technical consultant to various businesses and organizations located in the California bay area.  Projects involved network design and impl ementation, disaster recovery and business continuity planning, and systems security development and testing for small to medium sized businesses. Deloitte & Touche, San Francisco, California: 1998 to 2001 Titles: Senior Technical Specialist, Consultant 50 Fremont St # 31 San Francisco, CA 94105-2238  Technical consultant to various Fortune 500 co mpanies, businesses, and organizations located throughout the United St ates and Pacific Rim.  Projects involved IT internal auditing, disaster recovery and business cont inuity planning, policy and procedure development, evaluating business and technology risks, internal controls which mitigate risks, and related opportunit ies for internal control improvement.  Performed security penetration testing for multiple clients using Black Box and White Box testing, in accordance to National Institute of Standards and Technology (NIST) methodology. Provided detailed and confidential reports on the findings, which resulted in significant security upgrades. Some detaile d examples include: o Performed outward facing open and unsecured port testing for Bank of Hawaii firewalls using both commercial and open source tools and methods. o Performed network perimeter testing for Banque de Tahiti (on behalf of Bank of Hawaii as part of their due diligence process necessar y for acquisition) using several open source and commercially available tools. Provided a detailed report on my findings, as well as a series of logical and technical security recommendations.  Helped design and create a secure intranet a pplication for Visa International which allowed the Internal Audit department to manage and trac k their security audits and schedules. This included the method and tools used for th e application change management process.  Participated in an RSA SecurID product testing and trial, including but not limited to, system design and configuration. The goal was to be come familiar with the practical day-to-day implementation and operation as well as the security impacts of two-factor identification and authorization.  Worked on several large client projects, in unison with their internal audit departments, in order to assess HIPPA readiness and compliance. Delivera bles included assessment reports, mitigation recommendations, compliance roadmap, and success benchmarks.

46. o Helping in the development of tools and practices to assist clients accurately and correctly interpret the NERC Cyber Securi ty (CIP) Standards, Requirements, and Measures. o Assisting in the developing security strategies and solutions for advanced Smart Grid technologies such as Smart Meters , AMI, System Automation, etc.  In charge of the redevelopment of the Visualize-IT software application, managing its Software Development Lifecycle. Visualize-IT is designed to help explore, summarize and analyze time series interval data. Managing the software language porting from Visual Basic to C#, development of the graphical user interface, and the implementation of additional features and functionality. Dell Analytics, San Francisco, California: September 2003 to December 2009 Title: Information Technology Ma nager; Chief Technology Officer 179 Main Street, Middletown, CT 06457  Managed IT operations and infrastructure budgets. Directed and managed data communications infrastructure for the purpose of meeting cu rrent and strategic long-range information processing needs of clients. o Some examples of technologies implemented and administered include: Microsoft (MS) Active Directory, MS SQL, MS Exchange, MS IIS, MS Live Communications Server, Asterisk, MySQL, Apache, Coldfusion, Comdial, Avaya IP systems, Sonicwall and Cisco firewalls, and many other open source technologies and applications. o Responsible for all aspects of internal/external/user access controls: administrative, physical, and technical. Including implementation, enforcement, monitoring, and auditing.  Lead day-to-day operations of the networ k/systems administration and data center management operations. Provided IT leadersh ip, project management, and budget planning. Developed and applied policy and translated goals into programs/projects. Some detailed examples include: o Responsible for all aspects of technical and physical security of all user and network computer systems, telecommunications syst ems, and other business related hardware (i.e.- printers, scanners, copiers, data loggers , etc). This included the implementation and management of honeypots, Intrusion Protecti on System, firewalls, security cameras, alarm systems, fire-suppression systems, etc. o Designed and managed all aspects of business continuity and disaster recovery planning; business impact analysis, data and facility recovery, preventative measures, and the testing and maintenance of all plans. o Duties included managing, reviewing, and resolving all system logs for errors, faults, and suspicious activity.  Responsible for network administration, technolo gy acquisitions and deployments, budgeting, and performance improvement. Evaluated existing technologies and defined capacity planning requirements.

47. o Designed and implemented all aspects of company-wide networks for four offices throughout the United States, as well as a central server collocation facility. Including, but not limited to, topology design, hardware and software implementation, VPN tunnels, remote VPN access, access control, internal and DMZ segmentation, public facing serves and services, etc.  Successfully grew and brought stability to the RLW computing and infrastructure environment, implemented inter-office and remote connectivity, and various security and monitoring measures to prevent network intrusions or viru s outbreaks. Some detailed examples include: o Implemented and managed an Intrus ion Prevention System (IPS). o Implemented and managed access control via Microsoft Active Directory and LDAP authentication for other services. o Created and enforced security policies and pr ocedures, both high level (i.e.- Acceptable use policies, non-disclosure agreements, proc edures for account activation/deactivation, etc) and low level (i.e. – system hardenin g, minimum and strong password standards, account and password aging, etc).  Responsible for all operations security, including but not limited to, configuration management, network and resource availability, email an d communication security, asset management, remote access security, and vulnerability testing.  Helped design and implement a secure online data viewer for the California Lighting and Appliance Saturation Study, on behalf of Pacific Gas and Electric Company, Sacramento Municipal Utility District, San Diego Gas and Electric Company, Southern California Edison, and Southern California Gas Company. The tool was created so that utility program planners, evaluators and other interested parties can query the databases online. It calculates all averages to reflect the characteristics of interest and the underlying sampling, so that the resulting statistics are representative of the population of residences in California. The software also calculates sample sizes and error bounds (at the 90% level of confidence).  Created, designed and managed an internal application used by the payroll department for entering and tracking all employees time and expenses. This included the full software development lifecycle and change management process.  On occasion worked with utility clients provid ing Information Technology related consulting services. o Developed a survey tracking tool for New York Power Authority. o Provided security recommendations for both an internal SAS server as well as an external facing SQL database server for a mid-sized utility client. Including, but not limited to, server hardening, monitoring, si zing, access control, and hardware/software recommendations.  Created multiple data entry, viewing, and reporting tools for analytical and statistical staff, using Microsoft Access, Microsoft SQL, Coldfusion, Alpha 5, PHP, and Visual Basic.

51. David L. Lubkeman, Ph.D. Profession: Associate Principal Consultant Years of Experience: 25 Education: Ph.D./1983/Electrical Engin eering/Purdue University M.S.E.E./1980/Purdue University B.S.E.E./1979/Purdue University Years with NKSoft: 2 (Dr. Lubkeman assist in our projects as needed) Key Qualifications:  Over 25 years’ experience in electric power systems engineering.  8 years of R&D project management experience within ABB.  While at university faculty, initiated and manage d a wide variety of research projects directly with electric utilities and industry.  Broad background in various aspects of electr ic power distribution systems operations and analysis, with emphasis on distribution automation.  Active participant in power engineering technical ac tivities, resulting in over 40 publications in power systems.  Proficient in software programming languages and techniques required to develop applications for distribution analysis. Selected Professional Experience:  Consulting Studies: Dr. Lubkeman’s focus at NKSoft has b een on performing consulting studies related to distribution system modeling, reliabilit y, analytics and automation. Past projects while at NKSoft have included modeling the impact of distributed generation/storage devices on electric distribution grids, characterizing the pe rformance of a large-scale battery storage system, providing expertise on smart grid applications for medium-voltage distribution systems, and performing reliability studies for distribution automation upgrades.  Product Development: While at ABB, Dr. Lubkeman had served as team leader and project manager on a number of projects in the corp orate development center. His primary focus had been on the development of tools for evaluating and implementing system s solutions for utility distribution networks and support ing utility asset management activities. Most recent projects have included developing architecture for advanced feeder automation and developing asset management embedded modules for substation au tomation. Past projects at ABB have also included configuration tools for feeder automati on devices, large storm damage assessment for distribution outage management, distribution cont ingency analysis, asset failure rate prediction, distribution utility performance analysis, and transmission/distribution system fault location.

52.  Technology Development: Before joining ABB, Dr. Lubkeman was an associate professor at Clemson University and was involved in a number of R&D projects with electric utilities. During this time, he conducted an R&D project with Empire State Electric Energy Research Corporation (ESEERCO) on a prototype electric po wer distribution system state estimator. Dr. Lubkeman was also involved in an R&D project with Duke Power Company for developing a fault location system for electric power distribu tion systems. A second project area with Duke Power pertained to evaluating and modeling the impact of voltage power quality on industrial manufacturing. Before joining Clemson University, Dr. Lubkeman was an assistant professor at North Carolina State University. During this time , he pursued a number of research projects involving applications of artificial intelligence to power system problems . Projects included the application of neural networks to distribution fa ult diagnosis and the use of a rule-based system for feeder reconfiguration.  Technical Training : Dr. Lubkeman has taught a number of undergraduate and graduate level courses including: Introduction to Power Systems, Power Electronics, Electric Machinery, Power System Stability and Control, Power System Oper ation and Control, Electric Power Distribution Systems, Power System Transients, and Comput ational Methods for Power Systems Analysis. He also taught a power systems analysis re view designed to prepare engineers for the Professional Engineering (PE) Exam, was a lectur er on power system operations at the Modern Power Systems Analysis short-course held at Auburn, and was an instructor at the North Carolina Electric Meter School, covering basics of electric power circuits and revenue metering. Professional Experience: Research Professor, University of North Carolina, Raleigh, North Carolina: December 2007 to Present Associate Consultant at NKSoft Dr. Lubkeman’s focus at NKSoft is on distribution system modeling, reliability, analytics and smart grid automation. Dr. Lubkeman also serves as coordinator of NKSoft’s Energy Storage Practice Area and has been engaged in the testing and evaluation of large-scale battery energy storage systems. Past project tasks have included modeling the impa ct of distributed genera tion/storage devices on electric distribution grids, characterizing the perf ormance of a large-scale battery storage system and providing expertise on Smart Grid applications for medium-voltage distribution systems. Specific Project Experience:  High-Penetration PV Impact Study for Northeastern Utility: Studied impact and feasibility of interconnecting large-scale ph otovoltaic generation on se veral candidate circuits.  Vectren – Smart Grid Deployment: Developed distribution automation specifications and request for proposal content for smart grid deployment plan.  NIPSCO Smart Grid Strategy and Business Case: Developed a cost-benefit model for distribution automation based on circuit parameters and historical reliability.  KEMA, Raleigh, NC: July 2007 to December 2010 Senior Principal Scientist

45.  Developed macros and code base used for quality assurance on various datasets, including end- use, time-interval, and data entry data.  Designed and developed an online timesheet and ex pense system for time tracking, billing, cost accounting, and payroll. Features include the ability to record billable and non-billable hours from any capable web browser, the ability for managers to submit/un-submit/approve timecards, custom reports used for invoicing cl ients, project budget management, subcontractor management, and project data centralization.  Created and administered a Wiki used for knowledge management of SAS base code, engineering and statistical data, reports and whitepapers, and technical “tips and tricks”.  Designed and created an intranet browser based application used for tracking logger and meter reading equipment. Assets can be individually or bulk assigned to a project and/or taskcode (linked to the time and expense database), logger data can be uploaded, and reports generated. Professional Experience: NKSoft Corporation, Dallas, Texas: January 2014 to Present Title: Senior Technology Consultant  Currently responsible for (developed by NKSoft) compliance management systems, including but not limited to, applicat ion servers, email and communications systems, inter-office private networks, project and legacy data, and end user and back office hardware. Some detailed duties include: o Established and maintain inter-network VPN tunnels between NKSoft and o Assisted in the determination of user and group access controls for NERC CIP employees. o Responsible for the physical and environm ental security of all servers. o Assessed and recommended the recovery and restoration plan, BCP implementation strategy, and plan maintenance for migrated servers. In addition, responsible for the creation and proper storag e of all backup and disaster recovery data and equipment.  Senior technical consultant current ly specializing in Smart Grid technologies with an emphasis on cyber-security. Recent examples of CBK related experience includes: o Evaluated and provided information security and technical recommendations for Burbank Water and Power’s Department Of Energy’s FOA-58 federal funding grant proposal, taking care to make sure the prop osal was in line with NERC (North American Reliability Corporation) CIP (Critical Infrastructure Prot ection) standards.  A member of NKSoft’s Cyber Security Practice Area whose mission is to be the primary Critical Infrastructure Protection partner for the Electric ity Sector power companies in order to provide cyber security consulting services in such a way to help clients meet their obligations to comply with mandated standards and regulations so that the reliable operability of the bulk electric system (including Smart Grid) is maintained. Some detailed efforts include:

11. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 8 2.1 Introduction to the NKSoft Utility Team NKSoft is a worldwide leader in planning, desi gning, and implementing security, advanced communications, Advanced Metering Infrastruc ture (AMI), distribution and substation automation, and Smart Grid. We also provide project management experience to oversee the integration of these automation and change management efforts into utility operational systems. To date, NKSoft’s consultants have implemented numerous such projects and are presently supporting the implementation of some of the largest initiatives in North America, including programs for Duke Energy, Con Edison, Southern California Edison, Public Service Electric & Gas, CenterPoint Energy, and Portla nd General Electric, as well as other smart metering or smart grid projects in Australia, Europe and Brazil. Our services include (but are not limited to) the following general processes:  NERC CIP Audit Assessment  Strategic planning and financial studies  Technical and business requirements analysis and development  Stakeholder management  System design and specification  Deployment strategy development for systems and functional components  Procurement management  Implementation management  Acceptance testing  Performance enhancement  Demand Side Management  “Utility of the Future” thought leadership NKSoft’s Intelligent Networks and Communications team has established itself as a key partner for a number of the leading Smart Grid and AMI programs in North America and internationally. Our practice is comprised of bo th business strategists and technical specialists who together form a capability to understand all aspects of the business. With a rich combination of direct utility “hands on” experience, strong leadership and participation in industry consortia, and years of consulting proj ect service, our consultants are well-versed in metering and communications technology, indust ry standards, regulatory/legislative trends and the strategies and solutions of most of the leading suppliers. Using past and current client engagements, we have developed a library of knowledge regarding specific technology

13. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 10 3. NKSoft NERC CIP Assessment Methodology Work product created during the NERC / CIP A ssessment shall meet or exceed the applicable requirements of NERC CIP Standard 010-1 R3 –V ulnerability Assessments. Additional guidance should come from NIST Special Publication 800-115. NKSoft considers the following developing the project plan: 1. Assess current policies, processe s, and security requirements 2. Work with stakeholders to verify the accura cy of the identified critical cyber assets; identify and assess management and policy controls 3. Review policies, procedures, and practices for employee hiring, training, and access management 4. Assess personnel awareness of the standards and training 5. Review current state of compliance progra m, including organizational and operating structure 6. Assess the critical asset network for type and placement of electronic security perimeter(s) and identify gaps with NERC CIP requirements; eval uate entry and exit points into the electronic security perimeter 7. Conduct communication reviews of onsite te chnologies (PLCs, HMIs, RTUs) to assess their capabilities (availabilit y, security, and so on) in meeting the requirements 8. Evaluate practice s for remote access ar chitectures as well as network and system management practices 9. Review the current physical access securi ty plans, controls, and procedures 10. Review the current level of logging, asse t monitoring, incident response, and log retention policies 11. Review business continuity plans as well as backup and restore procedures for critical cyber assets 12. Review compliance program’s roadmap and ability to scale to newer versions of the standard 13. Readiness Assessment Report 14. The readiness assessment report details ga ps in the utility environment for compliance with NERC/CIP requirements 15. Recommendations for addressing find ings through mitigation planning 16. Recommendations for readiness in transitio n and migration to future versions of NERC/CIP Work Steps including: 1. Use of active discovery tool s to discover active device s and identify communication paths in order to verify that the disc overed network architecture matches the documented architecture. 2. Vulnerability Scanning – Scanning and docume ntation of potential vulnerabilities.

23. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 20 NKSoft Approach We leverage our proven Enterprise Security Architecture (ESA) Framework for developing comprehensive, operationally focused policie s and standards. Our ESA Framework ensures policies and standards are designed, developed and deployed to be consistent an organization’s overall security program and architecture. We use a phased, deliverables-driven approach that is designed to maintain tight linkage between an initial situation diagnostic and so lution implementation. The methodology and approach are flexible to allow for granular deliver ables that meet the Utility’s particular needs. In addition, our approach:  Employs a complete solution development lifecycle that emphasizes operational aspects of policies, standards and procedures.  Uses an ISO/IEC 27002 standards foundation that is augmented with NIST and CIP and corporate specific requirements.  Emphasizes the development of an audi t trail for compliance with regulatory requirements and policies such as NIST, CIP, HIPAA, GLBA, Homeland Security, etc. as well as to support and organizati on’s performance monitoring objectives. Several key components and considerations drive our approach for developing and implementing security policies, standards and procedures: Key Components Key Considerations Strategy & Vision o Business enablers o Protection from loss and disclosure o Legal and fiduciary responsibilities Policy and Procedure Development o Reporting and ownership o Roles and responsibilities o Legal and cultural alignment Policy Infrastructure o Policy development and approval Distribution and communication o Maintenance and interpretation self- service Active executive participation High-level, comprehensive and limited revisions required Balance between tactical remediation and strategic advancement Address issues of cu rrent relevance and concern to the organization Minimum baseline to formalize core capabilities for mitigating enterprise information security risks Automation to ease administrative burdens and facilitate policy compliance

53.  California Public Utilities Commission – Impact Evaluation for the California Solar Initiative: Evaluated impact of California Solar Initiative photovoltaic systems on utility distribution circuits.  Assessment of Storage System Technology and Controls for Large Wind Developer: Provided independent engineering support with regard to evaluation of proposed storage technology and controls for energy storage system designed for meeting wind farm interconnection requirements.  North Delhi Power Limited (NDPL) – Network and Automation Reliability Study: Analyzed impact of automation on NDPL 11 kV distribution system reliability. Provided automation roadmap with regard to reliabil ity analysis strategy and recommended automation solutions.  AES Corporation – Battery Energy Storage Testing: Developed a test plan and wrote test report for a 1 MW Battery Energy Storage System based on lithium-ion battery technology. Test plan was used to verify proper operation and performa nce characteristics of a prototype unit situated at a utility substation. Final report included content regarding compliance to utility interconnection standards, unit energy storage capacity and rating, unit efficiency characteristics and ability to carry out frequency regulation applications.  Hawaiian Electric Company – Lanai PV Station Interconnection Study: Analyzed the impact of adding a large-scale photovoltaic station to an island medium-voltage electric grid. Study provided interconnection requirements for the PV Station including disturbance ride-through and ramp rate response restrictions. Modeling consisted of both steady-state and dynamic analysis.  The United Illuminating Company – Distribution System Vegetation Management Review: Benchmarked UI’s vegetation management program against industry standard practices. Asea Brown Boveri (ABB) Lake Mary, FL: January 2007 to December 2007 Product Manager  Responsible for management of f eeder automation product portfolio. This includes monitoring of customer needs and competitors, monitoring of product line performance, development of market requirements, business plans and paybac k calculations. Support product promotion, marketing material creation and development of sales tools. Owner of product life cycle and IP- related issues. Asea Brown Boveri (ABB), Raleigh, NC: July 1999 to December 2007 Senior Principal Scientist  Directed internal R&D projects to support ABB business unit needs. De veloped prototypes for new hardware and software products. Participated in field pilots with customers. Project topics included: distribution automation, predictive equipment maintenance monitoring, utility transmission and distribution asset management performance benchmarking, storm outage crew planning, distribution system reliability analysis, industrial power quality. Lead R&D consultant for distribution automation and reliability. Corporate research university relations contact for US power system programs. Specific Project Experience:

42.  Assisted in the development, implementation an d management of techni cal security standards for multiple platforms in areas including: o Network Security o Access Control o Back Up and Recovery/Business Continuity/Emergency Response o Remote Dial-in Security o Server Security o Antivirus and PC Security o Information Asset Classifi cation and Protection o Acceptable Use o Privacy o Cryptographic Requirements (pub lic key infrastructure, Certificate Policies, Certification Practice Statements) for secure systems.  Integrated security program with the Department of Homeland Security threat levels, as well as with the Electric Sector-Information Sharing Analysis Center.  Developed the information security incident re sponse program and integrated it with the emergency preparedness program and business continuity plan. Professional Affiliations: Information Systems Audit and Control Association (ISACA) Information Systems Securi ty Association (ISSA) Professional Development: MS Office (Word, Excel, PowerPoint, Access , Outlook), SharePoint, Documentum, Acrobat, Symantec (Norton PC antivirus, firewall, and anti-spam) Business skills training in Leadership and Management, Team Building, Project Management, Total Quality Management, Training Development and Delivery, Assessments and Audits. Enterprise Information Security Architecture, Capability Maturity Model, Zachman Framework, Continuity of Operations and Cont inuity of Government (COOP/COG) Control Objectives for Information and relate d Technology (COBIT), Committee of Sponsoring Organizations of the Treadway Commission (COSO), IT Information Library (ITIL) NERC Critical Infrastructure Protection (CIP) Cyber Security Standards ISO/IEC 27001 Information Security Management Systems — Requirements, ISO/IEC 27002 Code of Practice for Information Security Manageme nt, NIST-800 Security Standards Series

41. California Independent System Operator (CAISO) – Through Accenture, Folsom, California: 1997 to 2004 Information Security Policy Manager (2002-2004) Information Security Manager (2000-2002) Senior Information Secu rity Lead (1997-2000) Mr. Huynh worked at the California Independent Sy stem Operator (CAISO) from December 1997 to April 2004. As a member of the start-up manage ment team, he instrument ed a rapid-development policy and standards program to secure CAISO as part of the National Critical Infrastructure resulting in the establishment of communication links and reporting procedures with the Electric Sector-Information Sharing and Analysis Center (E S-ISAC), InfraGard (link with the FBI), NERC and the Federal Regulatory Energy Commission (FERC). Mr. Huynh also helped develop, implement an d manage the Cryptographic Universal Design Architecture (CUDA-ISO) at CAISO, which in troduced the first commercial energy use of cryptography, smart cards and digital certificates. As the Information Security Policy Manager, he oversaw information security policy and controls management, information security process documentation and mapping, security awareness and training, and industry liaison, as well as assisted with the development of the Urgent Action Standard 1200 (information security standards) as a member of the NERC Critical Infrastr ucture Protection Advisory Group (CIPAG).  Jump started and managed the information security program during company start-up, which included: o Establishing process to harden and monitor existing and new servers going online o Securing web-based applications o Establishing network security o Integrating information security into th e system development life cycle, change management process, computer oper ations, and employee life cycle o Implementing security training curricul um and continuous awareness programs.  Developed and delivered presentations to Califor nia Energy Market Participants and established the Energy Market Security Alliance Forum (EMS AF) to discuss security related issues and facilitate the implementation of the security program.  Assisted in the design, implementation and mana gement of a PKI in the California ISO known as the Cryptographic Universal Design Architecture (CUDA-ISO®) introducing the first commercial energy use of cryptography, smart cards and digital certificates to: o Energy Management System/Supervisory Co ntrol and Data Acquisition (EMS/SCADA) o Firms Transmission Rights (FTR) o Meter Data Acquisition System (MDAS) o Automated Dispatch System (ADS).  Developed, implemented and managed information security policies, standards and procedures in alignment with the ISO/IEC 27001 and NERC 1 200 security standards (which evolved into the CIP Cyber Security Standards), as well as pertinent federal and state laws. Developed a Policy Road Map linking job functions with policies and standards.

55.  Developed data acquisition system for studying the impact of harmonic voltages and currents on revenue meter accuracy for a large US utility.  Worked with large US utility on several projects pertaining to impact of voltage power quality on industrial manufacturing.  Courses developed and taught include: ECE 36 0 Introduction to Power Engineering, ECE 807 Computer Methods in Power Systems, ECE 817 Po wer System Transients, ECE 416/616, Electric Power Distribution System Engineering, EC E 816 Electric Power Distribution System Engineering.  Instructor for Modern Power Systems Analysis sh ort course sponsored by Southeastern Electric Exchange at Auburn University, 1988-1996.  Instructor for Clemson Continuing Engineer ing Education PE Review Program on Power Systems Analysis, 1992-1999. North Carolina State University, Raleig h, NC: August 1983 to July 1989 Electrical and Computer Engineering Department Assistant Professor  Taught classes in power systems analysis, supe rvised graduate students and conducted R&D projects with electric utilities. Topics of projects included: distribution circuit reconfiguration for performance improvement, placement and contro l of capacitors on di stribution circuits, detection of high-impedance faults, application of artificial intelligence techniques for distribution circuit monitoring. Taught review courses at local electric meter school. Specific Project Experience:  Supervised utility-sponsored project on use of heuristic techniques for reconfiguring distribution feeders to eliminated overloads and reduce losses.  Supervised utility-sponsored project on first application of neural network-based classification to high impedance faults on elec tric power distribution circuits.  Courses developed and taught include: ECE 305 Electric Power Systems, ECE 632 Power System Stability and Control, ECE 457 Semiconductor Power Conversion, ECE 454 Electric Machinery, ECE 550 Power System Operation and Control, ECE 633 Computer Analysis of Large-Scale Power Systems.  Instructor for North Carolina Electric Meter Scho ol, Basics of Electric Power Circuits and Revenue Metering, 1986 -1989. Languages: Speaking Reading Writing English: Excellent Excellent Excellent Professional Affiliations:  Registered Professional Engineer in State of South Carolina  Senior Member of IEEE

33.  Kansas City Power & Light : Performed NERC cyber security assessment for three in-house EMS’s. The final analysis identified the do cumentation gaps between compliance and the current situation.  Southern California Edison : This project concentrated on getting SCE ready for their upcoming compliance audit and involved considerable procedural development.  Austin Energy: Performed NERC cyber security compliance assessment.  Seminole Electric Cooperative, Inc: Completed EMS Staffing Analysis and Operations Network security report. Fujitsu Network Communications, Richardson, Texas: 2012 to 2016 Director, Utility Industry  Provided worldwide direction and technical support services for the Utility industry clients.  Responsible for Smart Grid network security de sign, technology acquisitions and deployments, budgeting, and performance improvement. Ev aluated existing technologies and defined capacity planning requirements.  Accountable for the strategy & deployment of a Global Infrastructure Monitoring project including technical escalation & support processes. KEMA, Pennsylvania: 2008 to 2012 Director, Smart Grid Acted as a subject matter experts for AMI, DA, Re liability, Efficiency and Security, As Smart Grid Specialist is responsible for developing, establishing and maintaining Smart Grid standards, cyber security standards, policies, and guidelines on the use of Smart Grid technologies, systems and deployments while mini mizing the negative impact of security on business efficiency.  Portland General Electric: Project Manager for this ongoing EMS upgrade project. This project included development and EMS requirements, prequalification of vendors, and development of the statement of work for the new EMS.  OG&E: Led KEMA team in supporting this large investor owned utility in developing its enterprise wide security program for its CIP, NERC and Cyber-Security mandate. The security program also included OG&E’s AMI and Smart Grid program.  Lincoln Electric: Led project teams in developm ent of the Distribution Automation process, selection of automation technologies, networks and management systems.  CPS Energy: Led multiple KEMA teams in supporting this large municipality owned utility in developing its multi-year AMI and Smart Grid deployment program. This support included assessing business and technical requirements for the AMI and DA, communications infrastructure requirements, IT and OT requirements and business process change requirements. Developed a comprehensive business case for the company and the regulators for approval.  Kansas City Power and Light – Assisted KCP&L in developing of its enterprise wide security program for its CIP, NERC and Cyber-Security mandate. The security program also included KCP&L’s AMI and Smart Grid, WMS and OMS/OA S system integration and implementation.

54.  Interface to North American Power Systems Engi neering faculty. Responsible for organizing summer intern program and coordinating university research contracts.  Worked with Distribution Automation business in developing new architecture for Advanced Feeder Automation based on peer -to-peer network communications.  Developed pilot prototypes for new substation automation applications related to providing cost-effective asset management of substations and feeder components.  Lead project team in development of advanced fe eder automation configuration tool for setting relays.  Developed prototype of large stor m outage planning program that can be used as an add-on to ABB’s CADOPS outage management system.  Lead project team in development of models for estimating the failure rates of distribution components based on condition assessment.  Developed and taught one week short course on Electric Distribution Power Quality at CFE in Mexico  Developed new transmission and distribution cont ingency analysis engine used in Performance Advantage for Distribution (PAD) tool by dist ribution systems consulting group for grid reliability analysis.  Lead project team in development of Utility Performance Analysis tools used for benchmarking operation & maintenance performance. Tool rolled out globally by distribution systems group and used in various utility studies. Clemson University, Clemson, SC: August 1989 to July 1999 Electrical and Computer Engineering Department Associate Professor  Taught classes in power systems analysis, supe rvised graduate students and conducted R&D projects with electric utilities. Topics of projects included: distribution circuit measurement estimation, distribution circuit fault location for crew direction, industrial power quality modeling, and new techniques for electric ci rcuit disturbance classification. Served as department graduate progra m coordinator, which includ ed admissions and program promotions. Taught professional engineering re view courses on basic power systems analysis. Specific Project Experience:  Lead an R&D project with Empire State Electric Energy Research Corporation (ESEERCO) on a prototype electric power distribu tion system state estimator.  Supervised an R&D project with Duke Power Company for developing a fault location system for electric power distribution systems.  Supervised National Science Foundation project on use of artificial intelligence techniques for classifying disturbances on electr ic power distribution systems.  Working as a consultant, programmed and delivered an electric power distribution power flow and short-circuit package for use in a commercial environment for a large US utility.

66. the i Advantage TM methodology for interactive process modeling to document current OMS processes in New England and New York, includin g regional differences. A key part of the process modeling effort focused on data. The da ta areas assessed included the Smallworld GIS (circuit connectivity and customer to transformer relationships) which are critical for the OMS, the event codes used to classify outages, and permanent circuit changes initiated /executed by Operations (tap phase changes and normal switch positions). Data was also discussed from a regulatory reliability reporting perspective. The current processes were vetted against E&Y’s leading practices reference model to determine a common end-state target for a common OMS pr ocess. A phase I interim process was then developed to improve OMS process prior to th e ERP/WMS project rollout. An implementation project schedule and budget were developed compared to the OMS budget developed as part of the original E&Y “Operations Process and Tec hnology Systems Roadmap” project from 2002.  National Grid, US Transmission – Transmis sion Design and Construction Process Gap Analysis: August 2002 – January 2003. Mr. Roberts di rected this study to determine how the recently completed Distribution “Operations Process and Technology Systems Roadmap” could be leveraged for National Grid Transmission US. This study had the following deliverables:  Technology integration context recommend ations for transmission design and construction.  Identification of the gaps between the prev iously recommended distribution technology context and the transmission technology context recommended in this study.  A recommended action plan to address the gaps.  National Grid, US - Operations Process and Technology Systems Roadmap: December 2001 – May 2002. Mr. Roberts was the Project Manager for an Operations Process and Technology Systems Roadmap project that was initiated as a result of National Grid’s acquisition of Niagara Mohawk (electric and gas). The work included a review of a previously developed desired operations end-state from both a process and a technology standpoint for outage management, work management, graphic work design, engi neering system analysis, and field force automation. The work consisted of the following tasks:  England or NE) and Niagara Mohawk (New York or NY)  A confirmation and validation of the operations process and technology vision  A review and validation of the end-state operational business process model  Gap analysis between where they are and the envisioned end-state  System architecture development and techno logy evaluation and selection (included a review of vendor offerings in each application area)  Review and improvement of key performance metrics  A project implementation roadmap along with a cost analysis, a benefits analysis, and a risk assessment. SmithBucklin Corp., Chicago, Illinois: 1983 to 1991 Account Executive  Maintained simultaneous responsibilities for the administrative mana gement of a wholesale

38.  Association of Brazilian Utilities (ABRADEE), 2009, 2010  IBM Management Leadership Forum, 2002-2008  Customer Care and Billing Conferences, 1995-2004  Published articles and contributed to a Smart Grid books, 204-2010 Key Courses and Training  AMI Networking – ITRON  Mesh Networking – Silver Spring Networks  IBM Solution Consulting and Integration Core Methodology  IBM Network Security with Network Ar chitecture and Design Methodology  IBM Executive Management Development  IBM Commitment To Standards fo r on Demand Communications  IBM on Demand Workplace  VoIP Essentials  Cisco and Point to Multi Point Wireless Technologies  Alvarion WiMAX Systems Design Certification  Cisco Wireless LAN Networking and Site Design

21. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 18 Security Methodologies We use proven security assessment and system s engineering methodologies as part of our security architecture and oper ational assessments and security solutions. Our security assessment methodology is designed to assist or ganizations in identifying risk and developing practical risk mitigation strate gies. Our system analysis and design methodology is structured to assist organizations through the requirem ents analysis solution synthesis process. Security Assessment Methodology Assessment Objectives Input Establish Assessment Parameters • Requirements • Strategy • Timing • Constraints • Workplan • Tools Assess Gap Assess Current Security State Define Future Security State • Business / IT Security Vision • IT Security Strategy • Potential Security Tools • Strategic Alignment • Threat • Information & Asset • System Architecture and Management Respond to Immediate Risks • Technology Gap • Risk/Benefit Analysis • Initiatives Customer Agree? Customer Agree? Develop Roadmap • Business Case • Change Readiness • Improvement Portfolio • Portfolio Management Approach • Transition Plan Critical Risks Risks Yes No Output Security Strategy Approved Roadmap

37.  Team Lead responsible for implementation of a Se rvice Order Management system for a large water utility company. The SO module was integrated with MDSI mobile solution. Worked with client’s IT staff at all stages of the project from requir ements to implementation and solution support. Technology used: MDSI, DB2, CICS, COBOL.  Team Lead responsible for implementation of a Meter Management System for a large utility company. Worked with client’s IT staff at al l stages of the project from requirements to implementation and solution support. Technology used: DB2, CICS, COBOL, Micro Focus Cobol.  Northwest Water, UK – Customer Information Syst em implementation. Developed requirements for the Finance module. Captured requirements using ADW Case tools. Designed the solution and GUI interfaces. Developed key training re quirements and deployment strategy.  Based in Northwest England, PMO responsible fo r implementation of PWC’s Service 2000 CIS application by the teams from multiple vendors. Over 75 full time resources worked on this engagement. Job responsibilities included setting up the program management office, tools to manage the program office, change management proc ess and training the tools and techniques to the project managers.  Equitable Gas – Programmer analyst responsible for modifications and implementation of a CIS system based on PW Actron System. Williams Natural Gas , Tulsa, OK 1987 - 1989 Programmer Analyst Design and developed first 4GL Gas Accounti ng System for Williams Natural Gas. CERTIFICATIONS & MEMBERSHIPS Certified Project Manager IBM Consulting Institute, Dallas, TX Certified Information Systems Security Professional (CISSP) – in process of recertification Certified Information Se curity Manager (CISM) – in process of recertification Certified Wireless Network Professional (CWNP) Certification for Certified Wireless Network Administrator (CWNA) IEEE Member : Institute of Electrical and Electr onics Engineers Communications Society IEEE 802.16 Standards : Member of Standards Committee IEEE 1667 BPL Standards : Member of Standards Committee Speaking and Article Engagements:  International Metering Conference 2009, 2010, 2011 – Miami, Bogota and Rio  Smart Grid Conference 2011, 2012 - Singapore  Innovation Leaders Confer ence 2010, Dallas, Texas  KEMA Utility of the Future Conference 2009, 2010  Ministry of Energy and Mines, Peru, 2010

3. Table of Contents June 11, 2015 i 1.   Executive Summary ............................................................................................................... 1   1.1   NERC CIP and Cyber-Security Expertise ..................................................................... 2   1.2   Introduction to the NKSoft Utility Team ...................................................................... 8   2.   NKSoft Security Program Development Methodology ....................................................... 10   Enterprise Security Architecture Framework ...................................................................... 14   Security Methodologies ....................................................................................................... 18   NKSoft Approach ................................................................................................................ 20   Sample Deliverable .............................................................................................................. 23   3.   Description of Standard Process .......................................................................................... 25   Appendix A - Deliverable Guidelines ......................................................................................... 26   4.1   Biweekly Status Report .............................................................................................. 26   4.2   Enterprise Security Program Report ........................................................................... 26   5.   Appendix B - Project Change Control Procedures ............................................................... 27   Example Resumes ....................................................................................................................... 28    

22. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 19 System Analysis and Design Methodology Business Requirements Input Understand Concept of Operations at Appropriate Decomposition Level • System • Subsystem • Component • Software Module Consider trades on • Hardware • Software • Reliability • Maintainability • Availability • Performance • Cost • Schedule • Testing, etc. Synthesize Physical Solution Perform Functional Analysis   Define Performance Requirements • Performance • Physical • Constraints, etc. Evaluate Risks and Failure Modes Output Specification Reassess Business’ Needs Accept Solution? Customer Agree? Yes No Business Requirements Input Understand Concept of Operations at Appropriate Decomposition Level • System • Subsystem • Component • Software Module Consider trades on • Hardware • Software • Reliability • Maintainability • Availability • Performance • Cost • Schedule • Testing, etc. Synthesize Physical Solution Perform Functional Analysis   Define Performance Requirements • Performance • Physical • Constraints, etc. Evaluate Risks and Failure Modes Output Specification Reassess Business’ Needs Accept Solution? Customer Agree? Yes No

29. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 26 Appendix A - Deliverable Guidelines 4.1 Biweekly Status Report Purpose: NKSoft will provide a Biweekly Status Re port during the project to describe the activities that took place during the reporting period. Significant accomplishments, milestones, and problems will be described. Content: The report will consist of the following, as appropriate:  Activities performed during the reporting period  Activities planned for the next reporting period  Hours summary  Project change control summary  Problems, concerns, and recommendations  Other items of importance Delivery: One hard copy of the Biweekly Status Report will be delivered to Utility Project Manager within 3 working days following the reporting period. 4.2 Enterprise Security Program Report Purpose: NKSoft will develop and formally docume nt the new Program using the Security Program methodology outlined in section 2 of this document. Content: The Program Report will consist of the following, as appropriate:  Purpose  Intended Audience  Owner  Version Number  Approval Date  Revision History  Revision Program  Program Flow Diagram  Current State Analysis  Future State Design  Gap Analysis  Security Principles  Security Processes and Procedures  Security Roadmap  Security Rider Projects

26. NERC/CIP Security Offering Copyright @2010-2016 NKSoft Corporation April 22, 2016 23 Sample Deliverable A sample IT Security Policy Outline and an e-Ma il Security Policy excerpt created on previous engagements is provided below. IT Security Policy Contents 1. Introduction 1.1. Overview 1.2. Scope and Purpose of the IT Security Policy 2. Security Objectives and Principles 2.1. Objectives 2.2. Principles 3. Security Organization/Infrastructure 3.1. Responsibilities 3.2. Security Policies 3.3. Security Incident Reporting 4. IT Security/Risk Analysis and Management Strategy 4.1. Introduction 4.2. Risk Analysis and Management 4.3. Security Compliance Checking 5. Information Sensitivity and Risks 5.1. Introduction 5.2. Information Marking Scheme 5.3. Organization Information Overview 5.4. Organization Information Values/Sensitivity Levels 5.5. Threats/Vulnerabilities/Risks Overview 6. Hardware and Software Security 6.1. Identification and Authentication 6.2. Access Control 6.3. Event Logging and Audit Trail 6.4. Information Disposal/Deletion 6.5. Malicious Software 6.6. PC Security 6.7. Laptop Security 7. Communications Security 7.1. Introduction 7.2. The Networking Infrastructure 7.3. Internet 7.4. WAN 7.5. Dial-up 7.6. Wireless 7.7. Encryption/Message Authentication 8. Physical Security 8.1. Introduction 8.2. Location of Facilities 8.3. Building Security and Protection 8.4. Protection of Building Services 8.5. Protection of Supporting Services 8.6. Unauthorized Occupation 8.9. Protection of Staff 8.10. Protection against the Spread of Fire 8.11. Water/Liquid Protection 8.12. Hazard Detection and Reporting 8.13 Lightning Protection 8.14 Protection of Equipment against Theft 8.15 Protection of the Environment 8.16 Service and Maintenance Control 9. Personnel Security 9.1. Introduction 9.2. Terms of Employment 9.3. Security Awareness and Training 9.4. Employees 9.5. Self-employed people under contract 9.6. Third parties 10. Document/Media Security 10.1. Introduction 10.2. Document Security 10.3. Storage of Media 10.4. Disposal of Media 11. Business Continuity Management 11.1. Introduction 11.2. Backup and Recovery 11.3. Business Continuity Strategy 11.4. Business Continuity Plan(s) 11.5. Disaster Recovery Strategy 11.6. Disaster Recovery Plan(s) 12. Teleworking 13. Outsourcing Policy 13.1. Introduction 13.2. Security Requirements 14. Change Control 14.1. Feedback 14.2. Changes to the Security Policy 14.3. Status of the Document Appendices A List of Security Standards B List of Security Guides C IT Security Officer Terms of Reference D Terms of Reference for IT Security Committee E Contents of an IT System Security Policy


  • 1844 Total Views
  • 1598 Website Views
  • 246 Embeded Views


  • 0 Social Shares
  • 0 Dislikes

Share count

  • 0 Facebook
  • 0 Twitter
  • 0 LinkedIn
  • 0 Google+

Embeds 4

  • 5
  • 1
  • 1
  • 1