You need to be signed in to add your comment.

Sections 4.12.4, Security practices, 4.12.5, Security training and qualification and 4.12.6, Cyber security

Security practices

The application should describe the measures in the security program that ensure administrative and technical measures are implemented, maintained and documented in a security program.

The applicant should describe how access to prescribed equipment and information is limited to those workers having the appropriate security clearance and a valid need-to-know basis.

Security training and qualification

The application shall describe measures in place to ensure response workers are trained and capable of performing the duties described in section 30 of the Nuclear Security Regulations and in accordance with training requirements specified in REGDOC‑2.12.2, High-Security Facilities, Volume I: Nuclear Response Force [19]. The application should describe realistic drills and exercises to test the performance of security systems, processes, procedures and workers.

The application should describe the duties of the security officers. The applicant should demonstrate that the security officers are adequately equipped to perform their assigned duties and tasks.

The application should describe the process that ensures that the required documentation and necessary medical, physical and psychological certification of a person is obtained before that person can be authorized to act as a nuclear security officer.

Cyber security

The application should describe a cyber security program that ensures cyber assets that are subject to cyber security requirements are protected from cyber attacks. The application should address internal and external cyber threats.

The application should describe how the cyber security program is designed, implemented and maintained as an effective program. The application should provide information on the following program elements, including but not limited to:

·       defensive strategy and security architecture

·       policies and procedures

·       asset identification and classification

·       roles and responsibilities of the involved parties

·       security controls

·       awareness and training

·       configuration management

·       coordination with other programs

·       incident response, reporting and recovery plan

·       program review and maintenance

·       lifecycle approach to cyber assets

comment
Reply notification settings
Submitting your comment
Cancel

Consultation has concluded

    <span class="translation_missing" title="translation missing: en-US.projects.forum_topics.show.load_comment_text">Load Comment Text</span>