
Engineering Procedure

SAEP-99 29 October 2015


Process Automation Networks and Systems Security
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Scope............................................................. 2
2 Conflicts and Deviations................................. 3
3 Applicable Documents.................................... 3
4 Definitions....................................................... 5
5 Instructions..................................................... 9
6 Responsibilities............................................ 30
7 Training........................................................ 31

8 Appendix……………………………………… 32

Previous Issue: 06 November 2014 Next Planned Update: 29 October 2018


Page 1 of 33
Primary contact: Ouchn, Nabil Joseph (ouchnnj) on +966-13-8801365

Copyright©Saudi Aramco 2015. All rights reserved.


Document Responsibility: Plants Networks Standards Committee SAEP-99
Issue Date: 29 October 2015
Next Planned Update: 29 October 2018 Process Automation Networks and Systems Security

1 Scope

1.1 Purpose

This procedure provides the minimum mandatory security requirements for Process
Automation Systems (PAS), including their communication and networking
infrastructure. This procedure addresses “general” Plant operational security
requirements. More specific non-retroactive security requirements can be found
in the relevant system standards, such as SAES-Z-001, SAES-Z-004 or SAES-Z-010.

1.2 Application

This procedure applies to the plant IT managed firewall(s) and all PAS
components below it. The scope of this procedure includes, but is not limited to:

1.2.1 Information Networks and Systems hardware and software such as
Process Automation Network (PAN), Distributed Control Systems
(DCSs), Emergency Shutdown Systems (ESD), Programmable Logic
Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic
sensing systems, Power Monitoring System (PMS), Vibration
Monitoring (VMS), Multivariable Control applications (MVC), Smart
Valve Monitoring System (SVMS), Process Gas Chromatograph Data
(PGCD), Corrosion Monitoring System (CRMS), Closed-Circuit
Television (CCTV), Domain Controller (DC) and other monitoring,
diagnostic and related industrial automation and control systems.

1.2.2 Associated internal, human, network, or machine interfaces used to
provide control, safety, maintenance, quality assurance, and other
process operations functionalities.

1.2.3 Firewall equipment used to interface PAN to corporate network.

1.2.4 The plant DMZ and all of its components per SAES-T-566.

1.3 Exclusions
1.3.1 Where a requirement is not supported by the system, mitigating
controls approved by the plant manager shall be implemented instead.
These mitigating controls shall be based on a formal risk
assessment/business impact analysis.

1.3.2 This procedure does not cover Saudi Aramco Industrial Security
requirements such as gate access, door thickness, lock types or concrete
structure.


1.3.3 Applications or systems that are not utilized for any process automation
function and not connected to the PAN.

1.4 Responsible Organizations

This procedure is retroactive in nature and applies to all Saudi Aramco Plant
organizations for existing installations. Additional responsibilities are
highlighted in Section 6 of this document.

1.5 The security requirements address the following eight security domains:
o Access Control Systems and Methodology.
o Communications and Networks Security.
o Security Management Practices.
o Applications and Systems Development Security.
o Security Architecture and Models.
o Operations Security and Management.
o Disaster Recovery Planning (DRP).
o Physical Security.

2 Conflicts and Deviations

2.1 Any conflicts between this procedure and other applicable Saudi Aramco
Engineering Standards (SAES's), Materials System Specifications (SAMSS's)
Standard Drawings (SASDs), or industry standards, codes, and forms shall be
resolved in writing to the Manager of Process & Control Systems Department
(P&CSD) of Saudi Aramco, Dhahran.

2.2 Direct all requests to deviate from any mandatory security requirement of
this procedure in writing to the Manager of P&CSD of Saudi Aramco, Dhahran,
in accordance with SAEP-302.

3 Applicable Documents

The requirements contained in the following documents apply to the extent specified in
this procedure.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures


SAEP-302 Instructions for Obtaining a Waiver of a Mandatory
Saudi Aramco Engineering Requirement


SAEP-707 Risk Assessment Procedure for Plants Networks and Systems

Saudi Aramco Engineering Standards


SAES-T-566 Plant Demilitarized Zone (DMZ) Architecture
SAES-Z-001 Process Control Systems
SAES-Z-004 Data Acquisition (SCADA) Systems
SAES-Z-010 Process Automation Networks Connectivity

Saudi Aramco Engineering Report


SAER-6123 Process Automation Networks Firewall Evaluation
Criteria

Saudi Aramco Engineering Best Practice

SABP-Z-070 Process Automation Systems Cybersecurity Obsolescence Management

Saudi Aramco General Instructions


GI-0710.002 Classification of Sensitive Information
GI-0299.120 Sanitization and Disposal of Saudi Aramco Electronic
Storage Devices and Obsolete/Unneeded Software
GI-0431.001 Protection of Intellectual Property

Saudi Aramco Information Protection Standards and Guidelines


Information Protection Manual version 2013-10

Corporate Policy
INT-7 Data Protection and Retention

3.2 Industry Codes and Standards

Institute of Electrical and Electronics Engineers, Inc.


IEEE 1394 Standard for a High Performance Serial Bus

National Institute of Standards and Technology


NISTIR 7977 NIST Cryptographic Standards and Guidelines
Development Process (Second Draft)


4 Definitions

4.1 Abbreviations
ACL Access Control List
AD Active Directory
ANSI American National Standards Institute
CSA Computer Security Administration
DC Domain Controller
DCS Distributed Control System
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Service
DRP Disaster Recovery Planning
DSS Decision Support System
ESD Emergency Shutdown Systems
FTP File Transfer Protocol
GOI General Operating Instructions
IOS Internetwork Operating System
IPS Intrusion Prevention System
MOC Management of Change
NDA Non-Disclosure Agreement
NIST National Institute of Standards and Technology
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System
PIB Process Interface Buildings
PCN Process Control Network
PCS Process Control Systems
P&CSD Process & Control Systems Department
PLC Programmable Logic Controller
PMS Power Monitoring System
RDP Remote Desktop Protocol
SAES Saudi Aramco Engineering Standard
SCADA Supervisory Control and Data Acquisition


SDH Synchronous Digital Hierarchy


SIEM Security Information and Events Management
SLA Service Level Agreement
SOC Security Operation Center
SSH Secure Shell
TCP/IP Transmission Control Protocol / Internet Protocol
TLS Transport Layer Security
TMS Terminal Management System
USB Universal Serial Bus
VLAN Virtual Local Area Network
VMS Vibration Monitoring System
VPN Virtual Private Network
WAN Wide Area Network

4.2 Definitions

Access Control: Means of controlling and regulating access to computing
resources and information.

Asset: An asset is anything that has value to the organization and which
therefore requires protection. Bear in mind that a plant system consists of more
than just hardware and software.

Authentication: The process of verifying the identity of a user through a
credential such as a password or hardware key.

Authorization: A right or a permission that is granted to an entity to access a
system or a resource.

Backup: A data image stored separately from the original, for use if the
original becomes lost or damaged.

Confidentiality: The process of ensuring that information is not disclosed to
unauthorized individuals, processes, or devices.

Configuration Baseline: A system configuration that has been approved at a
point in time and should be changed only through a formal change control
procedure. The configuration baseline can be used as the basis for future changes.

Firewall: An inter-network connection device that controls data communication
traffic between two or more connected networks.

Firewire: An IEEE 1394 high performance serial bus standard for connecting
devices to computers.

Hardware Key: A physical key or dongle that is used to regulate access to a
system or an application.

Integrity: The process of ensuring data accuracy and authenticity.

Logs: Files or prints of information in chronological order.

Non-Disclosure Agreement: A contract that restricts the disclosure of
confidential information or proprietary knowledge under specific circumstances.

PAN: A plant wide network interconnecting Process Control Networks (PCN)
and providing an interface to the WAN. A PAN does not include proprietary
process control networks provided as part of a vendor's standard process control
system.

PAN Administrator: A system administrator that performs day-to-day
maintenance activities on the PAN devices (e.g., administration, configuration,
upgrade, monitoring, etc.). The PAN administrator also performs additional
functions such as granting, revoking, and tracking access privileges for PCS
operating systems and applications.

Password: Sequence of characters (letters, numbers, symbols) used as a secret
key for accessing a computer system or network.

Plant Main Gate(s): Physically restricted access points through perimeter
security fencing into Saudi Aramco process facilities. Such points, when
manned, are typically controlled by Saudi Aramco Industrial Security
Operations (ISO) organizations via identification, privilege validation and
logging. While both manual and electronic procedures are still in use, the use
of electronic ID card readers has become the prevalent methodology.

Primary Assets: Those assets whose compromise would, in any way, hinder the
organization from accomplishing its business objective(s):
o Information
o Core Business Processes

Process Automation System (PAS): A network of computer-based or
microprocessor-based electronic equipment whose primary purpose is process
automation. The functions may include process control, safety, data acquisition,
advanced control and optimization, historical archiving, and decision support.

Process Control Network (PCN): A proprietary process control network
provided as part of a vendor's standard process control system.

Process Control System (PCS): The integrated system which is used to
automate, monitor and/or control an operating facility (e.g., Plant process units).
The PCS consists of the operating area DCS and their related Auxiliary systems,
which are connected together at the PCN and PAN level to form a single
integrated system.

Remote Access: The ability of a user to connect to a network asset (system, device
or application) from a distant location. When connected, the user can monitor or
manipulate the configuration to modify or update the asset’s capabilities.

Secure Room: A room within the plant premises, e.g., the CCR or server rooms,
where physical security controls such as access identification, authorization and
logging are applied.

Separation (Logical): Logical separation is indicated by the virtual isolation of
network assets by means of multiplexing or the use of software emulation
technologies such as VLAN, VPN or SDH dedicated circuits.

Separation (Physical): Physical separation is indicated by the comprehensive
isolation of network assets such as switches, medium and housing cabinets to
achieve the highest level of security.

Server: A dedicated, unattended system that provides data or services to other systems.

Service account: An account used by a process running on a computer
operating system in a non-interactive mode.

Service Level Agreement (SLA): Contract between a service provider and a
customer; it details the nature, quality, and scope of the service to be provided.

Supporting Assets: Assets servicing ‘Primary Assets’ and typically include:
o Hardware
o Software
o Network
o Personnel

User Account: An established relationship between a user and a computer,
network or information service such as an Operating System or Application.

Vulnerability: A flaw or weakness in a system's design, implementation,
operation or management that could be exploited to violate the system's integrity
or security policy.

5 Instructions

In this procedure, the terms “must”, “shall”, “should” and “can” are used. When must
or shall is used, the item is a mandatory requirement. When should is used, the item is
strongly recommended but not mandatory. When can is used, compliance may further
enhance the system security but compliance is optional.

The following instructions shall be adhered to:


a. The user of this procedure must exercise sound professional judgment concerning
its use and applicability under user's particular circumstances.
b. The user must also consider the applicability of any government regulatory and
Saudi Aramco standards before implementing this procedure.

5.1 Access Control Systems and Methodology

5.1.1 Access to PAN devices (e.g., switches, routers and Plant-managed
firewalls) should be restricted to PAN administrators.

5.1.2 Access to PCS operating systems and PCN devices for administration
purposes shall be restricted to PAN administrators.

5.1.3 Access to PCS applications for Plant operation and control purposes
shall be restricted to Plant authorized Operators and Operations
Supervisors.

5.1.4 Access to PCS applications for monitoring and diagnostics purposes
shall be restricted to authorized Engineers and Maintenance technicians.

5.1.5 Access to PCS applications for PCS configuration purposes shall be
restricted to Plant authorized engineers and authorized PCS maintenance
technicians.

5.1.6 Authentication and Authorization

Passwords shall be the minimum authentication methodology.
The logon/logoff process shall not cause system interruptions.

5.1.7 For systems with password authentication, the following shall apply:
a. Passwords shall have a minimum length of eight characters.
b. The system shall be configured to enforce password uniqueness.
A minimum of six unique passwords must be entered before a
password can be re-used.


c. The system shall be configured to enforce password complexity
rules as follows:
A password must contain at least three of the following four character
classes: lower case letters a-z, upper case letters A-Z, digits 0-9, and
punctuation characters (e.g., ! @ # $ % ^ & *).
d. The system shall enforce password change for individual user IDs as
follows:
i. The change must be executed by the user.
ii. Upon password expiry, the system shall not cause an account
lockout.
iii. Every three months, if the system utilizes centralized account
management.
iv. Every 6 months, if the system utilizes local account
management.
e. Shared operator account passwords are recommended to be changed
manually every 12 months. The password change shall be
communicated to the Operators using the account.
f. Service account passwords should be changed every 12 months.
g. Accounts shall be locked for 24 hours or until the PAN administrator
unlocks the account after five consecutive failed logon attempts.
Operator stations in attended areas are exempted from this requirement.
h. Passwords shall be masked on the screen while being entered.
i. Passwords shall be guarded to prevent unauthorized access.
j. All vendor-supplied default passwords and SNMP community
strings for predefined accounts shall be changed immediately after
installation or upgrade.
k. In order to change user account passwords, users should always be
required to provide both their old and new passwords.
l. The primary administrative privileged account and password shall
always be stored in a sealed envelope in a safe and made available
for immediate retrieval in emergencies. A new set of passwords
shall be configured and stored in the envelope once the old envelope
seal is broken. A password log tracking expiration and usage of
master passwords shall be maintained, for example in a notebook locked
in a vault or safe.
m. Passwords shall only be transmitted between networks using secure
protocols (e.g., SSH, TLS or VPN).
n. An automatic message should be sent to users notifying them about
passwords to be expired within 10 days.
o. Users shall maintain their own passwords and keep them
confidential.
p. Group passwords shall be kept within the group members only.
q. All password records (e.g., paper, software file, etc.) should be
avoided unless they are stored securely in a safe and approved by
the Plant manager. They should be encrypted if electronically
stored.
Commentary Note:

Unless specified, encryption wherever mentioned in this document
shall be aligned with NISTIR 7977 as a minimum.

r. Passwords shall be changed whenever there is an indication of
possible password compromise.
s. Application account passwords should be used in
encrypted/protected and encapsulated form and shall not be coded
into the application in plain text.
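The following PowerShell script is an added worked example and is not part of SAEP-99 or of any vendor baseline. It maps the values in 5.1.7 a, b, c, d and g onto the Windows controls that enforce them, once for a domain (centralized account management, 5.1.7 d.iii) and once for a stand-alone host with local accounts (5.1.7 d.iv), and adds a read-only check of the domain policy. The domain name 'plant.example', the function names and the temporary file paths are assumptions for illustration.

```powershell
# Added example for SAEP-99 5.1.7 (not part of the procedure or of any vendor
# baseline). Requires an elevated session; the domain functions need the RSAT
# ActiveDirectory module. Domain name and temp paths are assumptions.

# One table for the 5.1.7 values so the domain and local variants cannot drift.
$Saep99 = @{
    MinLength      = 8      # 5.1.7 a
    History        = 6      # 5.1.7 b: unique passwords before re-use
    MaxAgeDomain   = 90     # 5.1.7 d.iii: centralized account management
    MaxAgeLocal    = 180    # 5.1.7 d.iv: local account management
    LockoutAfter   = 5      # 5.1.7 g: consecutive failed logons
    LockoutMinutes = 1440   # 5.1.7 g: 24 hours (or until a PAN administrator unlocks)
}

function Set-Saep99DomainPasswordPolicy {
    param([Parameter(Mandatory)][string]$Domain)   # e.g. 'plant.example' (assumed name)
    Import-Module ActiveDirectory
    $policy = @{
        Identity                    = $Domain
        MinPasswordLength           = $Saep99.MinLength
        PasswordHistoryCount        = $Saep99.History
        ComplexityEnabled           = $true   # 5.1.7 c: Windows' 3-of-4 character-class rule
        ReversibleEncryptionEnabled = $false
        MaxPasswordAge              = New-TimeSpan -Days $Saep99.MaxAgeDomain
        MinPasswordAge              = New-TimeSpan -Days 1   # blocks cycling through the history at once
        LockoutThreshold            = $Saep99.LockoutAfter
        LockoutDuration             = New-TimeSpan -Minutes $Saep99.LockoutMinutes
        LockoutObservationWindow    = New-TimeSpan -Minutes $Saep99.LockoutMinutes
    }
    Set-ADDefaultDomainPasswordPolicy @policy
}

function Set-Saep99LocalPasswordPolicy {
    # net accounts covers length, history, age and lockout; the complexity rule
    # (5.1.7 c) is only reachable through the local security policy (secedit).
    net accounts /minpwlen:$($Saep99.MinLength) /uniquepw:$($Saep99.History) `
        /maxpwage:$($Saep99.MaxAgeLocal) /minpwage:1 `
        /lockoutthreshold:$($Saep99.LockoutAfter) `
        /lockoutduration:$($Saep99.LockoutMinutes) /lockoutwindow:$($Saep99.LockoutMinutes)

    $inf = Join-Path $env:TEMP 'saep99-secpol.inf'   # assumed working files
    $db  = Join-Path $env:TEMP 'saep99-secpol.sdb'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    (Get-Content $inf) -replace '^PasswordComplexity\s*=.*$', 'PasswordComplexity = 1' |
        Set-Content $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

function Test-Saep99DomainPasswordPolicy {
    # Read-only: one row per 5.1.7 requirement with the observed value.
    param([Parameter(Mandatory)][string]$Domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $ageDays    = $p.MaxPasswordAge.Days
    $lockoutMin = $p.LockoutDuration.TotalMinutes   # 'never' (a huge value) also satisfies g.
    $rows = @(
        [ordered]@{ Item = '5.1.7 a minimum length';    Expected = ">= $($Saep99.MinLength)";      Actual = $p.MinPasswordLength;    Pass = ($p.MinPasswordLength -ge $Saep99.MinLength) }
        [ordered]@{ Item = '5.1.7 b password history';  Expected = ">= $($Saep99.History)";        Actual = $p.PasswordHistoryCount; Pass = ($p.PasswordHistoryCount -ge $Saep99.History) }
        [ordered]@{ Item = '5.1.7 c complexity';        Expected = 'True';                         Actual = $p.ComplexityEnabled;    Pass = [bool]$p.ComplexityEnabled }
        [ordered]@{ Item = '5.1.7 d max age (days)';    Expected = "1..$($Saep99.MaxAgeDomain)";   Actual = $ageDays;                Pass = ($ageDays -ge 1 -and $ageDays -le $Saep99.MaxAgeDomain) }
        [ordered]@{ Item = '5.1.7 g lockout threshold'; Expected = "1..$($Saep99.LockoutAfter)";   Actual = $p.LockoutThreshold;     Pass = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le $Saep99.LockoutAfter) }
        [ordered]@{ Item = '5.1.7 g lockout (minutes)'; Expected = ">= $($Saep99.LockoutMinutes)"; Actual = $lockoutMin;             Pass = ($lockoutMin -ge $Saep99.LockoutMinutes) }
    )
    foreach ($r in $rows) { [pscustomobject]$r }
}

# Usage (domain):  Set-Saep99DomainPasswordPolicy -Domain 'plant.example'
#                  Test-Saep99DomainPasswordPolicy -Domain 'plant.example' | Format-Table -AutoSize
# Usage (local):   Set-Saep99LocalPasswordPolicy; net accounts
```

Run the Set- functions from an elevated session under the change management process required by 5.3 t; the Test- function is read-only and its output can be kept with the annual account review of 5.1.13 f. Two points worth knowing: net accounts cannot set the complexity rule, which is why the local variant goes through secedit, and a lockout duration of "never" (until an administrator unlocks) also satisfies 5.1.7 g, which is why the check tests for a minimum rather than an exact value.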

5.1.8 For systems with hardware key authentication, the following shall apply:
a. The shift coordinator or his delegated shift supervisor shall be
responsible for keeping and issuing the keys.
b. The keys should be restricted to authorized individuals.
c. The use of hardware keys shall be logged.
d. The key shall be securely stored within the facility and be available
after regular working hours.
e. The keys should only be used for the duration required.
f. Key logs should be reviewed on an annual basis to ensure that keys
are appropriately secured and accounted for.
g. The hardware key shall not be used for administrative purposes.


5.1.9 User Accounts

a. Individual accounts are mandatory for all roles such as
Administrators, Supervisors, Maintenance Technicians, Operations
Supervisors, Superintendents and Engineers.
b. Shared Operating System accounts can be used for systems with the
following criteria:
i. User Management / Access Control function implemented
within the application with event logging
ii. The availability of control safeguards such as logon scripts or
profile settings to protect against potential system bypass or
intrusions.

iii. The application is not intended to Administer or perform any
privileged action on the system, PCN or PCS.
c. GUEST accounts shall be removed or disabled on all systems.
d. The use of administrative accounts shall be limited for system
administration, configuration, support, diagnostics, and not for
day-to-day plant operation. These accounts shall be reviewed every
12 months to ensure their continued legitimacy for business and
shall be locked when not needed.
e. Shared operator accounts shall be restricted to those authorized by
the Plant management. The use of such accounts shall be
documented and reviewed/verified annually.
f. Shared “view only” accounts, if required, shall be restricted to those
authorized by the facility management. The use of such accounts
shall be documented and reviewed annually.
g. Individual accounts are mandatory, including for Operators, in
unattended areas such as PIBs. A shared Operator account can be used
in attended areas such as the Central Control Room.
h. Operator accounts shall have a restricted user profile that prevents
them from installing/uninstalling programs, changing software
configuration, or accessing floppy disk drives, CD drives or ports
(e.g., Firewire, USB, Ethernet, Serial, etc.) that enable
communication with computer peripherals (e.g., personal media
players, flash drives, external hard drives, or any other portable
media).


i. Operator and Service accounts shall be excluded from the automatic
password change policy; however, the PAN administrator shall
make sure that Service account passwords are changed manually
every 12 months.
j. Operators, Plant engineers and Maintenance personnel should not be
granted access to administer networks or perform operating system
configurations.
k. As part of processing the access request form, the PAN
administrator shall communicate all password requirements as
specified in section 5.1.7 to the user being granted access to the
plant system prior to the user account creation.
l. Concurrent user sessions shall not be allowed.

5.1.10 User Account Format

All individual User ID formats should conform to corporate guidelines
as highlighted in Section 11.2.1.7 “USER ID CONSTRUCTION” in the
Saudi Aramco Information Protection Manual.

5.1.11 System Access

a. System Login scripts, if any, shall be configured to prevent a user
bypassing them.
b. Repeated login failures shall be logged with the component name,
date, time and user account.
c. Upon logon failure, the system shall not indicate to the user
whether the failure is caused by the wrong user name or password.
d. When logging into a system, the user should be given information
reflecting the last login time and date.
e. Auto-logoff feature shall be configured for all systems excluding
those at operators' consoles.

5.1.12 Remote Access

a. Remote access from across the plant/IT firewall is not allowed.
b. RDP protocol can be used from within the plant network provided
the following requirements are met:
i. The default administrative account is changed from
“Administrator” to a less guessable account name.


ii. The session traffic should be encrypted using the built-in
Microsoft RDP encryption.
iii. It is recommended to use Windows firewall in systems to
limit the access using RDP session to only authorized
administrative systems.
iv. An RDP session is associated with the LSA (Local Security
Authority), which keeps the logon credentials in memory. Rebooting
the system when the session is over is recommended whenever
possible.
v. RDP sessions shall be logged.
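The script below is an added example, not part of SAEP-99 or of any vendor guidance, that applies 5.1.11 b, d and e and 5.1.12 b on a Windows PAS host: it enables failed-logon auditing so that the component name, date, time and account required by 5.1.11 b are recorded in Security event 4625, turns on the previous-logon display, sets an inactivity lock, renames the built-in Administrator account, raises the RDP encryption level, scopes the Windows Firewall RDP rules to the administrative systems, and lists RDP logons from the event log for 5.1.12 b.v. The administrative host addresses, the replacement account name 'pasadm01' and the 900-second idle limit are assumptions.

```powershell
# Added example for SAEP-99 5.1.11 b, d, e and 5.1.12 b (not part of the
# procedure). Run elevated on a Windows PAS host inside the plant network.
# Admin host addresses, the new administrator name and the idle limit are assumed.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-Saep99LogonControls {
    param([int]$IdleSeconds = 900)   # assumed; 5.1.11 e gives no number
    # 5.1.11 b: with failure auditing on, each failed logon is Security event 4625,
    # carrying the account, the workstation (component) name and the timestamp.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable | Out-Null
    # 5.1.11 d: show the previous successful logon (and failed attempts) at logon.
    Set-ItemProperty -Path $PolicyKey -Name DisplayLastLogonInfo -Type DWord -Value 1
    # 5.1.11 e: Windows has no auto-logoff; the machine inactivity limit locks the
    # session instead. Skip this on operator consoles, which 5.1.11 e excludes.
    Set-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -Type DWord -Value $IdleSeconds
}

function Set-Saep99RdpHardening {
    param(
        [Parameter(Mandatory)][string[]]$AdminHosts,   # e.g. '10.10.5.21','10.10.5.22' (assumed)
        [string]$AdminName = 'pasadm01'                 # assumed replacement name (5.1.12 b.i)
    )
    # 5.1.12 b.i: the renamed account keeps RID 500, so this only defeats name
    # guessing; the lockout policy and the host scope below do the real work.
    if (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue) {
        Rename-LocalUser -Name 'Administrator' -NewName $AdminName
    }
    # 5.1.12 b.ii: built-in RDP encryption at High (3), TLS security layer (2) and
    # Network Level Authentication so credentials are checked before a session exists.
    Set-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -Type DWord -Value 3
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Type DWord -Value 2
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Type DWord -Value 1
    # 5.1.12 b.iii: scope the built-in "Remote Desktop" firewall rules to the
    # administrative systems instead of the default RemoteAddress of Any.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Any -RemoteAddress $AdminHosts
}

function Get-Saep99RdpLogon {
    # 5.1.12 b.v: RDP logons are Security events 4624/4625 with LogonType 10.
    # Returns one object per event; export it to the SIEM or keep it with the MOC record.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('o')
    $xpath = "*[System[(EventID=4624 or EventID=4625) and TimeCreated[@SystemTime>='$since']]" +
             " and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $result = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Result    = $result
                Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
                Component = $_.MachineName
            }
        }
}

# Usage:  Set-Saep99LogonControls
#         Set-Saep99RdpHardening -AdminHosts '10.10.5.21','10.10.5.22'
#         Get-Saep99RdpLogon -Hours 24 | Format-Table -AutoSize
```

Two caveats a reviewer would raise: renaming the built-in account (5.1.12 b.i) leaves its RID at 500, so it only removes the obvious name and must be paired with the lockout policy and the firewall scope; and Windows has no built-in auto-logoff, so InactivityTimeoutSecs locks the session rather than logging it off, which is why 5.1.11 e's exclusion of operator consoles must be honoured when the function is rolled out. The generic "user name or password is incorrect" message required by 5.1.11 c is Windows' default behaviour and needs no setting.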

5.1.13 User Account Management

a. An up-to-date, accurate and comprehensive procedure relating to
user account management (user registration, de-registration and
allocation of access rights and associated privileges) shall be
documented, approved by Plant Management, communicated to
support staff and effectively implemented.
b. A formal authorization procedure shall be in place by which
standardized access request forms are completed, reviewed by
appropriate Supervisors based on business and security
requirements, approved by the Plant Superintendent and retained
for future reference, to grant requester access to the PAS
components. Approved access request forms should exist for all
types of accounts, including system and application accounts.
Manager approval is required for non-plant personnel.
c. Access shall not be provided until the authorization procedure has
been completed.
d. Access privileges assigned should be commensurate with the user’s
business roles and responsibilities.
e. Users shall sign statements indicating that they understand the
terms and conditions of access (this may be included with the
access request forms).
f. All accounts and their associated access level shall be reviewed for
appropriateness every 12 months.
g. A process shall be documented and in place to notify PAN
administrators to modify or revoke access as follows:
i. Seven days for job/role changes.


ii. Three days for termination of employment.


h. Unneeded/unused accounts shall be removed rather than being
locked.
i. Standard user access profiles should be created for common job
roles (e.g., operator, process area supervisor, maintenance engineer
/ technician, etc.) to facilitate the creation of individual user access
privileges based on user role or user group to which they are
assigned.
j. Centralized user authentication and account management
methodology is highly recommended.

5.2 Security Management Practices

5.2.1 Security Policies

In addition to this procedure, the following are applicable Saudi Aramco
documents for plant information security policies:
a. Management Statement of Policy “INT-7“
(URL: http://corpplan/LRPD1/corporat.htm)
b. Classification of Sensitive Information “GI-0710.002“,
dated February 1st, 2008 (URL: http://gi/html/data/0710_002.pdf).
c. Sanitization and Disposal of Saudi Aramco Electronic Storage
Devices and Obsolete/Unneeded Software “GI-0299.120,”
dated March 1st, 2010 (URL: http://gi/html/data/0299_120.pdf).

5.2.2 Security Awareness

Security awareness refers to the general, collective awareness of an
organization's personnel of the importance of security and security
controls. Plant management shall ensure that their personnel have an
adequate understanding and awareness of PAS security in addition to
general comprehension of corporate standards and procedures purpose
and use. This can be done through:
a. Interactive Presentations:
Security awareness presentations as part of organizations
communication meetings on an annual basis.
b. Publishing and Distribution:


Posters, email, updates, alerts, etc., sent from plant management to
their PAS user community.

Saudi Aramco departments, such as P&CSD, the IT Information Protection
Awareness Group or Industrial Security, can be contacted for assistance
in obtaining awareness material for this purpose.

5.3 Applications and Systems Security

a. Applications must log all successful and unsuccessful logon attempts with
the timestamp of each logon. They must also log sensitive transactions and
sensitive changes as defined by the application owner. The log shall identify
what was changed, when, and by whom.
b. During the development of in-house applications, all special access paths,
back-doors and short-cuts used to bypass the application security
mechanism shall be removed prior to moving the application to
production.
c. Security configuration baseline shall be obtained from PAS vendors,
including those of the PAN equipment. The provided vendor baselines
shall not lower the security posture of a system below SAEP-99
requirements.
d. In coordination with responsible vendors, a security baseline shall be
thoroughly tested and modified as required to ensure that the security
settings will not adversely impact operations.
e. A Security configuration baseline shall be implemented on all existing
PAS components, in coordination with responsible vendors, utilizing a
formal change management process.
f. The implemented configuration settings shall be periodically monitored to
ensure compliance with the latest vendor approved baseline.
g. Security configuration baselines shall be adjusted whenever required
(e.g., software upgrades) and re-applied.
h. Up to date documentation including as built drawings, logical network
design, and systems information (Operating System version, Serial
Number, etc…) shall be maintained.
i. Appropriate backups of the systems and/or applications must be performed
prior to any patch installation.
j. Up-to-date, accurate and comprehensive procedures relating to Security
and Operational Upgrade and Patch Management for each PAS shall be
documented, approved by Plant Management, communicated to support
staff and effectively implemented, including but not limited to:
i. Responsibilities for identifying, evaluating, testing and installing
software upgrades and patches.
ii. Identification of patches and software upgrades upon release by the
vendor, such as subscribing to vendor mailing lists and/or reviewing
vendor websites.
iii. Evaluation and testing of the applicability of the patch or software
upgrades in consultation with the vendor. Software upgrades and
patches are installed only after they have been tested and certified by
the vendor as being compatible with the PCS software.
iv. Defined timeframes for implementation of the patch or update.
v. Rolling out the patch or software upgrade.
k. Security and Operating System upgrades and patches for each PAS shall
be identified and implemented in compliance with vendor
recommendations within six months from availability. Software (e.g.,
operating systems, IOS, etc.) and patches shall only be obtained from
relevant vendors.
l. Unattended PAN equipment shall have appropriate protection, such as
configuring connection/session timeouts for consoles. For equipment not
supporting session timeout, the user shall terminate all active sessions or
log off from the equipment when finished.
m. Unused network ports shall be disabled on the device or disconnected on
the patch panel.
n. Upon logon, systems shall be configured to display a warning banner with
the following text “This Computer is for Company business use only.
This system may be monitored as permitted by law. Unauthorized use may
result in criminal prosecution, termination or other action”. For operator
consoles, a printed sticker may alternatively be used.
o. Approved anti-virus software shall be installed on all Windows-based PAS
servers and workstations. The following shall be considered when
applying Anti-Virus software:
i. Up-to-date, accurate and comprehensive procedures relating to
anti-virus management, including proper installation, configuration
and software update, shall be documented in accordance with PAS
vendor recommendations, approved by Plant Manager, communicated to
support staff and effectively implemented.
ii. Timeframes for updating software version and virus definition files
shall be in line with PAS vendor recommendations.
p. Anti-virus software shall be configured according to PAS vendor
recommendations, including the different configuration options within the
scanning software such as On-Access Scanning, Full Scanning, Buffer
Overflow Protection, Directories to be excluded from scanning, etc.
q. The Antivirus application shall be configured so it cannot be disabled by
users.
r. Application whitelisting is recommended for all PAN and PCS
workstations and servers.
s. Insecure protocols, such as SNMP (v1/v2c, which authenticate only by a
cleartext community string) and HTTP, are not allowed unless deemed
required and documented; where the function is required, the
authenticated and encrypted equivalents (SNMPv3 with authentication
and privacy, HTTPS) shall be used.
t. Relevant hardening procedures shall be applied on all plant networks and
computer systems. Change management process shall be followed.
Commentary Note:

Hardening procedures can be obtained from P&CSD published hardening
best practices (SABP-Z-050 through SABP-Z-066) in the absence of
vendor supplied hardening guidelines.

u. SABP-Z-070 shall be used to identify obsolete systems and the mitigation
controls that shall be applied.

5.4 Security Architecture and Models

5.4.1 Communication and Network Security Controls


a. Ensure physical and logical separation between PAS and Corporate
networks inside plant fence.
b. The intent of the Physical space requirement is to provide a clear
equipment identification to prevent it being serviced
unintentionally by another organization. Table 1 below provides
further details on the minimum requirements:


Table 1 - Minimum Physical Space and Network Requirements

Physical Space
  Locked cabinet for shared rooms: the cabinets shall have identification
  plates with contact information.

Network
  In-plant connectivity: dedicated cables for both primary and backup;
  cables shall be tagged and secured.
  Remote site connectivity, Control: fiber optic strands for primary and
  secondary.
  Remote site connectivity, Information and Monitoring: transmission
  circuit (i.e., SDH).

c. Network segmentation within the plant shall be implemented by
interconnecting different systems communicating with each other
utilizing a network firewall. Segmentation shall be implemented at
the autonomous system as a minimum.
d. PAN shall not interface to other networks without the use of a
firewall.
e. The firewall represents a security and functionality boundary, thus,
in the event of a connection loss to the corporate network, full
functionality of plants networks and systems shall be maintained
internally. For this purpose, plant systems shall not be configured
to rely on IT provided services such as File / Print Sharing, e-mail,
Internet / Intranet, DNS, AD and Anti-Virus.
f. Static IP addresses shall be used on all networked P&NS components.
g. Private IP addresses are allowed for internal PAS components such
as PCS. Those IP addresses shall not be routed beyond the PAN.

5.4.2 Firewalls Filtering, Blocking, and Access Control

Plant to DMZ firewall(s) shall be configured with Intrusion Prevention
functionality (detection mode). Corporate network to DMZ Firewalls
shall:
a. Control and regulate access into/out of the DMZ.
b. Enable information logging for traffic monitoring and intrusion
detection.


c. Dedicated firewall hardware shall be used to interface a PAS to the
corporate network.
d. The fundamental policy for configuring firewalls in plant
automation networks shall be “DENY UNLESS SPECIFICALLY
PERMITTED”.
e. Intrusion Prevention functionalities shall be installed on firewall(s)
to the corporate network and DMZ.
f. Patch management policy shall be developed and maintained in
order to help identifying the latest signature files and upgrades.
g. A procedure should be developed in order to help properly change
the firewall(s) Access Control List (ACL) based on information
collected from the Intrusion Prevention System (IPS).
h. Network traffic through the firewall shall be limited to server-to-
server communications and filtered based on source/destination IP
addresses and TCP/UDP ports. Blocking shall be enabled for both
inbound and outbound communications.
i. A plant comprising multiple scattered PANs should interface with the
Corporate Network via a single centralized firewall. The consolidated
PANs shall be connected together to form one PAN, utilizing the
corporate transmission infrastructure (i.e., SDH dedicated bandwidth
or dark fiber).
j. For consolidated networks, the PAN backbone switch can be located
in an IT controlled facility provided that an SLA is established with
IT to govern the switch operation and the PAS equipment adheres to
the physical space requirements specified in this document.
k. The firewall filter rules shall not allow insecure services such as
Telnet and FTP to traverse the firewall.
l. Firewall change request forms shall be approved by Plant Manager
prior to firewall rules implementation.
m. SAER-6123, “Process Automation Networks Firewall Evaluation
Criteria” provides additional guidelines for firewall configuration
and hardware selection.
n. To minimize the number of open TCP/IP ports on the firewall, it is
recommended to install an application proxy inside the plant.
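The rules above are mechanically checkable: default deny in both directions (d, h), permits limited to server-to-server flows on named TCP/UDP ports (h), no Telnet or FTP through the firewall (k), and, from 5.4.1.g, no internal PCS private address crossing the firewall. The script below audits a rule base against those points and is the kind of check the annual filter-rule review in 5.5.1.c.iv calls for. It is an added example, not part of SAEP-99 or of any firewall vendor's tooling: the vendor-neutral Rule format, the finding codes, the 10.20.1.0/24 PAN, 10.30.0.0/24 DMZ and 192.168.50.0/24 PCS-internal ranges and the sample rules are all constructed assumptions.

```python
"""Audit a PAN firewall rule set against SAEP-99 5.4.2 and 5.4.1.g.

Added example: not part of SAEP-99 and not a vendor tool. The Rule format is a
vendor-neutral abstraction; export the real rule base into it before running.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 5.4.2.k: services that must not traverse the firewall.
INSECURE_SERVICES = {("tcp", 23): "telnet", ("tcp", 21): "ftp-control", ("tcp", 20): "ftp-data"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "inbound" = corporate/DMZ -> PAN, "outbound" = PAN -> corporate/DMZ
    action: str             # "permit" or "deny"
    src: str                # host, CIDR or "any"
    dst: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None = all ports


@dataclass(frozen=True)
class Finding:
    rule: str
    code: str
    detail: str


def is_single_host(addr: str) -> bool:
    """Server-to-server (5.4.2.h) means one host on each side, not 'any' or a subnet."""
    return addr != "any" and ipaddress.ip_network(addr, strict=False).num_addresses == 1


def in_ranges(addr: str, ranges: list) -> bool:
    if addr == "any":
        return False
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.subnet_of(r) for r in ranges)


def audit(rules: Iterable[Rule], default_policy: Dict[str, str],
          pcs_private_ranges: Iterable[str] = ()) -> List[Finding]:
    """Return every deviation found; an empty list means the rule set is compliant.

    pcs_private_ranges: CIDRs used for internal PCS components (5.4.1.g). They are
    the only ranges this check treats as non-routable; corporate private addressing
    is outside its scope.
    """
    findings: List[Finding] = []
    private = [ipaddress.ip_network(r) for r in pcs_private_ranges]

    # 5.4.2.d and h: "DENY UNLESS SPECIFICALLY PERMITTED", enforced in both directions.
    for direction in ("inbound", "outbound"):
        if default_policy.get(direction) != "deny":
            findings.append(Finding("<default>", "DEFAULT_NOT_DENY",
                                    f"{direction} default policy must be deny"))

    for rule in rules:
        if rule.action != "permit":
            continue
        if not (is_single_host(rule.src) and is_single_host(rule.dst)):
            findings.append(Finding(rule.name, "NOT_SERVER_TO_SERVER",
                                    f"permit must name single hosts, got {rule.src} -> {rule.dst}"))
        if rule.proto not in ("tcp", "udp") or rule.dport is None:
            findings.append(Finding(rule.name, "PORT_NOT_RESTRICTED",
                                    "permit must specify tcp or udp and a destination port"))
        service = INSECURE_SERVICES.get((rule.proto, rule.dport))
        if service:
            findings.append(Finding(rule.name, "INSECURE_SERVICE", f"permits {service} (5.4.2.k)"))
        for end in (rule.src, rule.dst):
            if in_ranges(end, private):
                findings.append(Finding(rule.name, "PRIVATE_PCS_ADDRESS",
                                        f"{end} is PCS-internal and must not cross the firewall (5.4.1.g)"))
    return findings


# Constructed sample rule base; the addresses are assumptions, not a real plant.
SAMPLE_RULES = [
    Rule("hist-to-dmz-https", "outbound", "permit", "10.20.1.10", "10.30.0.5", "tcp", 443),
    Rule("eng-telnet", "inbound", "permit", "10.30.0.20", "10.20.1.15", "tcp", 23),
    Rule("dmz-to-pan-any", "inbound", "permit", "10.30.0.0/24", "10.20.1.0/24", "any", None),
    Rule("pcs-syslog-out", "outbound", "permit", "192.168.50.7", "10.30.0.5", "udp", 514),
    Rule("deny-rest", "inbound", "deny", "any", "any", "any", None),
]
SAMPLE_DEFAULT_POLICY = {"inbound": "deny", "outbound": "permit"}


def audit_sample() -> List[Finding]:
    return audit(SAMPLE_RULES, SAMPLE_DEFAULT_POLICY, pcs_private_ranges=["192.168.50.0/24"])


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.code:22} {f.rule:20} {f.detail}")
```

Only the first sample rule is compliant; the script reports the permissive outbound default, the Telnet permit, the subnet-to-subnet "any" permit (as two findings, addresses and ports) and the PCS-internal address. A clean audit returns an empty list, which is the result to file with the annual review.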


5.5 Operations Security and Management

5.5.1 Security Monitoring


a. Up-to-date, accurate and comprehensive procedures relating to
monitoring security audit logs shall be documented, approved by
Plant Manager, communicated to support staff and effectively
implemented.
b. All available networks, systems and applications logs shall be
examined and monitored. The PAN Administrators shall control
and validate the access to these log files.
c. The PAN administrator shall perform and retain annual
documented reviews for the following:
i. All accounts, to ensure continued legitimacy for business
needs and that inactive users are revoked.
ii. Logs of internal devices such as firewalls and switches.
iii. Firewall penetration test log.
iv. Firewall filter rules to ensure rules accuracy and adequacy.
d. A documented security audit logs review shall be performed on a
monthly basis.
e. A document defining the requirements for retention and archival
of security audit logs shall be developed in accordance with
Corporate Data Protection and Retention INT-7 policy.
The following requirements should be considered:
i. The retention period for audit logs shall be set for 12 months
as a minimum.
ii. Mechanisms to secure the audit logs from unauthorized access.
For example, audit logs could be forwarded to a central log
archiving server or written to write-once media to prevent
unauthorized alteration.
iii. The parties authorized to access the audit logs.
iv. That the storage capacity of the log file media shall be
adequate for one (1) year to avoid failure to record events or
over-writing of past recorded events.
f. PAS component suspected of security breach shall not be tampered
with to allow CSA to gather evidence and perform an effective
investigation.


g. The following events within PAS audit policies shall be enabled
with timestamp:
i. System Events
ii. Security Events (e.g., logon events, privileged activities, user
ID, user type, transaction and log source, etc.)
h. PAS component clocks should be synchronized to a common time source
(e.g., NTP) so that audit log timestamps from different components
can be correlated.

5.5.2 The PAN administrator shall utilize an automated (SIEM) solution that
securely integrates with Saudi Aramco corporate SOC to monitor and
analyze security log events.

5.5.3 A process shall be implemented, in accordance with vendor
recommendations, to proactively monitor the performance and availability
of plant networks and systems equipment, with the following parameters:
(a) Utilization of disk space, network connection, memory and CPU.
(b) System event logs (i.e., system faults).
(c) Availability (i.e., Ping).

5.5.4 The release of classified information to a third party must be governed
by a Non-Disclosure Agreement (NDA) approved by Saudi Aramco Law
department. Intellectual Asset Management shall be consulted prior to
the exchange of any intellectual property, intangible research data, or
confidential information as governed by GI-0431.001.

5.5.5 Reporting of Computer Security Incidents

The reporting of a computing incident must be done promptly. It is the
responsibility of the proponent plant management, their designated staff,
or the PAN administrator, to write a memorandum, detailing any
computer irregularity incident to Corporate Security Services/Computer
Security Administration (CSA). In the case of hardware theft, the
incident must be reported to plant management who will then report it to
Industrial Security.
a. If any user or organization suspects a computer security incident
implicating an individual, and where a formal investigation might
be required they must contact their PAN administrator. The PAN
administrator will evaluate the incident and, if warranted, report it
to CSA via “Incident Reporting” on http://csa.aramco.com.sa
b. Any suspicious activity that may be revealed while examining
system event logs shall be immediately reported to Saudi Aramco
Security Operations Center Group (SOC), part of Saudi Aramco
Information Protection Department, via telephone number 8800000
or email address: ITSOC@aramco.com

PAN administrator shall also report these computer security incidents to
CSA by phone via the numbers for “CSA Head” or “Computer Security
Investigation” listed in the “Contacts” section of the CSA website.
The “Incident Reporting” facility on CSA's website should be used to
document and confirm the PAN Administrator's report by phone.

5.6 Disaster Recovery Planning (DRP)

The following are the requirements for Disaster Recovery Planning (DRP) for
Saudi Aramco PAS:
a. The Plant organization is responsible for developing a DRP that covers all
PAS installed in the plant.
b. The PAS DRP shall be developed based upon a formal Risk Assessment or
Business Impact Analysis.
c. The DRP document shall provide instructions on restoring plant
operation and resuming production promptly without compromising the
safety of plant personnel and assets.
d. A team within each plant organization shall be established and well trained
to develop, implement, test, use and maintain the DRP.
e. Key personnel list shall be clearly identified including plant personnel,
support organizations and vendors.
f. The DRP shall define the data backup strategy identifying the systems to
backup, files to backup, the storage media, the locations of the storage and
the storage retention.
g. The DRP shall be addressed as part of the overall plant process disaster
response plan.
h. The PAS DRP shall be reviewed, updated, tested and approved once a
year, documenting such reviews in writing.
i. If change(s) to PAS infrastructure take place within the annual review
cycle, the DRP shall be reviewed, updated, tested, and approved as soon as
possible after the changes are commissioned. Accordingly, the new test
date will be one year from the last revision.
j. Testing of the recovery procedure shall be documented. The DRP
document shall be updated to reflect and resolve any new issues arising
during the recovery test.


k. DRP testing should be performed offline, in a test environment,
rather than on the production system whenever an offline system is
available.
l. A distribution list shall be defined for the PAS DRP and kept up to date.
A distribution process shall be defined that distributes the PAS DRP to all
recipients and locations on the distribution list.
m. The PAS DRP shall be approved by the Plant Manager.

5.7 Systems Backup and Restore


a. Up-to-date, accurate and comprehensive procedures relating to backup,
recovery and backup restoration testing for each PAS shall be documented,
approved by Plant Manager, communicated to support staff and effectively
implemented. The documented procedures should include, for each PAS
component:
i. Responsibilities for performing backups and monitoring their success
or failure if automated.
ii. Detailed step-by-step procedures to perform a backup and subsequent
restore in accordance with vendor recommendations.
iii. Procedures to perform restoration testing and maintenance of
restoration test results after performing backups.
iv. Procedures to verify the success or failure of a particular backup.
v. Procedures for media library management relating to retention,
rotation, transmittal, labeling and inventories.
b. It is highly recommended to fully automate the data backup operation to
avoid human errors and ensure integrity. However, backup logs need to be
monitored for backup failures.
c. At least two (2) copy sets of the most recent backup and recovery
data, no more than six months old, shall be stored and maintained at
secure locations, with one set at an off-site location.
d. At least one copy of the backup and recovery data on removable media shall
be stored in locked fire-safe cabinets located outside the plant main gate.
e. PAS components with dynamic data change shall be backed up on weekly
basis. The data required for complete backup and restore shall be archived
to removable media at least once every six months.


f. Networks and systems configuration files shall be backed up every six
months.
g. Access to backup and recovery data shall be restricted to persons with
legitimate company business needs.
h. A logbook shall be maintained at each storage location for the purpose of
monitoring access to the backup media. Entries shall be recorded in the
logbook whenever a media is removed/added from/to the designated
storage location. The logbook shall contain the following:
i. Date & Time of removal/addition.
ii. Name and Badge number of employee responsible for
removing/adding the media.
iii. Purpose of removal/addition.
iv. Specific data which was removed/added such as number of CD's,
DVD's, tapes.
v. Estimated time the data will be removed from the location.
vi. The employee's signature at check-out of data if using hard copy log
book.
vii. Date & Time when data is returned to the location.
viii. The employee's signature when the data is returned to the safe
location if using hard copy log book.

5.8 Physical Security


a. Security perimeters around informational assets should be clearly defined
and carefully monitored on a daily basis for evidence of penetration or
tampering attempts.
b. Ensure that sensitive documents and other media material that are no
longer needed are destroyed completely.
c. Visitor access to facilities housing PAS components shall be authorized by
Operations, documented and securely maintained with purpose of visit,
date and time of entry and exit.
d. Tag all physical inventories with tamper-resistant labels to prevent
removal of property.
e. PAS workstations, servers and network equipment shall be located in plant
controlled facilities such as a data center or server room.


f. The following conditions shall be in place prior to relocating the PAN
backbone switch into an IT room:
i. The plant organization consists of multiple PANs to be consolidated
into a single PAN.
ii. The Plant firewall is to be also relocated to the same IT controlled
facility.
iii. The backbone switch shall be dedicated for a single plant
organization and shall not be shared with others.
iv. The backbone switch and the firewall shall be housed in a locked
cabinet with clear labels indicating its functionality.
v. An SLA is signed by IT and the Plant organization for IT to manage
and operate the L3 switch.
g. PAS components not located in plant controlled communication or server
rooms shall be secured in locked cabinets.
h. Data on any electronic storage device being disposed, returned to
manufacturer, donated or decommissioned shall be sanitized in accordance
with GI-0299.120.
i. The use of active testing tools is not allowed. Passive testing tools such
as network sniffers and analyzers shall adhere to the following guidelines:
i. Shall be exercised with extreme care on all networks and systems
and shall be approved and coordinated with the vendor.
ii. They should always be authorized by Plant Management and
restricted to PAN administrators.
iii. Captured information classified as “Sensitive”, as defined in
GI-0710.002, shall be adequately safeguarded.
iv. All testing tools shall have written justification of need with Plant
manager’s approval that is reviewed annually for validity of need.
v. The PAN administrator shall maintain a list of all approved testing
tools with their justification, approval, log sheets and location.
vi. Testing tools should be securely stored and accessible only by
authorized personnel.
Commentary Note:

Passive testing tools such as cable testers, voltmeters, etc., are
exempted and can be used without the above controls.


j. Physical access logs for facilities housing PAS assets shall be reviewed
on a monthly basis, and access rights shall be revoked when necessary or
no longer required.
k. When combination locks are used, unique personal identification codes
shall be set for each of the different facility housing PAS assets.
l. A formal procedure shall be documented and implemented to ensure that
these codes are periodically changed and immediately when someone with
knowledge of these codes no longer requires access.
m. Plant owned and managed PAS equipment shall be physically segregated
from equipment owned and managed by other organizations (e.g., Saudi
Aramco IT, CoGen partners, etc.) in separate cabinets as depicted by Table 1.
n. Plant owned racks or cabinets housing plant network or systems equipment
shall always be locked.

5.9 Wireless Security

Wireless networks may be considered for non-critical monitoring applications
with prior written approval of the General Supervisor, Process Instrumentation
Division, Process & Control Systems Department, Saudi Aramco, Dhahran.

Wireless networks operated in plant environment shall meet the procedural and
configuration requirements by the wireless network vendor and/or Section 10.3.4
“Wireless Network & Portable Device Security Standards and Guidelines” of
Saudi Aramco Information Protection Manual.

5.10 Change Management


a. Up-to-date, accurate and comprehensive procedures relating to PAS
Change Management (such as the MOC GOIs) shall be documented,
approved by Plant Manager, communicated to support staff and effectively
implemented.
b. The following changes to PAS infrastructure, including hardware or
operating systems shall require a MOC:
i. Installation of applications, modification or deletion of process
related configurations.
ii. Addition, modification or removal of PAS equipment.
iii. Deployment of patches or hardening configurations.
iv. The use of passive testing tools.
v. The use of privileged/administrative account.


c. PAS changes shall be performed through a change management system
with capabilities such as change tracking, approval and scheduling.
d. PAS changes shall be prioritized (e.g., emergency, high, medium, low).
Prioritization criteria shall be established.
e. PAS changes shall be appropriately tested using test plans preferably in a
non-production environment.
f. Implementation and back-out plans shall be developed prior to any change.
g. All required deliverables shall be attached to the change request.
Examples of such deliverables include, but not necessarily limited to
implementation plans, test plans, fallback procedures, diagrams depicting
process flow changes, etc.
h. Affected PAS components shall be backed up prior to any change.
i. PAS changes shall be formally reviewed and approved by appropriate
stakeholders before implementation.
j. PAS changes shall meet the security requirements defined within SAEP-99.
k. Risk, impact and security implications of changes shall be evaluated.

l. Privileged/administrative account systems (e.g., Active Directory servers,
RADIUS servers, DNS) shall conform to the following:
i. Locate privileged/administrative accounts systems in secure rooms or
locked cabinets.
ii. Privileged/Administrative users shall initiate a Management of
Change “MOC” request and receive a supervisor level approval
before accessing the system.
iii. The accessed system shall have logging capability enabled.
iv. The system log retention shall be set to at least one year.
v. A manual log-book and a computer tracking tool such as an Excel
sheet to document administrative access shall be used. The following
minimum information shall be included in the log: User Name, Badge
Number, Phone Number, Station/Server ID accessed, Session date,
session length, and reason.
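The monthly audit-log review required in 5.5.1 (logon events and privileged activities with timestamps, synchronized clocks, suspicious activity escalated to the SOC) and the administrative-access record in 5.10.l.v together give the reviewer three concrete things to look for: bursts of failed logons, privileged sessions with no matching MOC entry in the access log, and events whose source timestamp disagrees with the collector's clock. The script below runs those three checks over forwarded logon events. It is an added example, not part of SAEP-99 and not a feature of any SIEM product; the one-JSON-object-per-line event format, the field names, the thresholds, the host names and the sample events and MOC log are all constructed assumptions.

```python
"""Monthly review of PAS security audit logs (SAEP-99 5.5.1.g/h and 5.10.l).

Added example: not part of SAEP-99 and not a SIEM product feature. The event
format, field names, thresholds, sample events and sample MOC log are all
constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAILURE_THRESHOLD = 5                   # failed logons per (user, source) ...
FAILURE_WINDOW = timedelta(minutes=5)   # ... within this window
MAX_CLOCK_SKEW = timedelta(minutes=5)   # 5.5.1.h: source clock vs. collector clock

# Constructed logon events as a SIEM might forward them (5.5.1.g.ii).
# "received" is the collector's own receive time and is optional.
SAMPLE_EVENTS = """
{"ts": "2015-11-02T08:00:05", "host": "PAN-HIST-01", "event": "logon", "outcome": "failure", "user": "svc_hist", "src": "10.30.0.20"}
{"ts": "2015-11-02T08:00:09", "host": "PAN-HIST-01", "event": "logon", "outcome": "failure", "user": "svc_hist", "src": "10.30.0.20"}
{"ts": "2015-11-02T08:00:12", "host": "PAN-HIST-01", "event": "logon", "outcome": "failure", "user": "svc_hist", "src": "10.30.0.20"}
{"ts": "2015-11-02T08:00:15", "host": "PAN-HIST-01", "event": "logon", "outcome": "failure", "user": "svc_hist", "src": "10.30.0.20"}
{"ts": "2015-11-02T08:00:18", "host": "PAN-HIST-01", "event": "logon", "outcome": "failure", "user": "svc_hist", "src": "10.30.0.20"}
{"ts": "2015-11-02T09:15:00", "host": "PAN-AD-01", "event": "logon", "outcome": "success", "user": "admin.ali", "src": "10.20.1.50", "privileged": true}
{"ts": "2015-11-02T22:40:00", "host": "PAN-AD-01", "event": "logon", "outcome": "success", "user": "admin.sami", "src": "10.20.1.51", "privileged": true}
{"ts": "2015-10-31T23:59:00", "host": "PAN-FW-01", "event": "logon", "outcome": "success", "user": "netops", "src": "10.20.1.60", "privileged": true, "received": "2015-11-02T10:00:00"}
"""

# Constructed administrative-access log with the 5.10.l.v fields that this check needs.
SAMPLE_MOC_LOG = [
    {"user": "admin.ali", "host": "PAN-AD-01", "moc": "MOC-2015-0417",
     "start": "2015-11-02T09:00:00", "length_min": 60},
    {"user": "netops", "host": "PAN-FW-01", "moc": "MOC-2015-0421",
     "start": "2015-10-31T23:30:00", "length_min": 60},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def covered_by_moc(ev: dict, moc_log: List[dict]) -> bool:
    """5.10.l.ii/v: a privileged session must fall inside an approved MOC window
    recorded for the same user and the same station/server."""
    when = parse_ts(ev["ts"])
    for entry in moc_log:
        start = parse_ts(entry["start"])
        end = start + timedelta(minutes=entry["length_min"])
        if entry["user"] == ev["user"] and entry["host"] == ev["host"] and start <= when <= end:
            return True
    return False


def review(event_lines: str, moc_log: List[dict]) -> List[dict]:
    """Return the findings a reviewer would escalate to the SOC/CSA (5.5.5.b)."""
    findings: List[dict] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event"] == "logon" and ev["outcome"] == "failure":
            failures[(ev["user"], ev["src"])].append(ts)
        # Privileged use outside any approved MOC window (5.10.l).
        if ev.get("privileged") and ev["outcome"] == "success" and not covered_by_moc(ev, moc_log):
            findings.append({"code": "PRIVILEGED_NO_MOC", "user": ev["user"], "where": ev["host"], "ts": ev["ts"]})
        # Source clock disagrees with the collector: timestamps cannot be correlated (5.5.1.h).
        if "received" in ev and abs(parse_ts(ev["received"]) - ts) > MAX_CLOCK_SKEW:
            findings.append({"code": "CLOCK_SKEW", "user": ev["user"], "where": ev["host"], "ts": ev["ts"]})
    # Burst of failed logons: FAILURE_THRESHOLD consecutive failures inside FAILURE_WINDOW.
    for (user, src), times in failures.items():
        times.sort()
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            if times[i + FAILURE_THRESHOLD - 1] - times[i] <= FAILURE_WINDOW:
                findings.append({"code": "FAILED_LOGON_BURST", "user": user, "where": src, "ts": times[i].isoformat()})
                break
    return findings


def review_sample() -> List[dict]:
    return review(SAMPLE_EVENTS, SAMPLE_MOC_LOG)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f['code']:20} {f['user']:12} {f['where']:14} {f['ts']}")
```

On the sample data the script flags admin.sami's session (no MOC entry for that user on PAN-AD-01), the PAN-FW-01 event whose own timestamp is more than a day behind the collector's receive time, and the five failures for svc_hist from 10.30.0.20 within 13 seconds; admin.ali and netops are inside their recorded MOC windows and are not reported. The MOC cross-check is only as good as the access log it reads, which is why 5.10.l.v requires the logbook to be kept.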


5.11 Assets Management

5.11.1 Inventory of Assets


a. Assets handling information or performing information
processing at Saudi Aramco plants shall be identified and an
inventory of these assets shall be maintained.
b. The identification of assets shall cover the entire information
lifecycle, including creation, processing, storage, transmission,
deletion and destruction.
c. For each of the identified assets, the asset shall be assigned to an
owner (see Asset Ownership) and the classification of the asset
shall be determined and documented.
d. The assets inventory shall be:
i. Accurate
ii. Up-to-date
iii. Consistent
iv. Aligned with other inventories, if any.
e. A detailed inventory shall be compiled covering each asset in
the facility. In addition, an aggregate inventory shall be in place
summarizing the different categories of assets.
Commentary Note:

An automated inventory collection solution can be used to
automate the process of data collection. When using such
tools, PAS vendors shall be consulted to ensure they do not
impact the operation of PAS systems.

f. The inventory shall be reviewed annually to verify that any
changes have been reflected in the inventory.

5.11.2 Assets Identification


a. Primary and supporting assets shall be identified and inventoried for
each processing facility, see Appendix A for more information on
primary and supporting assets.
b. Any other assets that support the controls protecting primary assets
(e.g., UPS, server room air conditioning) shall be identified and addressed.
c. When multiple assets work together to provide a given service,
assets can be grouped together as one service.


5.11.3 Asset Ownership


a. All assets shall be owned by the plant manager.
b. The plant manager shall be responsible for controlling the entire
lifecycle of the asset, including creation, processing, storage,
transmission, deletion and destruction.

5.11.4 Asset Classification


a. Information asset owners are accountable for information
classification.
b. Classification of supporting assets is determined by the
classification of information they handle.

5.11.5 Roles and Responsibilities


a. The owner of an asset can delegate tasks to a custodian to perform a
certain task but the ultimate responsibility remains with the owner.
b. When grouping assets for a particular service, the entire group of
assets shall be assigned to a service owner. The service owner
retains the accountability to deliver the service and operate the
assets.

5.11.6 Return of Assets


a. A formal procedure shall be established to ensure that all company-
owned information is transferred to the organization and securely
erased from any equipment.
b. All organizational assets shall be returned upon employee, or third
party user, termination of employment, contract or agreement.

6 Responsibilities

6.1 Plants Operations/Management

Plant management and their designated operating staff are responsible for the
implementation of this procedure.

6.2 PAN Administrators


a. Plant organization shall have a qualified formally assigned primary and
backup PAN administrator to manage and perform system configuration
and monitoring as designated by the plant management.


b. The PAN administrator shall assume the responsibility to administer all
plant networks and systems.
c. The PAN administrators shall ensure the accuracy of firewall filter rules
and security policies.
d. The PAN administrator is responsible for the operation, management and
accuracy of any firewall in the plant. This shall include granting, revoking,
and tracking user’s access and maintaining filter rules. This does not apply
to firewalls that are operated by Information Technology.
e. The PAN administrator shall create and maintain the accuracy of the 'PAN
administrator e-mail distribution lists' relevant to their Plants.
f. The PAN administrators are responsible to implement the instructions
specified in this document.
g. The PAN administrators shall be responsible for reporting of security
incidents, if any.

6.3 Delegation of Responsibility


a. Delegation of support and management responsibilities is limited to
process information networks and systems (i.e., systems that are not part of
control or engineering).
b. A risk assessment, as per SAEP-707, shall precede the official delegation
of support responsibilities of PAN components to IT or other support
entities.
c. Any delegation of support and management responsibility must be
approved by the Plant Manager through a Service Level Agreement (SLA).

7 Training

The primary and backup PAN Administrators shall maintain:
a. Knowledge or experience in plant operations, and
b. Successful completion of P&CSD’s “Process Automation Network Administrator
Training and Certification Curriculum” and other recommended training in the
PAN Admin C-MAP.

Revision Summary
29 October 2015 Major revision to reflect Audit IS2015-426 observations.


Appendix A

Primary Assets
1. Business Processes, for example:
a. Processes whose interruption leads to partial/complete loss of production.
b. Processes, that when loss or degraded, makes it impossible to carry the
organization’s mission.
c. Processes involving proprietary/patented technology.
d. Processes that are necessary for the organization to comply with contractual,
legal or regulatory requirements.
2. Information. Primary information mostly includes:
a. Information vital for the organization to conduct its business/mission.
b. Strategic information pertaining to corporate strategic objectives.
c. High-cost information whose lifecycle from gathering until destruction requires a
long time and/or high acquisition cost.

Supporting Assets

1. Hardware
a. Any physical element supporting a primary asset falls under the hardware
category:
b. Data processing equipment (active)
c. Transportable equipment, e.g., laptops, PDAs…etc.
d. Fixed equipment used on the company’s premise, e.g., server or workstation.
e. Processing peripherals are equipment connected to a communication port (serial,
parallel, etc.) for entering, conveying or transmitting data. Examples include
printers, removable disk drives, etc.
f. Passive data medium used for storing data.
g. Electronic medium connected to a computer/computer network for data storage
such as floppy disc, CD ROM, back-up cartridge, removable hard disc, memory
key, tape.


h. Static, non-electronic media containing data such as plant documentation.

2. Software
a. Operating system.
b. Service, maintenance or administration software.
c. Standard, off-the-shelf software.
d. Business application, whether it is a standard or a custom one.

3. Network
a. Communication media and equipment. Examples include PSTN, Ethernet,
ADSL, Wi-Fi 802.11, Bluetooth, etc.
b. Passive or active relay such as bridges, routers, hubs, switches, automatic
exchange.
c. Communication interface such as Network Interface Card (NIC), General Packet
Radio Service (GPRS).

4. Personnel
a. Management staff
b. Operations staff
c. Maintenance staff
d. Engineers
e. Administrators
