
Third Party Cyber Security Assurance

Describe your existing cyber security organization and associated governance structure.


Q1 Tier:
In the space to the right, please rate your cyber security organization and governance structure (refer to the NIST Tier ratings on the subsequent tab).

Response:

Describe how you respond to and recover from cyber security events.
Q2 Tier:
In the space to the right, please rate your cyber response and recovery capability (refer to the NIST Tier ratings on the subsequent tab).

Response

Describe how you conduct cyber security monitoring and threat detection, including the technology and processes used to detect security events.
Q3 Tier:
In the space to the right, please rate your cyber security monitoring and threat detection capability (refer to the NIST Tier ratings on the subsequent tab).

Response

Q4
Do you have an established business continuity plan (BCP) for a cyber incident? Yes/No:
Do you have a process to periodically rehearse or test your BCPs? Yes/No:
Q5
Confirm the general security testing and assurance activities you have in place, including the frequency of these activities (e.g. monthly, quarterly, annually, ad hoc, etc.).
Penetration Testing Yes/No: Frequency:
Vulnerability Scanning Yes/No: Frequency:
Commercial Threat Feeds Yes/No: Frequency:
Cyber Risk Registers Yes/No: Frequency:
Periodic Audit Processes Yes/No: Frequency:
If applicable, please include other security testing and assurance activities in the space provided below: Yes/No: Frequency:

Response

Confidential

Are your employees and contractors regularly made aware of their responsibilities with regards to data and information security and the handling of information? If so, how frequently are they reminded of these responsibilities? Yes/No: Frequency:

In your work with ROO, do you use a document sharing solution? If so, is it hosted within ROO, within your facilities, or with a third party (e.g. DropBox, etc.)? Yes/No: Hosted:

Q6 Confirm what type of ROO data you may store or manage on our behalf.
Do you store any ROO data that would generally be considered commercially sensitive? Yes/No: Frequency:
Do you store any ROO data that would be classified as personally identifiable (e.g. individual's names, email addresses, personal addresses, etc.)? Yes/No: Frequency:
Do you store any ROO data related to the process for gaining physical access to ROO facilities or any diagrams of ROO facilities? Yes/No: Frequency:
Do you store any ROO data related to the configuration of our process control network (PCN)? Yes/No: Frequency:
If applicable, describe any other confidential or sensitive ROO data you may store or manage on our behalf in the space provided below.

Response

Q7
Confirm the nature of access you have to ROO digital systems and/or the access ROO representatives have to your digital systems.
Do your personnel/representatives typically have a ROO NT ID and/or ROO email account? Yes/No:
Do your personnel/representatives have access to ROO IT systems (other than email and document sharing addressed above)? Yes/No:
Do your personnel/representatives have access to ROO plant automation systems (also referred to as a Process Control Network or PCN)? Yes/No:
Do ROO personnel/representatives have access to your company's IT systems (other than document sharing addressed above)? Yes/No:
Q8
Confirm the nature of cyber security expectations you set with your subcontractors. (Respond "n/a" if you do not have any subcontractors.)
Do you have standard contract clauses/terms, specific to cyber security, you require in your contracts with the subcontractors you use? Yes/No:
If so, do you require your subcontractors to cascade these clauses/terms to their own subcontractors? Yes/No:
In the space below, provide a list of any key subcontracting relationships you have with other suppliers, specifically as it relates to the services you provide to ROO.

Response

Q9 Please provide the names and contact details of any key personnel whom ROO should contact in case of a cyber security incident,
including each individual's name, role/title, phone, and email. If there is a general contact or mailbox for cyber related incidents, please include this as well.

Response

The below tiers are based on the NIST Cybersecurity Framework and can be used to generally describe the degree to which an organization’s cybersecurity risk managem

The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, and how well integrated cybersecurity risk decisions are into
broader risk decisions, and the degree to which the organization shares and receives cybersecurity info from external parties.

For the purposes of our questionnaire, we ask that you apply a similar tier rating to the specific questions, where requested.

Tier 1 - Partial
Cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 2 - Risk-Informed
Risk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 3 - Repeatable
Risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Tier 4 - Adaptive
Adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
