1. Is there an applicable cyber security policy? If possible please provide a copy and discuss if/how it covers the following topics: *

A. Organizational and individual responsibilities (including identification of responsible management)

B. Acceptable Use of information systems

C. Personnel surety

D. User account management

E. Use of anti-virus, etc.

F. Audit Logging

G. Information Classification & Protection

H. Risk Assessments

I. Change control

J. Incident reporting

K. Exceptions to policy

2. Is there an active Information Systems Security Awareness and/or Training program? Please describe.

A. How are users informed of potential or specific security threats and/or countermeasures?

3. Have You experienced a cyber incident (originating either externally or internally) resulting in:

i. The loss or unauthorized disclosure of sensitive information?

ii. DoS of information systems?

A. If yes, please describe (to the extent possible) each known incident including business impacts, affected systems, networks and/or applications, estimated costs (direct and indirect), etc.

B. Were incidents reported (how and to whom)?

4. What data backup systems exist? For each environment, discuss:

A. How often are backups performed?

B. Are backups kept offsite?

C. Are backup exercises regularly performed to insure data restoration capabilities?

5. Do critical systems have emergency backup equipment?

Please describe in terms of cutover times, associated loss of functionality (if any), physical location (i.e., on/offsite), cutover exercises, etc.

6. To what cyber security regulations are you required to comply (NERC, etc.)?

A. Indicate to which networks, computer systems the regulations apply

B. Has there been an audit by the regulatory agency within the last two years?

If yes : i. Were there any findings?

ii. Have all findings/action items been resolved?

1. Please list/identify A. All IP address blocks in use by you.

B. All domain names in use by you.

2. For each network in place, please describe the following: A. Firewall(s) in place (quantity, manufacturer, version)

B. Intrusion Detection/Prevention in place (Host vs. Network based, quantity, manufacturer, version)

C. Network Management System in place, if any (manufacturer, version, network placement, etc.) i. Security Management in place ii. Accounting Management in place

D. Dedicated connections, if any, to other networks (describe connection type and additional security, e.g., DMZ, router, gateway, firewall, etc.): i. Internal ii. External (business partners, suppliers, etc.)

E. Remote access capability; describe numbers of users, access methods, (e.g., VPN, dial-up, etc.), safeguards, etc. i. Employees ii. Contractors iii. Other

3. Describe use, if any, of VPN tunnels between logical sections of any networks, multi-site access, etc.

4. Describe any wireless networks: A. Access and authentication

B. Usage (e.g., Guest only, etc.)

C. Restrictions (access privileges, etc.)

5. Do you have any systems that use modems? If yes please describe usage and access policies.

6. How are anomalous events actioned: A. What events are simply recorded?

B. How are events recorded?

i. Centralized location?

ii. Non-editable files?

iii. Accuracy of time synchronization for forensic analysis?

iv. Method of file identification (daily time tags, etc.)?

v. Capability to selected excerpts for forensic analysis?

C. What types of events are alerted?

i. Method of alert (email, page, etc.)?

ii. Who responds?

iii. What records are kept?

D. Are any events automatically actioned (account lockouts, etc.)?

1. By network, please list the following (include quantities, physical locations, etc.): A. Windows Servers (include version, patch level, etc.) B. Unix Servers (include brand, version, etc.) C. Linux Servers (include brand, version, etc.) D. Windows clients (include version, patch level, etc.) E. Other clients (include brand, version, etc.)

2. Are there file servers in use (are they included above)?

What file management system(s) is in place?

3. For each of the above, describe how OS patch management is handled. Include description of the following processes: A. Testing B. Rollout/rollback C. Documentation/configuration management

4. For each of the above, describe the anti-malware products in use, if any. A. For each unique product and environment, how are updates handled?

5. How are administrative accounts managed on servers (i.e., generic/shared accounts)?

6. Describe how user accounts are managed: A. Are individual clients used by multiple users?

i. Does each user have private data storage?

B. Describe password policies in effect

7. Are clients “portable” (i.e., taken off-site)?

How is this managed?

8. What is the policy for unattended devices (e.g., auto-logoff, locked screen-saver, etc.)?

9. Describe processes (records, data protection, etc.) associated with: A. Device re-deployment (i.e., within OG&E) B. Device disposal

1. Identify/describe (names, versions, usage, etc.) the following “personal” software:

2. Identify (names, versions, number of users, etc.) the various “multi-user” applications in place:

3. Is there a “Single Sign-on” (SSO) environment in place? Please describe.

4. What languages are used for internal development:

5. What services are allowed (e.g., FTP, SSH, etc.)

6. How are applications:

B. Changes initiated and managed?

1. Are physical controls documented?

2. Indicate number and names of facilities.

3. Describe building barriers. A. Exterior measures. B. Interior - Wall/ceiling/floor protections

4. Describe intrusion detection measures

5. Are any facilities shared with non-OG&E personnel?

A. If yes, Are there contracts or agreements in place?

6. Are data center activities monitored and recorded?

7. Describe access control.

A. Are visitors allowed within secure areas?