Slide 1: CIP-003-1 Cyber Security – Security Management Controls
Gary Campbell
CIP Compliance Workshop, Baltimore, MD, August 19-20, 2009
© ReliabilityFirst Corporation

Slide 2: Governance
Annotated Text of the Standard: annotations are NOT authoritative; they are commentary only.
Pre-audit questions:
- are intended to streamline the audit process;
- some go beyond what is required by the standard, for informational purposes;
- are intended to help organize the information used for compliance;
- are intended as a starting point for review of the compliance documentation.
The "plain language" of the standard will govern. The only authoritative text in this presentation is the language of the standard itself. All else is opinion and intended practice and is subject to change.
This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation.

Slide 3: CIP-003-1 Purpose
Standard CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Standard CIP-003 should be read as part of a group of standards numbered CIP-002 through CIP-009. Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment. [1]
1. Responsible Entities should develop their policies, procedures and processes according to their business practices while remaining cognizant of their compliance obligations and business risk.
Slide 4: CIP-003-1 R1 Annotated Text
R1. Cyber Security Policy — The Responsible Entity shall document [1] and implement a cyber security policy [2] that represents management's commitment and ability to secure its Critical Cyber Assets.
1. Documentation of the Responsible Entity's cyber security policy. To be valid, a document should contain entity identification, document title, date, approval signatures and date of approval. The policy must be available for review by the audit team.
2. Auditors will look for language addressing these points.

Slide 5: CIP-003-1 R1 Annotated Text (cont'd)
The Responsible Entity shall, at minimum, ensure the following:
R1.1. The cyber security policy addresses the requirements [1] in Standards CIP-002 through CIP-009, including provision for emergency situations.
R1.2. The cyber security policy is readily available [2] to all personnel who have access to, or are responsible for, Critical Cyber Assets.
R1.3. Annual review and approval [3] of the cyber security policy by the senior manager assigned pursuant to R2.
1. The auditor will review policies for each requirement of the CIP-002 through CIP-009 standards.
2. Be prepared to provide or demonstrate how your policy is readily available (e.g., memos, computer-based training, etc.).
3. Documentation of the policy should contain review dates and approvals.

Slide 6: CIP-003-1 R2 Annotated Text
R2. Leadership — The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity's implementation of, and adherence to, Standards CIP-002 through CIP-009. [1]
1. This person must be identified in your program. Documentation of the senior manager must be part of the policy as stated in R1.

Slide 7: CIP-003-1 R2 Annotated Text (cont'd)
R2.1. The senior manager shall be identified by name, title, business phone, business address, and date of designation.
R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date. [1]
R2.3. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy. [1]
1. Entities should consider documentation to track exceptions.
Slide 8: CIP-003-1 R3 Annotated Text
R3. Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). [1]
1. These instances should be documented as part of your CIP policy, providing a complete explanation of the exception as per the sub-requirements of R3.

Slide 9: CIP-003-1 R3 Annotated Text (cont'd)
R3.1. Exceptions to the Responsible Entity's cyber security policy must be documented [1] within thirty days of being approved by the senior manager or delegate(s).
1. Documentation of exceptions, identifying dates of approval and submission into the policy, must be available to substantiate and validate this requirement.

Slide 10: CIP-003-1 R3 Annotated Text (cont'd)
R3.2. Documented exceptions [1] to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk.
1. Documentation of exceptions must include an explanation for each exception, identify dates of approval and submission into the policy, and be available to substantiate this requirement.

Slide 11: CIP-003-1 R3 Annotated Text (cont'd)
R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. [1]
1. Documentation of the designated senior manager or delegate(s) (it must be clear that a delegate has been assigned by the senior manager).
Slide 12: CIP-003-1 R4 Annotated Text
R4. Information Protection — The Responsible Entity shall implement and document a program [1] to identify, classify, and protect information associated with Critical Cyber Assets.
1. The documented program must be available for review of compliance as part of your policy.

Slide 13: CIP-003-1 R4 Annotated Text (cont'd)
R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information. [1]
1. Entities should use sound business judgment to identify all CCA information completely, to reduce the entity's business and compliance risk.

Slide 14: CIP-003-1 R4 Annotated Text (cont'd)
R4.2. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information. [1]
1. This classification needs to be documented as part of the policy.

Slide 15: CIP-003-1 R4 Annotated Text (cont'd)
R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment. [1]
1. Documentation of all of these items, as a minimum, must be part of the entity's policy. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/revision tables are used by some entities.
Slide 16: CIP-003-1 R5 Annotated Text
R5. Access Control — The Responsible Entity shall document and implement a program [1] for managing access to protected Critical Cyber Asset information.
1. A documented program for assigning access to protected CCA information must be available for review. Documentation validating implementation of these programs must also be available.

Slide 17: CIP-003-1 R5 Annotated Text (cont'd)
R5.1. The Responsible Entity shall maintain a list [1] of designated personnel who are responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, business phone and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually. [2]
1. Lists should be documented and provide all information required in R5.1.1. Having the ability to provide all changes for the audit period will be necessary. Some entities are using tracking tables to organize and track this information.
2. Documentation of the annual review must be available.

Slide 18: CIP-003-1 R5 Annotated Text (cont'd)
R5.2. The Responsible Entity shall review [1] at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.
1. Documentation for this annual review must be available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/revision tables are used by some entities.

Slide 19: CIP-003-1 R5 Annotated Text (cont'd)
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information. [1]
1. Documentation for this annual review must be available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/revision tables are used by some entities.

Slide 20: CIP-003-1 R6 Annotated Text
R6. Change Control and Configuration Management — The Responsible Entity shall establish and document [1] a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document [2] all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
1. Documentation of this process must be part of the entity's policy and cover, as a minimum, all aspects of change control and configuration management identified in this requirement.
2. Documentation of entity and vendor related changes must be available for review as part of the program.
Slide 21: Points to Remember
1. Documentation is the essential key to compliance and a successful audit.
2. Identify what the standard states "shall" or "must" be done as part of its content (document, communicate, provide).
3. Identify all items the standard states "shall" or "must" be included as part of your documentation.

Slide 22: Points to Remember (cont'd)
1. Be sure to prepare documentation that is valid and can be substantiated.
   1.1. To be valid, it should identify the entity, date, approval signatures, and date of approval or effective date.
   1.2. To be substantiated, documentation should be available to support the evidence you are presenting as compliance with the standard.
2. Review your documentation in preparation for an audit or annual review.
3. Consider having internal or external reviews of your documentation.
4. Remember: be prepared to Document, Validate and Substantiate your evidence of compliance!

Slide 23: CIP-003-1 Questions?