Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIP Cyber Security – Security Management Controls

Published byKelvin Chesnutt Modified over 9 years ago

Similar presentations

Presentation on theme: "CIP Cyber Security – Security Management Controls"— Presentation transcript:

1 CIP-003-1 Cyber Security – Security Management Controls
Gary Campbell CIP Compliance Workshop Baltimore, MD August 19-20, 2009 1 © ReliabilityFirst Corporation

2 Governance Annotated Text of the Standard
Annotations are NOT authoritative, they are commentary only Pre-audit questions Are intended to streamline the audit process Some go beyond what is required by the standard for informational purposes Are intended to help organize information used for compliance Are intended as a starting point for review of the compliance documentation The “plain language” of the standard will govern The only authoritative text in this presentation is that of the language of the standard. All else is opinion and intended practice and is subject to change. This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation. 2 © ReliabilityFirst Corporation

3 CIP-003-1 Purpose Standard CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Standard CIP-003 should be read as part of a group of standards numbered Standards CIP-002 through CIP Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.1 1 Responsible Entities should develop it’s policies, procedures, processes according their business practices while being cognizant of their obligation of compliance and business risk. 3 © ReliabilityFirst Corporation

4 CIP R1 Annotated Text R1. Cyber Security Policy — The Responsible Entity shall document1 and implement a cyber security policy2 that represents management’s commitment and ability to secure its Critical Cyber Assets. 1. Documentation of the Responsible Entity’s cyber security policy. To be valid a document should contain entity identification document title, date, approval signatures and date of approval. A policy must be available for review of the audit team. Auditors will look to find language addressing these points. 4 © ReliabilityFirst Corporation

5 CIP-003-1 R1 Annotated Text (cont’d)
The Responsible Entity shall, at minimum, ensure the following: R1.1. The cyber security policy addresses the requirements1 in Standards CIP-002 through CIP-009, including provision for emergency situations. R1.2. The cyber security policy is readily available2to all personnel who have access to, or are responsible for, Critical Cyber Assets. R1.3. Annual review and approval 3 of the cyber security policy by the senior manager assigned pursuant to R2.(e.g., s, memos, computer based training, etc.); 1 Auditor will review policies for each requirement of the CIP -002 through CIP-009 standards 2 Be prepared to provide or demonstrate how your policy is readily available 3 Documentation of policy should contain review dates and approvals 5 © ReliabilityFirst Corporation

6 CIP R2 Annotated Text R2. Leadership — The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002 through CIP-009.1 1. This person must be identified in your program. Documentation of the senior manager must be a part of the policy as stated in R1. 6 © ReliabilityFirst Corporation

7 CIP-003-1 R2 Annotated Text (cont’d)
R2.1. The senior manager shall be identified by name, title, business phone, business address, and date of designation. R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date1. R2.3. The senior manager or delegate(s), shall authorize and document any exception from the requirements of the cyber security policy 1. Entities should consider documentation to track exceptions. 7 © ReliabilityFirst Corporation

8 CIP R3 Annotated Text R3. Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). 1 1. These instances should be documented providing a complete explanation of the exception as per the sub-requirements of R3 as part of your CIP policy. 8 © ReliabilityFirst Corporation

9 CIP-003-1 R3 Annotated Text (cont’d)
R3.1. Exceptions to the Responsible Entity’s cyber security policy must be documented 1 within thirty days of being approved by the senior manager or delegate(s). 1 Documentation of exceptions identifying dates of approval and submission into the policy must be available to substantiate this requirement and validate this requirement. 9 © ReliabilityFirst Corporation

10 CIP-004-1 R3 Annotated Text (cont’d)
R3.2. Documented exceptions 1 to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk. 1 Documentation of exceptions must include an explanation for each exception. identifying dates of approval and submission into the policy and must be available to substantiate this requirement. 10 © ReliabilityFirst Corporation

11 CIP-003-1 R3 Annotated Text (cont’d)
R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. 1 1. Documentation of the designated senior manager or delegates (it must clear that a delegate has been assigned by the senior manager). 11 © ReliabilityFirst Corporation

12 CIP R4 Annotated Text R4. Information Protection — The Responsible Entity shall implement and document a program 1 to identify, classify, and protect information associated with Critical Cyber Assets. 1. Documented program must be available for review of compliance as part of your policy. 12 © ReliabilityFirst Corporation

13 CIP-003-1 R4 Annotated Text (cont’d)
R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP- 002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information. 1 1. Entities should use sound business judgment to complete all CCA information to reduce an entities business and compliance risk. 13 © ReliabilityFirst Corporation

14 CIP-003-1 R4 Annotated Text (cont’d)
R4.2. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information. 1 1. This information needs to be documented as part of the policy. 14 © ReliabilityFirst Corporation

15 CIP-003-1 R4 Annotated Text (cont’d)
R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment. 1 1. Documentation of all items as a minimum must be part of an entities policy. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/Revision tables are used by some entities. 15 © ReliabilityFirst Corporation

16 CIP R5 Annotated Text R5. Access Control — The Responsible Entity shall document and implement a program 1 for managing access to protected Critical Cyber Asset information. 1. A documented program for assigning access to protected CCA information must be available for review. Documentation validating implementation of the these programs must also be available. 16 © ReliabilityFirst Corporation

17 CIP-003-1 R5 Annotated Text (cont’d)
R5.1. The Responsible Entity shall maintain a list 1 of designated personnel who are responsible for authorizing logical or physical access to protected information. R Personnel shall be identified by name, title, business phone and the information for which they are responsible for authorizing access. R The list of personnel responsible for authorizing access to protected information shall be verified at least annual. 2 Lists should be documented and provide all information required in R Having the ability to provide all changes for the audit period will be necessary. Some entities are using tracking tales to organize and track this information. Documentation of annual review must be available. 17 © ReliabilityFirst Corporation

18 CIP-003-1 R5 Annotated Text (cont’d)
R5.2. The Responsible Entity shall review 1 at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities. 1. Documentation for this annual review must be a available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/Revision tables are used by some entities. 18 © ReliabilityFirst Corporation

19 CIP-003-1R5 Annotated Text (cont’d)
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information. Documentation for this annual review must be a available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/Revision tables are used by some entities. 19 © ReliabilityFirst Corporation

20 CIP-003-1R6 Annotated Text (cont’d)
R6. Change Control and Configuration Management — The Responsible Entity shall establish and document 1 a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting, configuration management activities to identify, control and document 2 all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process. Documentation of this process must be a part of an entities policy and cover all aspects of change control and configuration management identified in this requirement as a minimum. Documentation of entity and vendor related changes must be available for review as part of the program. 20 © ReliabilityFirst Corporation

21 Points to Remember Documentation is the essential key to compliance and a successful audit. Identify what the standard states “shall or must“ de done as part of its content. (Document, communicate, provide) Identify all items the standards states “shall or must“ be included as part of your documentation. 21 © ReliabilityFirst Corporation

22 Points to Remember Cont’d
Be sure to prepare documentation that is valid and can be substantiated. To be valid it should identify the entity, date, approval signatures, date of approvals or effective date. To be substantiated, documentation should be available to support the evidence you are presenting as compliance to standard. Review your documentation in preparation for an audit or annual review. Consider having internal or external reviews of you documentation. Remember be prepared to Document, Validate and Substantiate your evidence of compliance! 22 © ReliabilityFirst Corporation

23 CIP-003-1 Questions? 23 © ReliabilityFirst Corporation

Download ppt "CIP Cyber Security – Security Management Controls"

Similar presentations

NERC Cyber Security Standards Pre-Ballot Review. Background Presidents Commission on Critical Infrastructure Protection PDD-63 SMD NOPR NERC Urgent Action.

NERC Cyber Security Standards Pre-Ballot Review. Background Presidents Commission on Critical Infrastructure Protection PDD-63 SMD NOPR NERC Urgent Action.
Module N° 7 – SSP training programme

Module N° 7 – SSP training programme
EMS Checklist (ISO model)

EMS Checklist (ISO model)
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Issue Identification, Tracking, Escalation, and Resolution.

Issue Identification, Tracking, Escalation, and Resolution.
Software Quality Assurance Plan

Software Quality Assurance Plan
Internal Audit Documentation and Working Papers

Internal Audit Documentation and Working Papers
Environmental Management System (EMS)

Environmental Management System (EMS)
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
1 Compliance Guidance for Initial Compliance Review Dates Lew Folkerth 2Q2010 Webinar June 22, 2010.

1 Compliance Guidance for Initial Compliance Review Dates Lew Folkerth 2Q2010 Webinar June 22, 2010.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Auditing Computer Systems

Auditing Computer Systems
Project 2008-06 Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.

Project Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Ports and Services An Audit Approach ReliabilityFirst CIP Webinar Thursday, September 30, 2010 Lew Folkerth, Senior Engineer - Compliance.

1 Ports and Services An Audit Approach ReliabilityFirst CIP Webinar Thursday, September 30, 2010 Lew Folkerth, Senior Engineer - Compliance.
Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security

Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security
Security Controls – What Works

Security Controls – What Works
IS Audit Function Knowledge

IS Audit Function Knowledge
ISO 9001 Interpretation : Exclusions

ISO 9001 Interpretation : Exclusions
OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.

OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.

Similar presentations

Ads by Google