We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKelvin Chesnutt
Modified over 4 years ago
CIP-003-1 Cyber Security – Security Management ControlsGary Campbell CIP Compliance Workshop Baltimore, MD August 19-20, 2009 1 © ReliabilityFirst Corporation
Governance Annotated Text of the StandardAnnotations are NOT authoritative, they are commentary only Pre-audit questions Are intended to streamline the audit process Some go beyond what is required by the standard for informational purposes Are intended to help organize information used for compliance Are intended as a starting point for review of the compliance documentation The “plain language” of the standard will govern The only authoritative text in this presentation is that of the language of the standard. All else is opinion and intended practice and is subject to change. This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation. 2 © ReliabilityFirst Corporation
CIP-003-1 Purpose Standard CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Standard CIP-003 should be read as part of a group of standards numbered Standards CIP-002 through CIP Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.1 1 Responsible Entities should develop it’s policies, procedures, processes according their business practices while being cognizant of their obligation of compliance and business risk. 3 © ReliabilityFirst Corporation
CIP R1 Annotated Text R1. Cyber Security Policy — The Responsible Entity shall document1 and implement a cyber security policy2 that represents management’s commitment and ability to secure its Critical Cyber Assets. 1. Documentation of the Responsible Entity’s cyber security policy. To be valid a document should contain entity identification document title, date, approval signatures and date of approval. A policy must be available for review of the audit team. Auditors will look to find language addressing these points. 4 © ReliabilityFirst Corporation
CIP-003-1 R1 Annotated Text (cont’d)The Responsible Entity shall, at minimum, ensure the following: R1.1. The cyber security policy addresses the requirements1 in Standards CIP-002 through CIP-009, including provision for emergency situations. R1.2. The cyber security policy is readily available2to all personnel who have access to, or are responsible for, Critical Cyber Assets. R1.3. Annual review and approval 3 of the cyber security policy by the senior manager assigned pursuant to R2.(e.g., s, memos, computer based training, etc.); 1 Auditor will review policies for each requirement of the CIP -002 through CIP-009 standards 2 Be prepared to provide or demonstrate how your policy is readily available 3 Documentation of policy should contain review dates and approvals 5 © ReliabilityFirst Corporation
CIP R2 Annotated Text R2. Leadership — The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002 through CIP-009.1 1. This person must be identified in your program. Documentation of the senior manager must be a part of the policy as stated in R1. 6 © ReliabilityFirst Corporation
CIP-003-1 R2 Annotated Text (cont’d)R2.1. The senior manager shall be identified by name, title, business phone, business address, and date of designation. R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date1. R2.3. The senior manager or delegate(s), shall authorize and document any exception from the requirements of the cyber security policy 1. Entities should consider documentation to track exceptions. 7 © ReliabilityFirst Corporation
CIP R3 Annotated Text R3. Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). 1 1. These instances should be documented providing a complete explanation of the exception as per the sub-requirements of R3 as part of your CIP policy. 8 © ReliabilityFirst Corporation
CIP-003-1 R3 Annotated Text (cont’d)R3.1. Exceptions to the Responsible Entity’s cyber security policy must be documented 1 within thirty days of being approved by the senior manager or delegate(s). 1 Documentation of exceptions identifying dates of approval and submission into the policy must be available to substantiate this requirement and validate this requirement. 9 © ReliabilityFirst Corporation
CIP-004-1 R3 Annotated Text (cont’d)R3.2. Documented exceptions 1 to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk. 1 Documentation of exceptions must include an explanation for each exception. identifying dates of approval and submission into the policy and must be available to substantiate this requirement. 10 © ReliabilityFirst Corporation
CIP-003-1 R3 Annotated Text (cont’d)R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. 1 1. Documentation of the designated senior manager or delegates (it must clear that a delegate has been assigned by the senior manager). 11 © ReliabilityFirst Corporation
CIP R4 Annotated Text R4. Information Protection — The Responsible Entity shall implement and document a program 1 to identify, classify, and protect information associated with Critical Cyber Assets. 1. Documented program must be available for review of compliance as part of your policy. 12 © ReliabilityFirst Corporation
CIP-003-1 R4 Annotated Text (cont’d)R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP- 002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information. 1 1. Entities should use sound business judgment to complete all CCA information to reduce an entities business and compliance risk. 13 © ReliabilityFirst Corporation
CIP-003-1 R4 Annotated Text (cont’d)R4.2. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information. 1 1. This information needs to be documented as part of the policy. 14 © ReliabilityFirst Corporation
CIP-003-1 R4 Annotated Text (cont’d)R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment. 1 1. Documentation of all items as a minimum must be part of an entities policy. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/Revision tables are used by some entities. 15 © ReliabilityFirst Corporation
CIP R5 Annotated Text R5. Access Control — The Responsible Entity shall document and implement a program 1 for managing access to protected Critical Cyber Asset information. 1. A documented program for assigning access to protected CCA information must be available for review. Documentation validating implementation of the these programs must also be available. 16 © ReliabilityFirst Corporation
CIP-003-1 R5 Annotated Text (cont’d)R5.1. The Responsible Entity shall maintain a list 1 of designated personnel who are responsible for authorizing logical or physical access to protected information. R Personnel shall be identified by name, title, business phone and the information for which they are responsible for authorizing access. R The list of personnel responsible for authorizing access to protected information shall be verified at least annual. 2 Lists should be documented and provide all information required in R Having the ability to provide all changes for the audit period will be necessary. Some entities are using tracking tales to organize and track this information. Documentation of annual review must be available. 17 © ReliabilityFirst Corporation
CIP-003-1 R5 Annotated Text (cont’d)R5.2. The Responsible Entity shall review 1 at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities. 1. Documentation for this annual review must be a available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/Revision tables are used by some entities. 18 © ReliabilityFirst Corporation
CIP-003-1R5 Annotated Text (cont’d)R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information. Documentation for this annual review must be a available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/Revision tables are used by some entities. 19 © ReliabilityFirst Corporation
CIP-003-1R6 Annotated Text (cont’d)R6. Change Control and Configuration Management — The Responsible Entity shall establish and document 1 a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting, configuration management activities to identify, control and document 2 all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process. Documentation of this process must be a part of an entities policy and cover all aspects of change control and configuration management identified in this requirement as a minimum. Documentation of entity and vendor related changes must be available for review as part of the program. 20 © ReliabilityFirst Corporation
Points to Remember Documentation is the essential key to compliance and a successful audit. Identify what the standard states “shall or must“ de done as part of its content. (Document, communicate, provide) Identify all items the standards states “shall or must“ be included as part of your documentation. 21 © ReliabilityFirst Corporation
Points to Remember Cont’dBe sure to prepare documentation that is valid and can be substantiated. To be valid it should identify the entity, date, approval signatures, date of approvals or effective date. To be substantiated, documentation should be available to support the evidence you are presenting as compliance to standard. Review your documentation in preparation for an audit or annual review. Consider having internal or external reviews of you documentation. Remember be prepared to Document, Validate and Substantiate your evidence of compliance! 22 © ReliabilityFirst Corporation
CIP-003-1 Questions? 23 © ReliabilityFirst Corporation
NERC Cyber Security Standards Pre-Ballot Review. Background Presidents Commission on Critical Infrastructure Protection PDD-63 SMD NOPR NERC Urgent Action.
EMS Checklist (ISO model)
Q1 Q – The data retention period for Standards CIP-002 to CIP-009 versions 2 and 3 state: “The Responsible Entity shall keep all documentation and records.
Key Reliability Standard Spot Check Frank Vick Compliance Team Lead.
Software Quality Assurance Plan
Ensuring Better Services and Fair Value “Introduction and roadmap to implementation of ISO in Zambia’s water utilities” Kasenga Hara March 2015.
Internal Audit Documentation and Working Papers
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
CIP Spot Check Process Gary Campbell Manager of Compliance Audits ReliabilityFirst Corporation August, 2009.
1 Compliance Guidance for Initial Compliance Review Dates Lew Folkerth 2Q2010 Webinar June 22, 2010.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Data Ownership Responsibilities & Procedures
Auditing Computer Systems
Project Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Ports and Services An Audit Approach ReliabilityFirst CIP Webinar Thursday, September 30, 2010 Lew Folkerth, Senior Engineer - Compliance.
Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Security Controls – What Works
IS Audit Function Knowledge
© 2019 SlidePlayer.com Inc. All rights reserved.