Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security

1 Bryan J. Carr, PMP, CISA, Compliance Auditor, Cyber Security
CIP Personnel & Training
May 14, 2014, CIP v5 Roadshow – Salt Lake City, UT

2 Agenda
Applicability
Implementation
CIP-004-5 R1-R5: Overview, Audit Approach, Tips

3 Compliance is like an onion…
Positives:
Important ingredient in the stew of reliability
Adds flavor to an organization
Improves overall health of the BES
Peel back layers of evidence
Negatives:
It stinks
Makes people cry
Known to aggravate certain medical conditions
Causes indigestion
Can be dry
Known to cause shock

4 Goal
Communicate WECC’s audit approach for each Requirement of CIP-004-5

5 CIP Purpose “To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.”

6 Policy, Program, Process, Procedure…
Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure.

7 CIP-004-5 Extreme Acronyms
HIBESCS MIBESCS HIBESCSATAEACMSAPACS HIBESCSATAEACMS MIBESCSWERCATAEACMSAPACS

8 CIP-004-5 Applicability
HIBESCS: High Impact BES Cyber Systems (R1)
MIBESCS: Medium Impact BES Cyber Systems (R1)
HIBESCSATAEACMSAPACS: High Impact BES Cyber Systems and their associated EACMS and PACS (R2-R5 except Part 5.5)
HIBESCSATAEACMS: High Impact BES Cyber Systems and their associated EACMS (Part 5.5 only)
MIBESCSWERCATAEACMSAPACS: Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PACS (R2-R5 except Part 5.5)

9 CIP-004-5 Implementation
By April 1, 2016: CIP-004-5 R1-R5, except as noted below
On or before July 1, 2016: CIP-004-5, R4, Part 4.2
On or before April 1, 2017: CIP-004-5, R2, Part 2.3; CIP-004-5, R4, Part 4.3 and Part 4.4
Within 7 years after the last PRA performed: CIP-004-5, Requirement R3, Part 3.5

10 CIP-004-5 R1 Overview
Security Awareness Program
Reinforce cyber (and physical) security practices
Once each calendar quarter
Applies to: High & Medium BESCS

11 CIP-004-5 R1 Audit Approach
Documented process covering all of R1
Quarterly reinforcement
Evidence demonstrating: content, delivery method

12 CIP-004-5 R1 Tips
Informational program reinforcing logical and physical security practices
Strong awareness programs leverage various content and content delivery methods
R1 applies to High and Medium BES Cyber Systems

13 CIP-004-5 R2 Overview
Cyber security training specific to roles, functions, responsibilities
Training content specified in Parts 2.1.1 – 2.1.9
Train PRIOR to granting access
Refresh annually (at least once every 15 months)
Applies to: High & Medium (w/ERC) BESCS + EACMS + PACS

14 Training

15 CIP-004-5 R2 Audit Approach
Documented role-based training programs, e.g. Sys Admin vs. Operator vs. Security Guard
Does training cover Parts 2.1.1 – 2.1.9?
Validate training prior to access: compare dates
Validate annual refresh
Review controls in place to ensure timely delivery of training and annual refreshers

16 CIP-004-5 R2 Tips
You have flexibility to develop customized/personalized training program(s)
Don’t get too granular with role-based training
Not intended to be technical training
CIP Exceptional Circumstances – consider how it applies to your organization

17 Quiz Time!!
All programs and policies specified throughout CIP require CIP Senior Manager approval.
Answer: False

18 CIP-004-5 R3 Overview
Personnel risk assessment
Confirm identity
7-year criminal history check
Process & criteria to evaluate results
PRAs for contractors & vendors
Renewal process

19 Personnel Risk Assessment

20 CIP-004-5 R3 Audit Approach
Documented PRA process – does it include:
Identity validation
7-year criminal history
Supporting documentation if 7 years cannot be completed
Evaluation of results
Tracking PRA dates – initial & renewal
Evaluate controls in place to ensure timely completion, renewal, and tracking of PRAs

21 CIP-004-5 R3 Tips
Criteria or process to evaluate criminal history (Part 3.3) is NEW – clearly identify the criteria or evaluation process & associated outputs
Check that PRA dates are PRIOR to access granted dates
Be prepared to request PRA evidence from vendors & contractors
PRAs performed for v3 don’t need to be re-done for v5

22 CIP-004-5 R4 Overview
Access Management Program
Access authorization process covering: cyber, physical, BES Cyber System Information
Quarterly verification of authorization
Annual verification of: privileges to BES Cyber Systems, access to BES Cyber System Information

23 Access Management

24 CIP-004-5 R4 Audit Approach
Documented access management program – does it address all aspects of Parts 4.1 – 4.4, including deliverables?
Validate quarterly & annual reviews
Validate access grants against system records
Evaluate controls related to access list maintenance, and quarterly & annual reviews

25 CIP-004-5 R4 Tips
Quarterly reviews = compare individuals actually provisioned against authorization records
Annual review = more detailed, to ensure least privilege is enabled
Work towards evolving beyond spreadsheets and paper forms
Continue tracking individuals and their role-based access rights
Consider separation of duties: provisioner vs. reviewer
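The quarterly "provisioned vs. authorized" comparison from the R4 tips, together with the "PRA and training dates PRIOR to access granted dates" check from the R2 and R3 audit approach slides, as an added example (not code from the presentation or from WECC). All people, systems and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    person: str
    system: str      # BES Cyber System / EACMS / PACS identifier (constructed)
    privilege: str   # e.g. "operator", "admin", "badge"
    granted: date    # date the access was actually provisioned

# Constructed sample data: what the entity's authorization records say...
AUTHORIZED = {
    ("alice", "ems-hmi-01", "operator"),
    ("bob", "ems-hmi-01", "admin"),
    ("carol", "substation-pacs", "badge"),
}
# ...versus what the systems themselves report as provisioned.
PROVISIONED = [
    Grant("alice", "ems-hmi-01", "operator", date(2014, 2, 3)),
    Grant("bob", "ems-hmi-01", "admin", date(2014, 1, 20)),
    Grant("dave", "ems-hmi-01", "operator", date(2014, 3, 1)),  # no authorization record
]
# Completion dates of role-based training (R2) and personnel risk assessment (R3).
TRAINING_DONE = {"alice": date(2014, 1, 15), "bob": date(2014, 1, 25), "dave": date(2014, 2, 1)}
PRA_DONE = {"alice": date(2013, 12, 1), "bob": date(2014, 1, 10), "dave": date(2014, 2, 15)}

def quarterly_review(authorized, provisioned):
    """R4-style quarterly verification: returns (provisioned but never authorized,
    authorized but not provisioned). The first list is the compliance problem;
    the second is stale paperwork worth reconciling."""
    live = {(g.person, g.system, g.privilege) for g in provisioned}
    return sorted(live - authorized), sorted(authorized - live)

def prerequisite_gaps(provisioned, training_done, pra_done):
    """R2/R3 check: training and PRA must be completed on or before the grant date.
    Returns (person, system, prerequisite) for every grant that fails."""
    gaps = []
    for g in provisioned:
        for name, done in (("training", training_done.get(g.person)),
                           ("pra", pra_done.get(g.person))):
            if done is None or done > g.granted:
                gaps.append((g.person, g.system, name))
    return gaps

if __name__ == "__main__":
    unauthorized, unprovisioned = quarterly_review(AUTHORIZED, PROVISIONED)
    print("provisioned without authorization:", unauthorized)
    print("authorized but not provisioned:", unprovisioned)
    print("granted before training/PRA:", prerequisite_gaps(PROVISIONED, TRAINING_DONE, PRA_DONE))
```

The same two functions run unchanged over a real export of authorization records and system account lists, which is the evidence the audit approach slides ask for.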

26 CIP-004-5 R5 Overview
Documented access revocation process
Terminations:
Initiate removal of ability for physical and interactive remote access immediately and complete within 24 hours
Revoke logical/physical access to designated storage locations by end of next calendar day
Revoke non-shared user accounts within 30 days
Change shared account passwords within 30 days
Transfers/Reassignments:
Revoke logical & physical access by end of next business day
5.3 For termination actions, revoke the individual’s access to the designated storage locations for BES Cyber System Information, whether physical or electronic (unless already revoked according to Requirement R5.1), by the end of the next calendar day following the effective date of the termination action.
5.4 For termination actions, revoke the individual’s non-shared user accounts (unless already revoked according to Parts 5.1 or 5.3) within 30 calendar days of the effective date of the termination action.

27 Access Revocation

28 CIP-004-5 R5 Audit Approach
Processes for terminations and transfers/reassignments
Do the processes cover everything in Parts 5.1 through 5.5?
Do your processes point to procedures detailing how each action is carried out?
Proof of performance: records, lists, screenshots, tickets, e-mails, system reports, forms, etc.

29 CIP-004-5 R5 Tips
Define the start trigger for the termination/transfer process
Read Part 5.1 carefully – deliberate wording. Document how you define "ability to access"
NEW – designated storage locations, whether physical or electronic, for BES Cyber System Information – identify and document
NEW – extenuating operating circumstances (changing shared account passwords, Part 5.5) – define, document, and track
Part 5.5 only applies to High Impact BES CA and associated EACMS
Workflow diagrams are an auditor’s best friend
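The R5 termination clocks as the slides summarize them (Parts 5.1, 5.3, 5.4 and 5.5), turned into a check that compares the entity's completion evidence against each deadline, as an added example that is not part of the presentation. The effective time and the completion timestamps are constructed.

```python
from datetime import datetime, timedelta

# Every deadline runs from the effective date/time of the termination action.
def end_of_next_calendar_day(effective: datetime) -> datetime:
    """23:59:59 on the calendar day after the effective date (Part 5.3 wording)."""
    next_day = effective.date() + timedelta(days=1)
    return datetime.combine(next_day, datetime.max.time()).replace(microsecond=0)

def termination_deadlines(effective: datetime) -> dict:
    return {
        "remove_interactive_remote_and_physical_access": effective + timedelta(hours=24),  # 5.1
        "revoke_bcsi_storage_access": end_of_next_calendar_day(effective),                 # 5.3
        "revoke_non_shared_accounts": effective + timedelta(days=30),                      # 5.4
        "change_shared_account_passwords": effective + timedelta(days=30),                 # 5.5
    }

def late_actions(effective: datetime, completed: dict) -> list:
    """Return (action, deadline, completed_at) for each action with no evidence
    of completion, or whose evidence is timestamped after the deadline."""
    late = []
    for action, deadline in termination_deadlines(effective).items():
        done = completed.get(action)
        if done is None or done > deadline:
            late.append((action, deadline, done))
    return late

# Constructed evidence for one termination (not from the presentation): the
# timestamps an auditor would pull from HR, the PACS, the directory, and tickets.
EFFECTIVE = datetime(2014, 5, 14, 16, 30)
COMPLETED = {
    "remove_interactive_remote_and_physical_access": datetime(2014, 5, 15, 15, 0),  # within 24h
    "revoke_bcsi_storage_access": datetime(2014, 5, 16, 8, 0),                      # next morning: late
    "revoke_non_shared_accounts": datetime(2014, 6, 10, 9, 0),                      # within 30 days
    # no record at all of the shared-account password change (Part 5.5)
}

if __name__ == "__main__":
    for action, deadline, done in late_actions(EFFECTIVE, COMPLETED):
        print(f"LATE/MISSING: {action} (deadline {deadline}, evidence {done})")
```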

30 Resources, References, & Light Reading
NERC v3 to v5 mapping document (pp. 8-11)
FERC Order 791 (pp )
2011 v5 SDT Presentation (pp )
A couple of R4 questions that we’ll seek answers to during an audit…

31 Questions?
Bryan J. Carr, PMP, CISA, Compliance Auditor, Cyber Security

