
1 CIP-004-1 Cyber Security – Personnel & Training Steve Garn CIP Compliance Workshop Baltimore, MD August 19-20, 2009 © ReliabilityFirst Corporation.


2  Governance
Annotated Text of the Standard
  Annotations are NOT authoritative; they are commentary only.
Pre-audit questions
  Are intended to streamline the audit process
  Some go beyond what is required by the standard, for informational purposes
  Are intended to help organize information used for compliance
  Are intended as a starting point for review of the compliance documentation
The “plain language” of the standard will govern.
The only authoritative text in this presentation is that of the language of the standard. All else is opinion and intended practice and is subject to change.
This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation.

3  CIP-004-1 Purpose
Standard CIP-004 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness.

4  CIP-004-1 R1 Annotated Text
R1. Awareness — The Responsible Entity shall establish, maintain, and document a security awareness program to ensure personnel [1] having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices.
[1] Includes contractors and service vendors.

5  CIP-004-1 R1 Annotated Text (cont’d)
The program shall include security awareness reinforcement on at least a quarterly basis [2] using mechanisms such as:
  Direct communications (e.g., emails, memos, computer based training, etc.);
  Indirect communications (e.g., posters, intranet, brochures, etc.);
  Management support and reinforcement (e.g., presentations, meetings, etc.).
[2] Documentation of quarterly reinforcement of the program is required by the standard. Items for substantiating compliance to this requirement may be distribution/completion lists, content descriptions, and distribution methods.

6  CIP-004-1 R2 Annotated Text
R2. Training — The Responsible Entity shall establish, maintain, and document an annual cyber security training program for personnel [3] having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and review the program annually and update as necessary.
[3] Includes contractors and service vendors.

7  CIP-004-1 R2 Annotated Text (cont’d)
R2.1. This program will ensure that all personnel having such access to Critical Cyber Assets, including contractors and service vendors, are trained within ninety calendar days of such authorization [4].
[4] Documentation of the dates when personnel were given authorized cyber or authorized unescorted physical access to Critical Cyber Assets. Also, documentation that training occurred within 90 days of authorization.

8  CIP-004-1 R2 Annotated Text (cont’d)
R2.2. Training [5] shall cover the policies, access controls, and procedures as developed for the Critical Cyber Assets covered by CIP-004, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
  R2.2.1. The proper use of Critical Cyber Assets;
  R2.2.2. Physical and electronic access controls to Critical Cyber Assets;
  R2.2.3. The proper handling of Critical Cyber Asset information; and,
  R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.
[5] The program shall cover the minimum training as defined in this requirement. Documentation of these training materials is essential to verify that each of these items is covered in all versions of the training materials in effect during the audit period.

9  CIP-004-1 R2 Annotated Text (cont’d)
R2.3. The Responsible Entity shall maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records [6].
[6] Documentation of dates and attendees for each training class. For computer based training, make sure the date is the date of completion for each individual and not the date the training became available.

10  CIP-004-1 R3 Annotated Text
R3. Personnel Risk Assessment — The Responsible Entity shall have a documented personnel risk assessment program [7], in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel [8] having authorized cyber or authorized unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program within thirty days [9] of such personnel being granted such access.
[7] Documentation describing the program, including all versions in effect during the audit period.
[8] Includes contractors and service vendors.
[9] Documentation of the date the personnel risk assessment was completed for each individual.

11  CIP-004-1 R3 Annotated Text (cont’d)
Such program shall at a minimum include:
R3.1. The Responsible Entity shall ensure that each assessment conducted include, at least, identity verification (e.g., Social Security Number verification in the U.S.) and seven year criminal check. The Responsible Entity may conduct more detailed reviews [10], as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position.
[10] The Personnel Risk Assessment Program documentation should describe what is reviewed, including any variations for different personnel groups.

12  CIP-004-1 R3 Annotated Text (cont’d)
R3.2. The Responsible Entity shall update each personnel risk assessment [11] at least every seven years after the initial personnel risk assessment or for cause.
[11] Documentation supporting the requirement for the seven year assessment or the for-cause assessment.

13  CIP-004-1 R3 Annotated Text (cont’d)
R3.3. The Responsible Entity shall document the results [12] of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004.
[12] Documentation of the results of the personnel risk assessment for each individual. Sensitive information may be removed.

14  CIP-004-1 R4 Annotated Text
R4. Access — The Responsible Entity shall maintain list(s) of personnel [13] with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
[13] Includes contractors and service vendors.

15  CIP-004-1 R4 Annotated Text (cont’d)
R4.1. The Responsible Entity shall review the list(s) of its personnel who have such access to Critical Cyber Assets quarterly [14], and update the list(s) within seven calendar days [15] of any change of personnel with such access to Critical Cyber Assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) [16] for contractors and service vendors are properly maintained.
[14] Documentation of the quarterly review of the access list(s) of its personnel, including the documents reviewed and the dates completed.
[15] Documentation of the dates of changes to the access list(s) for a change of personnel or a change in their access rights. Include the date the need for the change became known.
[16] Documentation for contractors and service vendors, if different from that supplied above.

16  CIP-004-1 R4 Annotated Text (cont’d)
R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets [17].
[17] Documentation of the dates of personnel changes, the reason for each change, and the dates access was revoked. Also, documentation confirming that all persons whose access should have been revoked have had it revoked properly.

17  CIP-004-1 Compliance Tips
  Think like an auditor and use the pre-audit questionnaire to be clear and detailed on how your evidence proves compliance.
  Provide detailed documentation for every step of your processes, procedures, etc. (Word, Excel, Access, PDF, etc.).
  When providing your lists of people and dates, use a unique identifier in each list, such as Employee ID, so the lists can be compared correctly: “John D. Smith” is not the same as “Smith, J.” or “Don Smith”.
  Perhaps supply an additional spreadsheet that pulls it all together and includes all applicable personnel, their training dates, physical access grant/revoke dates, cyber access grant/revoke dates, and personnel assessment dates.
  Include contractors and service vendors.
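As an added example (not from the presentation or from ReliabilityFirst), the following Python reconciles a consolidated personnel list of the kind slide 17 recommends, keyed by Employee ID, and flags the timing gaps an auditor would look for under R2.1 (training within 90 days), R3 (personnel risk assessment within 30 days) and R4.2 (revocation within 24 hours for cause, otherwise 7 days). The record layout, field names and every date are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records keyed by Employee ID (hypothetical values).
# Timestamps are "YYYY-MM-DD HH:MM"; None means no completion date is on file.
RECORDS = [
    {"id": "E1001", "granted": "2009-01-05 09:00", "trained": "2009-03-20 14:00",
     "pra": "2009-01-20 10:00", "change_known": None, "revoked": None, "for_cause": False},
    {"id": "E1002", "granted": "2009-02-10 08:00", "trained": "2009-06-01 09:00",
     "pra": "2009-02-12 10:00", "change_known": "2009-03-25 16:00",
     "revoked": "2009-03-26 09:00", "for_cause": True},
    {"id": "E1003", "granted": "2009-03-01 08:00", "trained": None,
     "pra": "2009-04-15 10:00", "change_known": "2009-04-20 12:00",
     "revoked": "2009-04-30 12:00", "for_cause": False},
]


def _ts(value):
    """Parse a record timestamp, passing None through unchanged."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M") if value else None


def check_deadline(trigger, done, limit, label):
    """Return a finding string, or None when `done` falls within `limit` of `trigger`."""
    if done is None:
        return f"{label}: no completion date on file"
    elapsed = done - trigger
    if elapsed > limit:
        return f"{label}: completed {elapsed} after the trigger date, limit {limit}"
    return None


def audit(record):
    """Findings for one person against R2.1, R3 and R4.2 timing requirements."""
    granted = _ts(record["granted"])
    findings = []
    for field, limit, label in (("trained", timedelta(days=90), "R2.1 training"),
                                ("pra", timedelta(days=30), "R3 personnel risk assessment")):
        finding = check_deadline(granted, _ts(record[field]), limit, label)
        if finding:
            findings.append(finding)
    if record["change_known"]:  # access change recorded: apply the R4.2 clock
        limit = timedelta(hours=24) if record["for_cause"] else timedelta(days=7)
        finding = check_deadline(_ts(record["change_known"]), _ts(record["revoked"]),
                                 limit, "R4.2 access revocation")
        if finding:
            findings.append(finding)
    return findings


def audit_all(records):
    """Map each Employee ID to its list of findings (empty list means no gap found)."""
    return {r["id"]: audit(r) for r in records}
```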

18  CIP-004-1 Questions?

