Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

Transcription

1 NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method R2 Critical Asset Identification R3 Critical Cyber Asset Identification Procedures and Evaluation Criteria List of Identified Critical Assets Completed (Y/N) Owner Document Name Location / Server Notes List of Associated Critical Cyber Assets R4 Annual Approval Annual Approval by Senior Manager Signed and Dated Record of the Senior Manager approval of the list Based on R1, R2, and R3, responsible entity may determine that it has no Critical Assets or Critical Cyber Assets CIP-003 Security Management Controls R1 Cyber Security Policy(ies) CIP Requirements Emergency Provisions Accessibility Security Classification Annual Review and Approval No Deficiencies Prior to Approval R2 Leadership R3 Exceptions Senior Manager in Charge Name Phone Address Date of Designation Identified within 30 days of change? Documented Within 30 Days of Approval Why the Exception is Necessary

2 R4 Information Protection Compensation Measures Statement of Accept Annual Review (Applicability) Identify, classify, and protect information associated with critical cyber assets The critical cyber asset information to be protected shall include at at minimum: Operational Procedures Lists as required in CIP-002 Network topology or similar diagrams Floor plans of computing centers that contain critical cyber assets Equipmnet layouts of critical cyber assets Disaster recovery plans Incident response plans Security configuration information R5 Access Control R6 Change Control Classify information based on sensitivity Annual Review Assess adherence to its protection program Document the assessment Results Create an action plan to remediate deficiencies Discovery of all access points Access Control Documentation Who Can Grant Access - Name, Title, Phone, Responsible Access Authorizations Request and Authorization Process Anuual Review Change Control and Configuration Management Documentation

3 Types of Changes Who Initiates Who Approves Who Tests Results Lessons Learned CIP-004 Personnel and Training R1 Awareness R2 Training Awareness Program Sound Security Practices Can be in form of: Memos Computer Based Training Posters Intranet Brochures Presentations Meetings Quarterly Proper use of critical cyber assets Physical and electronic access controls to critical cyber assets Proper handling of critical cyber asset information R3 Personnel Risk Assessment Action plans and procedures to recover or re-establish critical cyber assets and access thereto following a cyber incident Attendance records Training Date Annual Attendance Quarterly Review Required Checks Identity verification (DHS Form I-9) Seven Year Criminal Check

4 Update each personnel risk assessment at least every 7 years or for cause Results R4 Access Access Control Documentation Who Has Access CIP-005 Electronic Security Perimeters R1 Electronic Security Perimeter (Access Points / Assets) R2 Electronic Access Controls R3 Monitoring Electronic Access R4 Cyber Vulnerability Assessment Critical Cyber Assets within the ESP Non-Critical Cyber Assets within the ESP Access Points for the ESP List Tools and Mechanisms Dial-up security Procedural Controls Authentication Methods Documentation of log and monitoring controls for the electronic security perimeter Scope Process / Procedure Frequency Service / Port Review Review of Controls (accounts) Review of Controls (passwords) Findings / Results Remediation / Mitigation Plan Action Plan

5 R5 Documentation Review & Maintenance CIP-006 Physical Security R1 Physical Security Plan R2 Physical Access Controls R3 Monitoring Physical Access R4 Logging Physical Access Access logs and documentation of review, changes, and log retention Modifications are documented within 90 days Logs are retained for 90 days Physical Security Perimeter Controlled Access Points Monitor Physical Access Appropriate Use Procedures Access Authorization & Revocation Escorted Access Procedures Plan Updating Process PSP Cyber Assets Protection Annual Plan Review Must be one of the following: Card Key Special Locks Security Personnel Other Authentication Devices Alarm Systems Human Observation Access Points Sufficient information to uniquely identify individuals Times of access 24x7 Computerized Logging? Video Recording? Manual Logging?

6 R5 Access Log Retension R6 Maintenance & Testing At least 90 days CIP-007 Systems Security Management R1 Test Procedures R2 Ports & Services R3 Security Patch Management Physical Security Mechanisms on a cycle no longer than 3 years Retention Period Outage Records Implementation of security patches Cumulative service packs Vendor releases Version upgrades of operating systems Applications Database platforms Other third-party software or firmware Any change that might introduce vulnerabilities into the production environment Results which assets are tested Anticipated changes Test/Fail Criteria Results Process to ensure that only those ports and services required for normal and emergency operations are enabled Approved Ports / services Used Ports / Services Disabled Ports / Services Exceptions and compensation measure Document changes within 90 days Tracking Evaluating Testing Installing

7 R4 Malicious Software Protection R5 Account Management R6 Security Status Monitoring R7 Disposal or Redeployment R8 Cyber Vulnerability Assessment R9 Documentation Review & Maintenance Exceptions Tools used Update and signature Process Testing Implementation and documentation of technical and procedureal controls that enforce access authentication Tools and procedures Alerts Logs 90 day retension Process and Procedrues Prior to Disposal Prior to Redeployment Records of disposed or redeployed how / by whom Scope Process / Procedure Frequency Service / Port Review Review of access controls (Accounts) Findings / Results Remediation / Mitigation Plan Action Plan Process to review and update the documentation specified in CIP-007 at least annually

8 Changes are documented within 90 days CIP-008 Incident Reporting & Response Planning R1 Cyber Security Incident Response Plan Procedures to characterize and classify events R2 Cyber Security Incident Documentation Response Actions, Roles, Teams, Tools, Procedures, and Communications Plans Reporting Process Tasks required to report incidents Roles and responsibilities to execute the process Timing Requirements Process for updating the plan within 90 days of any changes Process for ensuring that the plan is reviewed at least annually Process for ensuring the plan is tested at least annually Incident logs reatianed for 3 years CIP-009 Recovery Plans for Critical Cyber Assets R1 Recovery Plans R2 Excercises Required actions in response to events or conditions of varying duration and severity that would activate the recover plan Criticality Classification Dependency Analysis Single point of failure analysis Recovery Time Objective Redundancy, diversity and survivability Emergency response Exercise Plan

9 R3 Change Control Roles and responsibilities Methods Lessons Learned Communicate changes within 90 days Manager R4 Backup and Restore R5 Testing Backup Media Process and procedures needed to successfully restore Tested at least annually to ensure that the information is available May be completed off-site Must be accessible to responders Assignments of and changes to the responsible leadership Exceptions Retain for 90 calender days - 3 calendar years