Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identification Method



Transcription:

NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identification Method R2 Critical Asset Identification R3 Critical Cyber Asset Identification Procedures and Evaluation Criteria List of Identified Critical Assets Completed (Y/N) Owner Document Name Location / Server Notes List of Associated Critical Cyber Assets R4 Annual Approval Annual Approval by Senior Manager Signed and Dated Record of the Senior Manager approval of the list Based on R1, R2, and R3, responsible entity may determine that it has no Critical Assets or Critical Cyber Assets CIP-003 Security Management Controls R1 Cyber Security Policy(ies) CIP Requirements Emergency Provisions Accessibility Security Classification Annual Review and Approval No Deficiencies Prior to Approval R2 Leadership R3 Exceptions Senior Manager in Charge Name Phone Address Date of Designation Identified within 30 days of change? Documented Within 30 Days of Approval Why the Exception is Necessary

R4 Information Protection Compensation Measures Statement of Accept Annual Review (Applicability) Identify, classify, and protect information associated with critical cyber assets The critical cyber asset information to be protected shall include at a minimum: Operational Procedures Lists as required in CIP-002 Network topology or similar diagrams Floor plans of computing centers that contain critical cyber assets Equipment layouts of critical cyber assets Disaster recovery plans Incident response plans Security configuration information R5 Access Control R6 Change Control Classify information based on sensitivity Annual Review Assess adherence to its protection program Document the assessment Results Create an action plan to remediate deficiencies Discovery of all access points Access Control Documentation Who Can Grant Access - Name, Title, Phone, Responsible Access Authorizations Request and Authorization Process Annual Review Change Control and Configuration Management Documentation

Types of Changes Who Initiates Who Approves Who Tests Results Lessons Learned CIP-004 Personnel and Training R1 Awareness R2 Training Awareness Program Sound Security Practices Can be in form of: Email Memos Computer Based Training Posters Intranet Brochures Presentations Meetings Quarterly Proper use of critical cyber assets Physical and electronic access controls to critical cyber assets Proper handling of critical cyber asset information R3 Personnel Risk Assessment Action plans and procedures to recover or re-establish critical cyber assets and access thereto following a cyber incident Attendance records Training Date Annual Attendance Quarterly Review Required Checks Identity verification (DHS Form I-9) Seven Year Criminal Check

Update each personnel risk assessment at least every 7 years or for cause Results R4 Access Access Control Documentation Who Has Access CIP-005 Electronic Security Perimeters R1 Electronic Security Perimeter (Access Points / Assets) R2 Electronic Access Controls R3 Monitoring Electronic Access R4 Cyber Vulnerability Assessment Critical Cyber Assets within the ESP Non-Critical Cyber Assets within the ESP Access Points for the ESP List Tools and Mechanisms Dial-up security Procedural Controls Authentication Methods Documentation of log and monitoring controls for the electronic security perimeter Scope Process / Procedure Frequency Service / Port Review Review of Controls (accounts) Review of Controls (passwords) Findings / Results Remediation / Mitigation Plan Action Plan

R5 Documentation Review & Maintenance CIP-006 Physical Security R1 Physical Security Plan R2 Physical Access Controls R3 Monitoring Physical Access R4 Logging Physical Access Access logs and documentation of review, changes, and log retention Modifications are documented within 90 days Logs are retained for 90 days Physical Security Perimeter Controlled Access Points Monitor Physical Access Appropriate Use Procedures Access Authorization & Revocation Escorted Access Procedures Plan Updating Process PSP Cyber Assets Protection Annual Plan Review Must be one of the following: Card Key Special Locks Security Personnel Other Authentication Devices Alarm Systems Human Observation Access Points Sufficient information to uniquely identify individuals Times of access 24x7 Computerized Logging? Video Recording? Manual Logging?

R5 Access Log Retention R6 Maintenance & Testing At least 90 days CIP-007 Systems Security Management R1 Test Procedures R2 Ports & Services R3 Security Patch Management Physical Security Mechanisms on a cycle no longer than 3 years Retention Period Outage Records Implementation of security patches Cumulative service packs Vendor releases Version upgrades of operating systems Applications Database platforms Other third-party software or firmware Any change that might introduce vulnerabilities into the production environment Results which assets are tested Anticipated changes Test/Fail Criteria Results Process to ensure that only those ports and services required for normal and emergency operations are enabled Approved Ports / services Used Ports / Services Disabled Ports / Services Exceptions and compensation measure Document changes within 90 days Tracking Evaluating Testing Installing

R4 Malicious Software Protection R5 Account Management R6 Security Status Monitoring R7 Disposal or Redeployment R8 Cyber Vulnerability Assessment R9 Documentation Review & Maintenance Exceptions Tools used Update and signature Process Testing Implementation and documentation of technical and procedural controls that enforce access authentication Tools and procedures Alerts Logs 90 day retention Process and Procedures Prior to Disposal Prior to Redeployment Records of disposed or redeployed how / by whom Scope Process / Procedure Frequency Service / Port Review Review of access controls (Accounts) Findings / Results Remediation / Mitigation Plan Action Plan Process to review and update the documentation specified in CIP-007 at least annually

Changes are documented within 90 days CIP-008 Incident Reporting & Response Planning R1 Cyber Security Incident Response Plan Procedures to characterize and classify events R2 Cyber Security Incident Documentation Response Actions, Roles, Teams, Tools, Procedures, and Communications Plans Reporting Process Tasks required to report incidents Roles and responsibilities to execute the process Timing Requirements Process for updating the plan within 90 days of any changes Process for ensuring that the plan is reviewed at least annually Process for ensuring the plan is tested at least annually Incident logs retained for 3 years CIP-009 Recovery Plans for Critical Cyber Assets R1 Recovery Plans R2 Exercises Required actions in response to events or conditions of varying duration and severity that would activate the recovery plan Criticality Classification Dependency Analysis Single point of failure analysis Recovery Time Objective Redundancy, diversity and survivability Emergency response Exercise Plan

R3 Change Control Roles and responsibilities Methods Lessons Learned Communicate changes within 90 days Manager R4 Backup and Restore R5 Testing Backup Media Process and procedures needed to successfully restore Tested at least annually to ensure that the information is available May be completed off-site Must be accessible to responders Assignments of and changes to the responsible leadership Exceptions Retain for 90 calendar days - 3 calendar years