Standard CIP 003 1 Cyber Security Security Management Controls



Similar documents
Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management

Standard CIP 004 3a Cyber Security Personnel and Training

CIP Cyber Security Security Management Controls

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

Information Shield Solution Matrix for CIP Security Standards

NERC Cyber Security Standards

Implementation Plan for Version 5 CIP Cyber Security Standards

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

BSM for IT Governance, Risk and Compliance: NERC CIP

NERC CIP Tools and Techniques

Summary of CIP Version 5 Standards

NERC CIP Compliance with Security Professional Services

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Alberta Reliability Standard Cyber Security Personnel & Training CIP-004-AB-5.1

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

CIP Cyber Security Electronic Security Perimeter(s)

A. Introduction. B. Requirements. Standard PER System Personnel Training

BPA Policy Cyber Security Program

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Alberta Reliability Standard Cyber Security Security Management Controls CIP-003-AB-5

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

LogRhythm and NERC CIP Compliance

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

North American Electric Reliability Corporation. Compliance Monitoring and Enforcement Program. December 19, 2008

Cyber Security Standards Update: Version 5

Checklist For Business Recovery

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Cyber Security Compliance (NERC CIP V5)

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems

Voluntary Cyber Security Standards for Industrial Control Systems v

Designing Compliant and Sustainable Security Programs 1 Introduction

Automating NERC CIP Compliance for EMS. Walter Sikora 2010 EMS Users Conference

PROCEDURE. Ontario Technical Feasibility Exception PUBLIC. Issue 0.2 IESO_PRO_0680

Significant Revisions to OMB Circular A-127. Section Revision to A-127 Purpose of Revision Section 1. Purpose

Alberta Reliability Standard Cyber Security Implementation Plan for Version 5 CIP Security Standards CIP-PLAN-AB-1

Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1

INFORMATION TECHNOLOGY SECURITY STANDARDS

Reclamation Manual Directives and Standards

R345, Information Technology Resource Security 1

NPCC Implementation of the NERC Compliance Monitoring And Enforcement Program (CMEP)

TRIPWIRE NERC SOLUTION SUITE

SRA International Managed Information Systems Internal Audit Report

Reclamation Manual Directives and Standards

Information Security Program

CIP R2 BES Assets Containing Low Impact BCS. Lisa Wood, CISA, CBRA, CBRM Compliance Auditor Cyber Security

Meeting NERC CIP Access Control Standards. Presented on February 12, 2014

4.1.1 Generator Owner Transmission Owner that owns synchronous condenser(s)

Effective Use of Assessments for Cyber Security Risk Mitigation

CHAPTER 5 QUALITY CONTROL AND QUALITY ASSURANCE

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Alberta Reliability Standard Cyber Security Physical Security of BES Cyber Systems CIP-006-AB-5

PROCEDURE. Part 3.1: Metering Service Provider (MSP) Registration, Revocation, and Deregistration PUBLIC. Market Manual 3: Metering. Issue 14.

Information Security Policies. Version 6.1

Patching & Malicious Software Prevention CIP-007 R3 & R4

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, Electric Grid Operations

NERC CIP VERSION 5 COMPLIANCE

Information Technology Internal Audit Report

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

CANADIAN PAYMENTS ASSOCIATION LVTS RULE 11 CHANGE MANAGEMENT, TESTING AND CERTIFICATION

Technology Solutions for NERC CIP Compliance June 25, 2015

STATE OF NEW JERSEY Security Controls Assessment Checklist

Better secure IT equipment and systems

Midwest Reliability Organization Procedure For NERC PRC-012

The following provisions apply to the accrual and use of overtime compensation:

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

How To Ensure The C.E.A.S.A

FERC, NERC and Emerging CIP Standards

Supplier IT Security Guide

IT Security & Compliance Risk Assessment Capabilities

Entity Name ( Acronym) NCRnnnnn Risk Assessment Questionnaire

How To Assess A Critical Service Provider

CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS RULE E3 RULES APPLICABLE TO ELECTRONIC DATA INTERCHANGE TRANSACTIONS

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide

ONTARIO REGULATION proposed to be made under the

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

EPA Classification No.: CIO P-01.1 CIO Approval Date: 06/10/2013 CIO Transmittal No.: Review Date: 06/10/2016

Intel Enhanced Data Security Assessment Form

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report January 3, 2012

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Vendor Management. Outsourcing Technology Services

Management Standards for Information Security Measures for the Central Government Computer Systems

Security from a customer s perspective. Halogen s approach to security

Rules on Southern Companies Energy Auction Participation

Transcription:

A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-1 3. Purpose: Standard CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Standard CIP-003 should be read as part of a group of standards numbered Standards CIP-002 through CIP-009. Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment. 4. Applicability: 4.1. Within the text of Standard CIP-003, Responsible Entity shall mean: 4.1.1 Reliability Coordinator. 4.1.2 Balancing Authority. 4.1.3 Interchange Authority. 4.1.4 Transmission Service Provider. 4.1.5 Transmission Owner. 4.1.6 Transmission Operator. 4.1.7 Generator Owner. 4.1.8 Generator Operator. 4.1.9 Load Serving Entity. 4.1.10 NERC. 4.1.11 Regional Reliability Organizations. 4.2. The following are exempt from Standard CIP-003: 4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission. 4.2.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. 4.2.3 Responsible Entities that, in compliance with Standard CIP-002, identify that they have no Critical Cyber Assets. 5. B. Requirements The Responsible Entity shall comply with the following requirements of Standard CIP-003: R1. Cyber Security Policy The Responsible Entity shall document and implement a cyber security policy that represents management s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following: R1.1. The cyber security policy addresses the requirements in Standards CIP-002 through CIP-009, including provision for emergency situations. R1.2. The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets. Adopted by Board of Trustees: May 2, 2006 Page 1 of 5

R1.3. Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2. R2. Leadership The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity s implementation of, and adherence to, Standards CIP-002 through CIP-009. R2.1. The senior manager shall be identified by name, title, business phone, business address, and date of designation. R2.2. R2.3. Changes to the senior manager must be documented within thirty calendar days of the effective date. The senior manager or delegate(s), shall authorize and document any exception from the requirements of the cyber security policy. R3. Exceptions Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). R3.1. Exceptions to the Responsible Entity s cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s). R3.2. R3.3. Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. R4. Information Protection The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. R4.1. R4.2. R4.3. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP- 002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment. R5. Access Control The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information. R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. R5.1.1. Personnel shall be identified by name, title, business phone and the information for which they are responsible for authorizing access. R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually. Adopted by Board of Trustees: May 2, 2006 Page 2 of 5

R5.2. R5.3. The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity s needs and appropriate personnel roles and responsibilities. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information. R6. Change Control and Configuration Management The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendorrelated changes to hardware and software components of Critical Cyber Assets pursuant to the change control process. C. Measures The following measures will be used to demonstrate compliance with the requirements of Standard CIP-003: M1. Documentation of the Responsible Entity s cyber security policy as specified in Requirement R1. Additionally, the Responsible Entity shall demonstrate that the cyber security policy is available as specified in Requirement R1.2. M2. Documentation of the assignment of, and changes to, the Responsible Entity s leadership as specified in Requirement R2. M3. Documentation of the Responsible Entity s exceptions, as specified in Requirement R3. M4. Documentation of the Responsible Entity s information protection program as specified in Requirement R4. M5. The access control documentation as specified in Requirement R5. M6. The Responsible Entity s change control and configuration management documentation as specified in Requirement R6. D. Compliance 1. Compliance Monitoring Process 1.1. Compliance Monitoring Responsibility 1.1.1 Regional Reliability Organizations for Responsible Entities. 1.1.2 NERC for Regional Reliability Organization. 1.1.3 Third-party monitor without vested interest in the outcome for NERC. 1.2. Compliance Monitoring Period and Reset Time Frame Annually. 1.3. Data Retention 1.3.1 The Responsible Entity shall keep all documentation and records from the previous full calendar year. 1.3.2 The compliance monitor shall keep audit records for three years. 1.4. Additional Compliance Information 1.4.1 Responsible Entities shall demonstrate compliance through self-certification or audit, as determined by the Compliance Monitor. Adopted by Board of Trustees: May 2, 2006 Page 3 of 5

1.4.2 Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and approved by the designated senior manager or delegate(s). Refer to CIP-003, Requirement R3. Duly authorized exceptions will not result in non-compliance. 2. Levels of Noncompliance 2.1. Level 1: 2.1.1 Changes to the designation of senior manager were not documented in accordance with Requirement R2.2; or, 2.1.2 Exceptions from the cyber security policy have not been documented within thirty calendar days of the approval of the exception; or, 2.1.3 An information protection program to identify and classify information and the processes to protect information associated with Critical Cyber Assets has not been assessed in the previous full calendar year. 2.2. Level 2: 2.2.1 A cyber security policy exists, but has not been reviewed within the previous full calendar year; or, 2.2.2 Exceptions to policy are not documented or authorized by the senior manager or delegate(s); or, 2.2.3 Access privileges to the information related to Critical Cyber Assets have not been reviewed within the previous full calendar year; or, 2.2.4 The list of designated personnel responsible to authorize access to the information related to Critical Cyber Assets has not been reviewed within the previous full calendar year. 2.3. Level 3: 2.3.1 A senior manager has not been identified in accordance with Requirement R2.1; or, 2.3.2 The list of designated personnel responsible to authorize logical or physical access to protected information associated with Critical Cyber Assets does not exist; or, 2.3.3 No changes to hardware and software components of Critical Cyber Assets have been documented in accordance with Requirement R6. 2.4. Level 4: 2.4.1 No cyber security policy exists; or, 2.4.2 No identification and classification program for protecting information associated with Critical Cyber Assets exists; or, 2.4.3 No documented change control and configuration management process exists. E. Regional Differences None identified. Adopted by Board of Trustees: May 2, 2006 Page 4 of 5

Version History Version Date Action Change Tracking Adopted by Board of Trustees: May 2, 2006 Page 5 of 5

Standard CIP-003-1 Cyber Security Security Management Controls Appendix QC-CIP-003-1 Provisions specific to the standard CIP-003-1 applicable in Québec This appendix establishes specific provisions for the application of the standard in Québec. Provisions of the standard and of its appendix must be read together for the purposes of understanding and interpretation. Where the standard and appendix differ, the appendix shall prevail. A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-1 3. Purpose: 4. Applicability: Functions 4.1. Facilities Exemptions 4.2. The following are exempt from Standard CIP-003: 4.2.1 4.2.2 4.2.3 4.2.4 Entities identified in the Register of Entities that have no Critical Assets. 5. Effective Date: 5.1. Adoption of the standard by the Régie de l énergie: October 30, 2013 5.2. Adoption of the appendix by the Régie de l énergie: October 30, 2013 5.3. Effective date of the standard and its appendix in Québec: Month xx 201x B. Requirements C. Measures D. Compliance 1. Compliance Monitoring Process 1.1. Compliance Monitoring Responsibility 1.1.1 The Régie de l énergie is responsible, in Québec, for compliance monitoring with respect to the reliability standard and its appendix that it adopts. 1.1.2 1.1.3 Adopted by the Régie de l énergie (Decision D-2013-176): October 30, 2013 Page QC-1 of 2

Standard CIP-003-1 Cyber Security Security Management Controls Appendix QC-CIP-003-1 Provisions specific to the standard CIP-003-1 applicable in Québec 1.2. Compliance Monitoring Period and Reset Time Frame 1.3. Data Retention 1.4. Additional Compliance Information 2. Levels of Non-Compliance E. Regional Differences Revision History Revision Adoption Date Action Change Tracking 0 July 25, 2012 New appendix (decision D-2012-091) New 1 October 30 2013 Removed "Responsible" from section 4.2.4 Use of a new template Capitalized the term "Register of Entities" Revised Adopted by the Régie de l énergie (Decision D-2013-176): October 30, 2013 Page QC-2 of 2

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information