CIP Cyber Security – Security Management Controls


CIP-003-1 Cyber Security – Security Management Controls
Gary Campbell
CIP Compliance Workshop, Baltimore, MD, August 19-20, 2009
© ReliabilityFirst Corporation

Governance
Annotated Text of the Standard
- Annotations are NOT authoritative; they are commentary only.
Pre-audit questions
- Are intended to streamline the audit process
- Some go beyond what is required by the standard, for informational purposes
- Are intended to help organize information used for compliance
- Are intended as a starting point for review of the compliance documentation
The "plain language" of the standard will govern. The only authoritative text in this presentation is the language of the standard itself. All else is opinion and intended practice and is subject to change.
This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation.

CIP-003-1 Purpose
Standard CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Standard CIP-003 should be read as part of a group of standards numbered Standards CIP-002 through CIP-009. Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment. [1]
[1] Responsible Entities should develop their policies, procedures, and processes according to their own business practices while remaining cognizant of their compliance obligations and business risk.

CIP-003-1 R1 Annotated Text
R1. Cyber Security Policy — The Responsible Entity shall document [1] and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets.
[1] Documentation of the Responsible Entity's cyber security policy. To be valid, a document should contain entity identification, document title, date, approval signatures, and date of approval. The policy must be available for review by the audit team. Auditors will look for language addressing these points.

CIP-003-1 R1 Annotated Text (cont'd)
The Responsible Entity shall, at minimum, ensure the following:
R1.1. The cyber security policy addresses the requirements [1] in Standards CIP-002 through CIP-009, including provision for emergency situations.
R1.2. The cyber security policy is readily available [2] to all personnel who have access to, or are responsible for, Critical Cyber Assets.
R1.3. Annual review and approval [3] of the cyber security policy by the senior manager assigned pursuant to R2.
[1] The auditor will review the policy for each requirement of the CIP-002 through CIP-009 standards.
[2] Be prepared to provide or demonstrate how your policy is readily available (e.g., emails, memos, computer-based training, etc.).
[3] Documentation of the policy should contain review dates and approvals.

CIP-003-1 R2 Annotated Text
R2. Leadership — The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity's implementation of, and adherence to, Standards CIP-002 through CIP-009. [1]
[1] This person must be identified in your program. Documentation of the senior manager must be a part of the policy, as stated in R1.

CIP-003-1 R2 Annotated Text (cont'd)
R2.1. The senior manager shall be identified by name, title, business phone, business address, and date of designation.
R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date.
R2.3. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy. [1]
[1] Entities should consider documentation to track exceptions.

CIP-003-1 R3 Annotated Text
R3. Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). [1]
[1] These instances should be documented, providing a complete explanation of the exception as per the sub-requirements of R3, as part of your CIP policy.

CIP-003-1 R3 Annotated Text (cont'd)
R3.1. Exceptions to the Responsible Entity's cyber security policy must be documented [1] within thirty days of being approved by the senior manager or delegate(s).
[1] Documentation of exceptions, identifying dates of approval and of submission into the policy, must be available to substantiate and validate this requirement.

CIP-003-1 R3 Annotated Text (cont'd)
R3.2. Documented exceptions [1] to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk.
[1] Documentation of exceptions must include an explanation for each exception, identifying dates of approval and of submission into the policy, and must be available to substantiate this requirement.

CIP-003-1 R3 Annotated Text (cont'd)
R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. [1]
[1] Documentation of the designated senior manager or delegates (it must be clear that a delegate has been assigned by the senior manager).

CIP-003-1 R4 Annotated Text
R4. Information Protection — The Responsible Entity shall implement and document a program [1] to identify, classify, and protect information associated with Critical Cyber Assets.
[1] The documented program must be available for compliance review as part of your policy.

CIP-003-1 R4 Annotated Text (cont'd)
R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information. [1]
[1] Entities should use sound business judgment in identifying all CCA information, to reduce the entity's business and compliance risk.

CIP-003-1 R4 Annotated Text (cont'd)
R4.2. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information. [1]
[1] This classification needs to be documented as part of the policy.

CIP-003-1 R4 Annotated Text (cont'd)
R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment. [1]
[1] Documentation of all of these items, at a minimum, must be part of the entity's policy. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/revision tables are used by some entities.

CIP-003-1 R5 Annotated Text
R5. Access Control — The Responsible Entity shall document and implement a program [1] for managing access to protected Critical Cyber Asset information.
[1] A documented program for assigning access to protected CCA information must be available for review. Documentation validating implementation of these programs must also be available.

CIP-003-1 R5 Annotated Text (cont'd)
R5.1. The Responsible Entity shall maintain a list [1] of designated personnel who are responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, business phone, and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually. [2]
[1] Lists should be documented and provide all information required in R5.1.1. Having the ability to provide all changes for the audit period will be necessary. Some entities are using tracking tables to organize and track this information.
[2] Documentation of the annual review must be available.

CIP-003-1 R5 Annotated Text (cont'd)
R5.2. The Responsible Entity shall review [1] at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.
[1] Documentation of this annual review must be available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual review dates for the audit period. Tracking/revision tables are used by some entities.

CIP-003-1 R5 Annotated Text (cont'd)
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information. [1]
[1] Documentation of this annual assessment must be available to auditors for the scope of the audit period. Entities will need to be able to show the previous annual assessment dates for the audit period. Tracking/revision tables are used by some entities.

CIP-003-1 R6 Annotated Text
R6. Change Control and Configuration Management — The Responsible Entity shall establish and document [1] a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control, and document [2] all entity- or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
[1] Documentation of this process must be a part of the entity's policy and cover, at a minimum, all aspects of change control and configuration management identified in this requirement.
[2] Documentation of entity- and vendor-related changes must be available for review as part of the program.

Points to Remember
Documentation is the essential key to compliance and a successful audit.
- Identify what the standard states "shall" or "must" be done as part of its content (document, communicate, provide).
- Identify all items the standard states "shall" or "must" be included as part of your documentation.

Points to Remember (cont'd)
- Be sure to prepare documentation that is valid and can be substantiated.
- To be valid, it should identify the entity, date, approval signatures, and date of approval or effective date.
- To be substantiated, documentation should be available to support the evidence you are presenting as compliance with the standard.
- Review your documentation in preparation for an audit or annual review. Consider having internal or external reviews of your documentation.
Remember: be prepared to Document, Validate, and Substantiate your evidence of compliance!

CIP-003-1 Questions?