Bryan J. Carr, PMP, CISA, Compliance Auditor, Cyber Security CIP-004-5 Personnel & Training May 14, 2014 CIP v5 Roadshow – Salt Lake City, UT
Agenda • Applicability • Implementation • CIP-004-5 R1-R5 • Overview • Audit Approach • Tips
Compliance is like an onion… Positives: • Important ingredient in the stew of reliability • Adds flavor to an organization • Improves overall health of the BES • Peel back layers of evidence Negatives: • It stinks • Makes people cry • Known to aggravate certain medical conditions • Causes indigestion • Can be dry • Known to cause shock
Goal Communicate WECC’s audit approach for each Requirement of CIP-004-5
CIP-004-5 Purpose “To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.”
Policy, Program, Process, Procedure… Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure.
CIP-004-5 Extreme Acronyms • HIBESCS • MIBESCS • HIBESCSATAEACMSAPACS • HIBESCSATAEACMS • MIBESCSWERCATAEACMSAPACS
CIP-004-5 Applicability (EACMS = Electronic Access Control or Monitoring Systems; PACS = Physical Access Control Systems)
• HIBESCS – High Impact BES Cyber Systems (R1)
• MIBESCS – Medium Impact BES Cyber Systems (R1)
• HIBESCSATAEACMSAPACS – High Impact BES Cyber Systems and their associated EACMS and PACS (R2-R5 except Part 5.5)
• HIBESCSATAEACMS – High Impact BES Cyber Systems and their associated EACMS (Part 5.5 only)
• MIBESCSWERCATAEACMSAPACS – Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PACS (R2-R5 except Part 5.5)
CIP-004-5 Implementation
• By April 1, 2016: CIP-004-5 R1-R5, except as noted below
• On or before July 1, 2016: CIP-004-5 R4, Part 4.2 (first quarterly verification)
• On or before April 1, 2017: CIP-004-5 R2, Part 2.3 (first annual training refresh); CIP-004-5 R4, Parts 4.3 and 4.4 (first annual verifications)
• Within 7 years after the last PRA performed: CIP-004-5 R3, Part 3.5 (PRA renewal)
CIP-004-5 R1 Overview • Security Awareness Program • Reinforce cyber (and physical) security practices • Once each calendar quarter • High & Medium BESCS
CIP-004-5 R1 Audit Approach • Documented process covering all of R1 • Quarterly reinforcement • Evidence demonstrating: • Content • Delivery method
CIP-004-5 R1 Tips • Informational program reinforcing logical and physical security practices • Strong awareness programs leverage various content and content delivery methods • R1 applies to High and Medium BES Cyber Systems
CIP-004-5 R2 Overview • Cyber security training specific to roles, functions, responsibilities • Training content specified in Parts 2.1.1 – 2.1.9 • Train PRIOR to granting access (Part 2.2) • Refresh at least once each calendar year, not to exceed 15 calendar months between completions (Part 2.3) • High & Medium (w/ERC) BESCS + EACMS + PACS
CIP-004-5 R2 Audit Approach • Documented role-based training programs • e.g. Sys Admin vs. Operator vs. Security Guard • Does training cover 2.1.1 – 2.1.9? • Validate training prior to access • Compare dates • Validate annual refresh • Review controls in place to ensure timely delivery of training and annual refreshers
CIP-004-5 R2 Tips • You have flexibility to develop customized/personalized training program(s) • Don’t get too granular with role-based training • Not intended to be technical training • CIP Exceptional Circumstances – consider how it applies to your organization
Quiz Time!! • All programs and policies specified throughout CIP-004-5 require CIP Senior Manager approval. False
CIP-004-5 R3 Overview • Personnel risk assessment • Confirm identity • 7-year criminal history check • Process & criteria to evaluate results • PRAs for contractors & vendors • Renewal process
CIP-004-5 R3 Audit Approach • Documented PRA process – does it include: • Identity validation • 7-year criminal history • Supporting documentation if 7 years cannot be completed • Evaluation of results • Tracking PRA dates - initial & renewal • Evaluate controls in place to ensure timely completion, renewal, and tracking of PRAs
CIP-004-5 R3 Tips • Criteria or process to evaluate criminal history (3.3) is NEW – clearly identify criteria or evaluation process & associated outputs • Check that PRA dates are PRIOR to access granted dates • Be prepared to request PRA evidence from vendors & contractors • PRAs performed for v3 don’t need to be re-done for v5
CIP-004-5 R4 Overview • Access Management Program • Access authorization process covering: • Cyber • Physical • BES Cyber System Information • Quarterly verification of authorization • Annual verification of: • Privileges to BES Cyber Systems • Access to BES Cyber System Information
CIP-004-5 R4 Audit Approach • Documented access management program – does it address all aspects of 4.1 – 4.4, including deliverables? • Validate quarterly & annual reviews • Validate access grants against system records • Evaluate controls related to access list maintenance, and quarterly & annual reviews
CIP-004-5 R4 Tips • Quarterly reviews = compare individuals actually provisioned against authorization records • Annual review = more detailed to ensure least privilege is enabled • Work towards evolving beyond spreadsheets and paper forms • Continue tracking individuals and their role-based access rights • Consider separation of duties: provisioner vs. reviewer
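The R2 audit step "compare dates", the R3 tip "check that PRA dates are PRIOR to access granted dates", and the R4 quarterly and annual reviews above all come down to reconciling an authorization record against what is actually provisioned and against prerequisite dates. The script below is an added example, not part of the presentation and not a WECC tool; the record layout, the role-to-privilege model (ROLE_PRIVILEGES), the system name and all people in it are constructed sample data. It implements the quarterly comparison (provisioned vs. authorized, in both directions), the training/PRA-before-access check, and an annual least-privilege and PRA-age pass.

```python
"""Access reconciliation in the spirit of CIP-004-5 R2-R4 (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (person, system, description)


@dataclass(frozen=True)
class Authorization:
    """One row of the entity's access authorization record (constructed layout)."""
    person: str
    system: str
    privilege: str                    # e.g. "operator" or "admin"
    role: str                         # job role the authorization was granted for
    authorized_on: date               # date access was granted
    training_completed: Optional[date]  # Part 2.2: must precede access
    pra_completed: Optional[date]       # Part 3.4: must precede access


@dataclass(frozen=True)
class Provisioned:
    """One account as exported from the system itself (constructed layout)."""
    person: str
    system: str
    privilege: str


# Hypothetical role model: privileges each role is expected to need.
ROLE_PRIVILEGES: Dict[str, set] = {
    "operator": {"operator"},
    "sysadmin": {"operator", "admin"},
}


def quarterly_review(auths: List[Authorization],
                     prov: List[Provisioned]) -> Dict[str, list]:
    """Part 4.2: compare who is actually provisioned against who is authorized."""
    auth_keys = {(a.person, a.system, a.privilege) for a in auths}
    prov_keys = {(p.person, p.system, p.privilege) for p in prov}
    return {
        # access exists on the system with no authorization record: immediate finding
        "provisioned_without_authorization": sorted(prov_keys - auth_keys),
        # authorization never provisioned or already removed: stale record to clean up
        "authorized_but_not_provisioned": sorted(auth_keys - prov_keys),
    }


def prerequisite_check(auths: List[Authorization]) -> List[Finding]:
    """Parts 2.2 and 3.4: training and PRA must be completed before access is granted."""
    findings: List[Finding] = []
    for a in auths:
        if a.training_completed is None or a.training_completed > a.authorized_on:
            findings.append((a.person, a.system, "training not completed before access"))
        if a.pra_completed is None or a.pra_completed > a.authorized_on:
            findings.append((a.person, a.system, "PRA not completed before access"))
    return findings


def annual_review(auths: List[Authorization], as_of: date) -> List[Finding]:
    """Parts 4.3 and 3.5: privileges still fit the role; PRA renewed within 7 years."""
    findings: List[Finding] = []
    seven_years = timedelta(days=7 * 365)  # approximation of 7 calendar years
    for a in auths:
        if a.privilege not in ROLE_PRIVILEGES.get(a.role, set()):
            findings.append((a.person, a.system,
                             f"privilege '{a.privilege}' exceeds role '{a.role}'"))
        if a.pra_completed is not None and as_of - a.pra_completed > seven_years:
            findings.append((a.person, a.system, "PRA older than 7 years, renewal due"))
    return findings


# Constructed sample data: one High Impact system, four people.
AUTHORIZATIONS = [
    Authorization("alice", "ems-scada-01", "operator", "operator",
                  date(2016, 4, 1), date(2016, 3, 15), date(2016, 3, 1)),
    # bob's training record post-dates the access grant
    Authorization("bob", "ems-scada-01", "admin", "sysadmin",
                  date(2016, 4, 1), date(2016, 4, 10), date(2016, 3, 1)),
    # carol holds admin on an operator role and has a 2008 PRA
    Authorization("carol", "ems-scada-01", "admin", "operator",
                  date(2016, 4, 1), date(2016, 3, 20), date(2008, 1, 5)),
]
PROVISIONED = [
    Provisioned("alice", "ems-scada-01", "operator"),
    Provisioned("bob", "ems-scada-01", "admin"),
    Provisioned("dave", "ems-scada-01", "operator"),  # no authorization record at all
]
REVIEW_DATE = date(2016, 6, 30)


def run_all() -> Dict[str, object]:
    """Run the three checks over the sample data and return every finding."""
    return {
        "quarterly": quarterly_review(AUTHORIZATIONS, PROVISIONED),
        "prerequisites": prerequisite_check(AUTHORIZATIONS),
        "annual": annual_review(AUTHORIZATIONS, REVIEW_DATE),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Against the sample data the quarterly pass flags dave (provisioned, never authorized) and carol (authorized, not provisioned), the prerequisite pass flags bob's late training, and the annual pass flags carol twice (admin on an operator role, PRA past 7 years). Keep the provisioner who runs the export separate from the reviewer who signs off the findings, as the separation-of-duties tip above suggests.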
CIP-004-5 R5 Overview
• Documented access revocation process
• Terminations:
  • Initiate removal of the ability for unescorted physical access and Interactive Remote Access immediately, and complete within 24 hours (Part 5.1)
  • Revoke logical and physical access to designated storage locations for BES Cyber System Information by end of the next calendar day (Part 5.3)
  • Revoke non-shared user accounts within 30 calendar days (Part 5.4)
  • Change shared account passwords within 30 calendar days (Part 5.5)
• Transfers/Reassignments:
  • Revoke logical and physical access the individual no longer requires by end of the next calendar day after the entity determines it is no longer needed (Part 5.2)
  • Change shared account passwords within 30 calendar days (Part 5.5)
CIP-004-5 R5 Audit Approach • Processes for terminations and transfers/reassignments • Do the processes cover everything in Parts 5.1 through 5.5? • Do your processes point to procedures detailing how each action is carried out? • Proof of performance: records, lists, screenshots, tickets, emails, system reports, forms, etc.
CIP-004-5 R5 Tips • Define the start trigger for the termination/transfer process (the clock for the 24-hour, next-calendar-day, and 30-day windows runs from it) • Read Part 5.1 carefully – deliberate wording. Document how you define "ability to access" • NEW – designated storage locations, whether physical or electronic, for BES Cyber System Information – identify and document them • NEW – extenuating operating circumstances (changing shared account passwords, Part 5.5) – define, document, and track them • Part 5.5 only applies to High Impact BES Cyber Systems and their associated EACMS • Workflow diagrams are an auditor's best friend
Resources, References, & Light Reading • NERC v3 to v5 mapping document (pp. 8-11) • FERC Order 791 (pp. 15-16) • 2011 v5 SDT Presentation (pp. 36-46)
Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security O: 801.819.7691 M: 801.837.8425 bcarr@wecc.biz Questions?