Rich Powell, Director, CIP Compliance, JEA


Agenda:
- Review the access control requirements in CIP-003 and CIP-007
- Discuss compliance considerations
- Implementation strategies
- Hints/tips for audit presentation

Account control requirements: CIP-003 R5 and CIP-007 R5
Compliance considerations: what to look for, potential issues, best practices
Implementation best practices
Hints/tips for audit presentation

CIP-003 R5. Access Control. The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
R5.2. The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information.

Ensure you cover:
- Describe the process used to maintain the list of personnel responsible for authorizing access to Critical Cyber Asset Information (CCAI).
- Present your list of authorizers and the CCAI each is responsible for.
- How are authorized access privileges granted to protected information pertaining to CCAs documented?
- Describe the process used to ensure the access privileges granted to protected information pertaining to CCAs are reviewed annually.
- Do you have specific training for personnel who have logical/physical access to protected information?
- Present the latest assessment of your information protection processes.

Beware:
- The list of authorizers should clearly show the information they are authorizing access to.
- The review of the list of personnel responsible for authorizing access to protected information may not occur in a timely manner.
- An annual review is incomplete if it does not take into account roles and responsibilities.
- The processes for controlling access to protected information are poorly documented or not documented at all.

Tips:
- Provide documentation that shows all protected information has authorizers and that the list is reviewed annually.
- Prepare a list or spreadsheet that shows who authorizes what, where the information is, and its format (physical, logical, electronic, AD groups, SharePoint, etc.).
- Document the processes for controlling access to protected information. A process may include provisions for storing protected information in a specified location.
- Annually assess the process and make any necessary changes.
- Combine adherence to the program, verifying authorizers, confirming access privileges and reviewing the processes for granting privileges into one task.
- Create a workflow for the review of the access control processes.
- Develop an assessment methodology that includes test steps for all aspects of the information protection program. Test to ensure that all CCAI is identified, that CCAI is properly labeled, and that it is stored in accordance with the information protection program.
- Wherever a review process is used, the approval function (with or without signature) should always include the date, the specific name and title of the person reviewing the process/list/function, and descriptive wording that demonstrates compliance. For example: "I, John Jones, authorizer for access to CCAI, have reviewed on <date> the access privileges for everyone I have authorized to access CCAI and verified that each individual's access matches their roles and responsibilities."
- Provide corrective actions for any deficiencies found during the assessment.

CIP-007 R5. Account Management. The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
R5.1. The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of "need to know" with respect to work functions performed.
R5.1.1. The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003-3 Requirement R5.
R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
R5.1.3. The Responsible Entity shall review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP-003-3 Requirement R5 and Standard CIP-004-3 Requirement R4.
R5.2. The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.
R5.2.1. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.
R5.2.2. The Responsible Entity shall identify those individuals with access to shared accounts.
R5.2.3. Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).

Ensure you cover:
- Is the account management process consistent with deny-by-default and need-to-know concepts?
- Implementing user accounts
- Minimizing the use of administrator, shared and generic accounts
- Approval process for user and shared accounts
- Managing shared account access
- Review process for user and shared accounts

Beware:
- Use group permissions whenever possible, but clearly define the group requirements; base permissions on specific roles related to the individual's duties.
- The approval process is not clear, or permissions don't match "need to know" for each individual.
- The review needs to include the account privileges, not just whether some access is still needed; make sure the privileges match the owner's role.
- Local accounts are not always required on each system. Some accounts, like root on UNIX systems, can be overlooked. Local accounts must be listed individually by system.
- Include the disabling or default password change for shared accounts in the change procedures and the asset on-boarding procedure, as well as in the policy.
- Shared accounts do not get their passwords changed within the appropriate time frame.
- Passwords must be changed when individuals with access to shared account passwords are terminated.

Tips:
- Provide a robust method for tracking user accounts, user access and user privileges. Include the user's name, accounts, access permissions, approver, date granted, date revoked and date reviewed.
- Define the privileges for each role and review the role for each user.
- Provide reporting procedures for extracting the information auditors will expect: all accounts for a user; changes to access control lists, with justification.
- Track shared accounts and the users with access in a spreadsheet or database.
- Use a tracking spreadsheet to verify that all local accounts were reviewed.
- Develop audit trail logs that will identify the individual who used the shared account.
- Provide clear procedures for evaluating when accounts can be disabled or deleted and when accounts must remain enabled.
- Track the disabled or deleted accounts.
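The tracking spreadsheet described in the tips above (and the annual privilege review under CIP-003 R5) can be checked mechanically rather than by eye: enumerate the accounts actually present on each system and reconcile them against the register of approvals, shared accounts and terminations. The Python below is an added example written for this page, not code from the presentation or from JEA. The host name scada-hist-01, the /etc/passwd lines, the people, approvers and dates are all constructed, and treating "at least annually" as a 365-day interval is an assumption. It flags the failure modes the "Beware" lists call out: an interactive local account (root included) with no record in the register, a revoked approval whose account still exists, a review older than a year, and a shared account whose password was not changed after a member left.

```python
"""Reconcile accounts present on a system against an access-tracking register.
Added example, not from the presentation or JEA; every host, person and date
below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 365  # assumption: "at least annually" checked as 365 days
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

@dataclass(frozen=True)
class Approval:  # one row of the tracking spreadsheet the tips describe
    user: str
    account: str
    system: str
    privileges: str
    approver: str
    granted: date
    reviewed: date
    revoked: Optional[date] = None

@dataclass(frozen=True)
class SharedAccount:  # shared/generic account, who knows its password, last rotation
    account: str
    system: str
    members: tuple
    password_changed: date

def parse_passwd(text):
    """Return (account, shell) for each well-formed /etc/passwd line."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        accounts.append((fields[0], fields[6]))
    return accounts

def reconcile(system, passwd_text, approvals, shared_accounts, terminations, as_of):
    """Return (code, account, detail) findings for one system."""
    findings = []
    present = dict(parse_passwd(passwd_text))
    on_system = [a for a in approvals if a.system == system]
    known = {a.account for a in on_system}
    shared = {s.account: s for s in shared_accounts if s.system == system}

    # Every interactive local account, root included, must be in the register.
    for name, shell in present.items():
        if shell not in NON_INTERACTIVE_SHELLS and name not in known and name not in shared:
            findings.append(("UNAPPROVED", name, "no approval or shared-account record"))

    for a in on_system:
        if a.revoked is not None:
            if a.account in present:  # revocation recorded but account never removed
                findings.append(("REVOKED_STILL_PRESENT", a.account, f"revoked {a.revoked}"))
        elif (as_of - a.reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(("REVIEW_OVERDUE", a.account, f"last reviewed {a.reviewed}"))

    # A terminated member must be dropped and the password changed on/after that date.
    for s in shared.values():
        for member in s.members:
            term = terminations.get(member)
            if term is None:
                continue
            findings.append(("SHARED_MEMBER_TERMINATED", s.account, f"{member} left {term}"))
            if s.password_changed < term:
                findings.append(("SHARED_PW_NOT_ROTATED", s.account,
                                 f"password changed {s.password_changed}, before {term}"))
    return findings

# Constructed sample data: hypothetical host, people and dates.
SAMPLE_SYSTEM = "scada-hist-01"
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jjones:x:1001:1001:John Jones:/home/jjones:/bin/bash
msmith:x:1002:1002:Mary Smith:/home/msmith:/bin/bash
tbrown:x:1003:1003:Tom Brown:/home/tbrown:/bin/bash
opsadmin:x:1004:1004:Operations shared:/home/opsadmin:/bin/bash
svcbackup:x:1005:1005:Backup service:/var/backups:/bin/bash
"""
SAMPLE_APPROVALS = [
    Approval("John Jones", "jjones", SAMPLE_SYSTEM, "operator", "A. Approver",
             date(2015, 1, 10), date(2015, 6, 1)),
    Approval("Mary Smith", "msmith", SAMPLE_SYSTEM, "operator", "A. Approver",
             date(2013, 9, 2), date(2014, 3, 1)),  # last review over a year ago
    Approval("Tom Brown", "tbrown", SAMPLE_SYSTEM, "admin", "A. Approver",
             date(2014, 2, 3), date(2015, 2, 3), revoked=date(2015, 5, 1)),
]
SAMPLE_SHARED = [
    SharedAccount("root", SAMPLE_SYSTEM, ("jjones", "msmith"), date(2015, 2, 1)),
    SharedAccount("opsadmin", SAMPLE_SYSTEM, ("jjones", "tbrown"), date(2015, 4, 1)),
]
SAMPLE_TERMINATIONS = {"tbrown": date(2015, 5, 1)}
AS_OF = date(2015, 7, 1)

def run_sample():
    return reconcile(SAMPLE_SYSTEM, SAMPLE_PASSWD, SAMPLE_APPROVALS,
                     SAMPLE_SHARED, SAMPLE_TERMINATIONS, AS_OF)

if __name__ == "__main__":
    for code, account, detail in run_sample():
        print(f"{code:24} {account:10} {detail}")
```

Run per system with that system's own /etc/passwd (or the equivalent local account export) so that local accounts are reviewed individually by system, as the "Beware" list requires. The five findings the sample produces are exactly the ones an auditor would ask about: svcbackup has no approval, tbrown's account survived its revocation, msmith's review is overdue, and opsadmin still lists a terminated member and was not re-keyed after that termination. Keep the register as the system of record and the output as the evidence of the review, dated and attributed to the reviewer.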

Implementation strategies:
- Start from the top
- Re-use processes
- Combine tasks where possible
- Consider the audit when creating documents

- Document the list of approvers at a high level (e.g. in the Cyber Security Policy)
- Use a consistent identification method
- Combine review requirements

Automation or re-use increases confidence.

Access control:
- Designate a system of record
- Single process
- Integrate access prerequisites
- Combine logical and physical access

Advantages:
- Set and forget
- Fewer systems to maintain
- Easier culture change
- Easier to audit

Daily operations:
- Access control

Annual review:
- Cyber Security Policy (CIP-003 R5.1, CIP-007 R5.1.1)
- Access Control Procedure (CIP-003 R5, CIP-004 R4, CIP-007 R5)
- Cyber Incident Response Exercise (CIP-007 R5.1.3)
- Cyber Vulnerability Assessment (CIP-007 R5.2.1)

Process maps speed understanding of procedures (see the example on the next page):
- Walk the evidence
- Clearly show the compliance logic
- Increases ease of adoption

Present evidence documenting the workflow:
- Approved authorizers and their responsibilities
- Access control lists
- Lists for the audit period: new hires, transfers, terminations (specifically identify any that are for cause)

Process map example (reconstructed from the labels of the original swimlane flowchart):

Process: IDM Access Request
Process customers: CCA, Oracle, CC&B, Maximo, Linux, Folders, ...
Valid requirements: access request by department / system / group
Swimlanes: Employee, Manager/Delegate, Human Resources, Business Analyst, Resource Owner, IDM, USD

1. Start: the employee requests access to a resource.
2. The manager (or delegate) approves or denies the request.
3. If the request is for Critical Cyber Asset access (a CIP resource):
   - A background check is required when access is requested and every 7 years thereafter. If no current background check is complete, an email request is sent to HR to obtain one.
   - Security training is required when access is requested and is due every 365 days. If it is not complete, an email is sent to the employee to complete the training.
4. If Business Analyst approval is required, an email requesting approval is sent to the Business Analyst.
5. The email request is sent to the resource owner.
6. If the access request is not approved, a denial email is sent to the manager and employee, and the process stops.
7. If approved, access is granted: a USD ticket is created and closed (or, for manual access, a USD ticket is created for fulfillment), the employee and manager are notified by email, and the process is complete.

Questions?