Rich Powell Director, CIP Compliance JEA
Agenda:
Review access control requirements: CIP-003 and CIP-007
Discuss compliance considerations
Implementation strategies
Hints/tips for audit presentation

Account control requirements: CIP-003 R5, CIP-007 R5
Compliance considerations: what to look for, potential issues, best practices
Implementation best practices
Hints/tips for audit presentation
CIP-003 R5. Access Control
The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
R5.2. The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information.
Ensure you cover:
Describe the process used to maintain the list of personnel responsible for authorizing access to CCAI.
Present your list of authorizers and the CCAI they are responsible for.
How are authorized access privileges granted to protected information pertaining to CCAs documented?
Describe the process used to ensure the access privileges granted to protected information pertaining to CCAs are reviewed annually.
Do you have specific training for personnel who have logical/physical access to protected information?
Present the latest assessment of your information protection processes.
Beware:
The list of authorizers should clearly show the information they are authorizing access to.
The review of the list of personnel authorizing access to protected information may not occur in a timely manner.
The annual review is incomplete if it does not take into account roles and responsibilities.
The processes for controlling access to protected information are poorly documented or not documented at all.
Tips:
Provide documentation that shows all protected information has Authorizers and that the list is reviewed annually.
Prepare a list or spreadsheet that shows who authorizes what, where the information is, and the format (physical, logical, electronic, AD groups, SharePoint, etc.).
Document processes for controlling access to protected information. A process may include provisions for storing protected information in a specified location.
Annually assess the process and make any necessary changes.
Combine adherence to the program, verifying Authorizers, confirming access privileges and reviewing the processes for granting privileges into one task.
Create a workflow for the review of the access control processes.
Develop an assessment methodology that includes test steps for all aspects of the information protection program. Test to ensure that all CCAI is identified, that CCAI is properly labeled, and that it is stored in accordance with the information protection program.
Wherever a review process is used, the approval function (with or without signature) should always include the date, the specific name and title of the person reviewing the process/list/function, and descriptive wording that demonstrates compliance. For example: "I, John Jones, authorizer for access to CCAI, have reviewed on date the access privileges for everyone I have authorized to access CCAI and verified that each individual's access matches their roles and responsibilities."
Provide corrective actions for any deficiencies found during the assessment.
CIP-007 R5. Account Management
The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
R5.1. The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of need to know with respect to work functions performed.
R5.1.1. The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003-3 Requirement R5.
R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
R5.1.3. The Responsible Entity shall review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP-003-3 Requirement R5 and Standard CIP-004-3 Requirement R4.
R5.2. The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.
R5.2.1. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.
R5.2.2. The Responsible Entity shall identify those individuals with access to shared accounts.
R5.2.3. Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).
Ensure you cover:
Is the account management process consistent with deny-by-default and need-to-know concepts?
Implementing user accounts.
Minimizing the use of administrator, shared and generic accounts.
Approval process for user and shared accounts.
Managing shared account access.
Review process for user and shared accounts.
Beware:
Use group permissions whenever possible, but clearly define the group requirements and permissions based on the specific roles related to the individual's duties.
The approval process is not clear, or permissions don't match "need to know" for each individual.
The review needs to include the account privileges, not just that some access is still needed; make sure the privileges match the owner's role.
Local accounts are not always required on each system. Some accounts, like root on UNIX systems, can be overlooked. Local accounts must be listed individually by system.
Include the disabling or default password change for shared accounts in the change procedures and the asset on-boarding procedure as well as in the policy.
Shared accounts do not get their passwords changed within the appropriate time frame. Passwords must be changed when individuals with access to shared account passwords are terminated.
Tips:
Provide a robust method for tracking user accounts, user access and user privileges. Include the user's name, accounts, access permissions, approver, date granted, date revoked and date reviewed.
Define the privileges for each role and review the role for each user.
Provide reporting procedures for extracting the information auditors will expect: all accounts for a user; changes to access control lists, with justification.
Track shared accounts and the users with access in a spreadsheet or database.
Use a tracking spreadsheet to verify that all local accounts were reviewed.
Develop audit trail logs that will identify the individual that used the shared account.
Provide clear procedures for evaluating when accounts can be disabled or deleted and when accounts must remain enabled. Track the disabled or deleted accounts.
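The checks an annual account review has to make (every local account on the tracker, review date within a year, privileges matching the role rather than merely "still needed", shared-account passwords changed after a member's termination) can be scripted against the tracking spreadsheet. The example below is added here and is not JEA's tooling or part of the presentation; all data (system names, users, dates) is constructed, and the tracker is assumed to have been exported to the dict rows shown.

```python
from datetime import date, timedelta

# Constructed sample data (not from the presentation); fields follow the slide's tracker.
ROLE_PERMS = {"operator": {"view", "control"}, "viewer": {"view"}}
TRACKER = [
    {"user": "jjones", "account": "jjones", "system": "ems-hmi-01", "role": "operator",
     "perms": {"view", "control"}, "approver": "A. Smith", "granted": date(2010, 3, 1),
     "revoked": None, "reviewed": date(2011, 2, 15)},
    {"user": "mlee", "account": "mlee", "system": "ems-hmi-01", "role": "viewer",
     "perms": {"view", "control"}, "approver": "A. Smith", "granted": date(2010, 6, 1),
     "revoked": None, "reviewed": date(2009, 12, 1)},
]
# Shared accounts: who holds the password and when it was last changed (CIP-007 R5.2.2/R5.2.3).
SHARED = [{"account": "root", "system": "ems-hmi-01", "members": {"jjones", "tgone"},
           "password_changed": date(2010, 9, 1)}]
TERMINATIONS = {"tgone": date(2010, 10, 5)}          # user -> termination date
# Accounts actually present on each system (e.g. exported from /etc/passwd).
SYSTEM_ACCOUNTS = {"ems-hmi-01": {"jjones", "mlee", "root", "svc_hist"}}


def review_findings(today_iso, tracker=TRACKER, shared=SHARED,
                    terminations=TERMINATIONS, system_accounts=SYSTEM_ACCOUNTS):
    """Return sorted finding strings for the annual account review as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings = []
    active = [r for r in tracker if r["revoked"] is None]
    known = {(r["system"], r["account"]) for r in active}
    known |= {(s["system"], s["account"]) for s in shared}
    # 1. Every local account on the system must appear on the tracker (per system, incl. root).
    for system, accounts in system_accounts.items():
        for acct in sorted(accounts - {a for s, a in known if s == system}):
            findings.append(f"UNTRACKED {system}:{acct}")
    for r in active:
        key = f"{r['system']}:{r['account']}"
        # 2. Reviewed within the last year (CIP-007 R5.1.3).
        if today - r["reviewed"] > timedelta(days=365):
            findings.append(f"REVIEW-OVERDUE {key} last reviewed {r['reviewed']}")
        # 3. Privileges must match the role, not merely "some access is still needed".
        if r["perms"] != ROLE_PERMS[r["role"]]:
            extra = sorted(r["perms"] - ROLE_PERMS[r["role"]])
            findings.append(f"PRIV-MISMATCH {key} role {r['role']} has extra {extra}")
    # 4. A shared-account password must have been changed after any member's termination.
    for s in shared:
        for member in sorted(s["members"]):
            term = terminations.get(member)
            if term and s["password_changed"] < term:
                findings.append(f"SHARED-PW-STALE {s['system']}:{s['account']} "
                                f"member {member} terminated {term}")
    return sorted(findings)
```

Each finding line is the corrective-action item the slide asks you to track, so the output of a run doubles as the review evidence for that date.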
Implementation strategies:
Start from the top.
Re-use processes.
Combine tasks where possible.
Consider audit when creating documents.

Document the list of approvers at a high level (e.g. in the Cyber Security Policy).
Use a consistent identification method.
Combine review requirements.

Automation or re-use increases confidence.
Access control: designate a system of record; single process; integrate access prerequisites; combine logical and physical.
Advantages: set and forget; fewer systems to maintain; easier culture change; easier to audit.
Daily operations
Access control
Annual review
Cyber Security Policy (CIP-003 R5.1, CIP-007 R5.1.1)
Access Control Procedure (CIP-003 R5, CIP-004 R4, CIP-007 R5)
Cyber Incident Response Exercise (CIP-007 R5.1.3)
Cyber Vulnerability Assessment (CIP-007 R5.2.1)
Process maps speed understanding of procedures (see next page for example).
Walk the evidence.
Clearly show the compliance logic.
Increases ease of adoption.
Present evidence documenting the workflow:
Approved authorizers
Responsibilities
Access control lists
Lists for the audit period: new hires, transfers, terminations (specifically identify if any are for cause)
Process Description: IDM Access Request
Process customer: CCA, Oracle, CC&B, Maximo, Linux, Folders, ...
Valid requirements: Access Request; Dept./System/Group
Swimlanes: Employee; Manager/Delegate; IDM; Human Resources; Business Analyst; USD
Notes on the map: A background check is done when access is requested to a CIP resource; background checks are required every 7 years. Security training is required when access is requested to a CIP resource; training is due every 365 days.
Flow (as read from the process map):
1. Start: Employee requests access to a resource.
2. Manager/Delegate approves the request.
3. Critical Cyber Asset access? If No, continue at step 6.
4. Background check complete? If No, email request sent to HR to obtain a background check.
5. Security training complete? If No, email sent to employee to complete security training.
6. Business Analyst approval required? If Yes, email to Business Analyst requesting approval; Business Analyst approval Yes/No.
7. Email request sent to resource owner.
8. Access request approved? If No, denial email sent to manager and employee; Stop.
9. If Yes, access granted. USD ticket created for manual access; employee and manager notified by email; process complete; USD ticket created and closed; Stop.
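The decision points on the map (manager approval, the 7-year background check and 365-day training prerequisites for CIP resources, Business Analyst and resource-owner approval, manual versus closed USD ticket) can be encoded so every request is evaluated the same way and the notification it triggers is recorded. This is an added example, not JEA's IDM implementation; the request fields, the sample request and the branch order are assumptions taken from the map as reconstructed above.

```python
from datetime import date, timedelta

BACKGROUND_CHECK_VALID = timedelta(days=7 * 365)  # map: background check every 7 years
TRAINING_VALID = timedelta(days=365)              # map: training due every 365 days


def evaluate_request(req, today_iso):
    """Walk one request through the IDM flow; return (state, notifications sent)."""
    today = date.fromisoformat(today_iso)
    if not req["manager_approved"]:
        return "denied", ["Denial email sent to manager and employee"]
    if req["cip_resource"]:
        # Prerequisites are settled before any approver is asked, so an unqualified
        # request never reaches the resource owner ("integrate access prerequisites").
        pending = []
        bg = req.get("background_check")  # ISO date of last check, or None
        if bg is None or today - date.fromisoformat(bg) > BACKGROUND_CHECK_VALID:
            pending.append("Email request to HR to obtain background check")
        tr = req.get("security_training")  # ISO date of last training, or None
        if tr is None or today - date.fromisoformat(tr) > TRAINING_VALID:
            pending.append("Email sent to employee to complete security training")
        if pending:
            return "pending", pending
    if req["ba_approval_required"]:
        if req.get("ba_approved") is None:
            return "pending", ["Email to Business Analyst requesting approval"]
        if not req["ba_approved"]:
            return "denied", ["Denial email sent to manager and employee"]
    if req.get("owner_approved") is None:
        return "pending", ["Email request sent to resource owner"]
    if not req["owner_approved"]:
        return "denied", ["Denial email sent to manager and employee"]
    ticket = ("USD ticket created for manual access" if req["manual_provisioning"]
              else "USD ticket created and closed")
    return "granted", ["Access granted", ticket, "Employee and manager notified by email"]


# Constructed sample request: a CIP resource whose training lapsed more than a year ago.
SAMPLE = {"manager_approved": True, "cip_resource": True,
          "background_check": "2006-01-10", "security_training": "2009-05-01",
          "ba_approval_required": False, "owner_approved": True,
          "manual_provisioning": True}
```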
Questions?