August 28, 2013

CIP Compliance with CARE

Standards CIP-002 through CIP-007 are intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. These standards should be read as part of the group of standards CIP-002 through CIP-009.

CIP-002 - Critical Cyber Asset Identification

This CIP requirement states that responsible entities must identify and document the critical cyber assets associated with the critical assets that support the reliable operation of the Bulk Electric System using a risk-based assessment methodology.

CIP-002 Requirements

  • Develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset.
  • Review this list at least annually and update it as necessary.

How does CARE help?

CARE enables organizations to prioritize compliance activities and focus controls on the users, Critical Cyber Assets and associated access privileges that represent the greatest potential risk to these assets:

  • Provides a centralized authoritative source of IT assets (systems, applications, databases, directories, file shares, etc.) that are classified as essential to the operation of the critical asset.
  • Delivers extensive reporting capabilities to streamline and automate the annual review of access to many of the critical assets and critical cyber assets so that proof of compliance can be confidently provided to auditors.

CIP-003 - Security Management Controls

CIP-003 requires responsible entities to have minimum security management controls in place to protect critical cyber assets with a focus on strong access controls and the documentation and implementation of a strong access control program to protect the Critical Cyber Asset information.

CIP-003 Requirements

  • Maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
  • Review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Entity’s needs and appropriate personnel roles and responsibilities.
  • Assess and document at least annually the process for controlling access privileges to protected information.

How does CARE help?

CARE integrates access certification, policy enforcement, and activity monitoring capabilities and automates the common auditing, reporting and management activities required by NERC:

  • Provides a centralized authoritative source of access and identity data with on-demand visibility into all workers with access to protected information.
  • Automates the periodic review of worker access privileges by managers and application/data owners to confirm they are correct; enables high-risk cyber assets to be reviewed more frequently, quarterly or even monthly.
  • Enforces role-based access control to ensure that worker access privileges align with personnel roles and responsibilities.
  • Automates the enforcement of enterprise-wide access policies, including separation-of-duties (SoD) policies to reduce risk within the enterprise.
  • Integrates with existing provisioning systems to automate the remediation of inappropriate access privileges; provides closed-loop auditing to ensure revocations occur on a timely basis.
  • Provides extensive reporting capabilities to enable self-assessment and provide proof of compliance to auditors.

CIP-004 - Personnel and Training

CIP-004 requires organizations to maintain an access list detailing all personnel who have authorized cyber or authorized unescorted physical access to critical cyber assets, including contractors and service vendors.

CIP-004 Requirements

Maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to those assets.

How does CARE help?

CARE delivers complete visibility into which workers have logical and physical access to protected data and applications:

  • Collects, centralizes, and analyzes access data from sources all across the enterprise and establishes critical linkages between a user’s identity, access privileges, and job duties.
  • Provides extensive reporting capabilities to enable self-assessment and provide proof of compliance to auditors.

CIP-005 - Electronic Security Perimeter(s)

CIP-005 requires the identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter. In addition, it states that the responsible entity should implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter(s).

CIP-005 Requirements

  • Implement an access control model that denies access by default, such that explicit access permissions must be specified.
  • Where external interactive access into the Electronic Security Perimeter has been enabled, implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
  • Document, identify and describe the process for access request and authorization, the authentication methods, and the review process for authorization rights in accordance with CIP-004 R4.

How does CARE help?

CARE offers access request management, role management, and policy enforcement capabilities:

  • Provides complete visibility into the access control models for each cyber asset, including roles and fine-grained entitlements, allowing for the regular verification of strong controls.
  • Centralizes and automates the access request and authorization process across the organization.
  • Determines necessary authorizations and approvals based on configurable rules for evaluating access requests.
  • Enforces access policies during the access request process, either denying the request or requiring higher-level authorization when policy violations are detected.
  • Logs all requests and actions by each approver in the system, providing a complete and auditable record of who requested access to which systems and who approved or denied the request.
  • Provides extensive reporting capabilities to enable self-assessment and provide proof of compliance to auditors.

CIP-006 - Physical Security

CIP-006 is focused on the implementation of a physical security program for the protection of critical cyber assets. It requires the responsible entity to create and maintain a physical security plan, approved by a senior manager or delegate(s).

CIP-006 Requirements

Procedures for reviewing physical access authorization requests and revocation of access authorization, in accordance with CIP-004.

How does CARE help?

CARE centralizes and automates the access request and authorization process across the organization, including processes for granting and approving physical access:

  • Determines necessary authorizations and approvals based on configurable rules for evaluating access requests.
  • Enforces access policies during the physical access request process, either denying the request or requiring higher-level authorization when policy violations are detected.
  • Logs all requests and actions by each approver in the system, providing a complete and auditable record of who requested physical access and who approved or denied the request.
  • Provides extensive reporting capabilities to enable self-assessment and provide proof of compliance to auditors.

CIP-007 - Electronic Security Perimeter(s)

CIP-007 requires responsible entities to define methods, processes, and procedures for securing the systems determined to be critical cyber assets, as well as the non-critical cyber assets within the electronic security perimeter(s).

CIP-007 Requirements

  • Ensure that individual and shared system accounts and access permissions are consistent with the concept of “need to know” with respect to work functions performed.
  • Ensure that user accounts are implemented as approved by designated personnel.
  • Establish methods, processes and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
  • Review, at least annually, user accounts to verify access privileges are in accordance with CIP-003 R5 and CIP-004 R4.
  • Implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.

How does CARE help?

CARE provides visibility and an accurate, automated review process to ensure that worker access privileges align with job functions:

  • Detects and flags privileges that exceed or do not match a user’s role.
  • Logs requests and actions by approvers to provide a complete and auditable record of who requested access to which systems, and who approved or denied the request.
  • Tracks and manages all shared accounts, such as administrative or service accounts.
  • Automates the periodic review and approval of administrator, shared, and other generic accounts by designated owners; tracks and reports on the number of these types of accounts by cyber asset.
  • Provides extensive reporting capabilities to enable self-assessment and provide proof of compliance to auditors.
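As an added illustration of the checks a periodic access review under CIP-003 and CIP-007 performs (example code, not CARE's own; the role names, entitlement strings and account records are constructed for the example), a small routine that flags entitlements beyond a role's need-to-know baseline, separation-of-duties conflicts, accounts without an approval record, shared accounts without an owner, and accounts whose annual review is overdue:

```python
from datetime import date

# Constructed role baselines (hypothetical entitlement names): the "need to
# know" set each job function is allowed to hold.
ROLE_BASELINE = {
    "ems_operator": {"ems:read", "ems:control"},
    "ems_admin": {"ems:read", "ems:control", "ems:admin", "ems:config"},
}
# Constructed separation-of-duties rule: an account may not hold an
# entitlement from both sides of a pair.
SOD_RULES = [({"ems:config"}, {"logs:admin"})]
REVIEW_DATE = date(2013, 8, 28)  # constructed review date for the example

# Constructed account records, as an access-data collector might export them.
ACCOUNTS = [
    {"account": "jdoe", "role": "ems_operator", "approved_by": "ops_manager",
     "entitlements": {"ems:read", "ems:control"}, "last_review": date(2013, 3, 1)},
    {"account": "asmith", "role": "ems_operator", "approved_by": "ops_manager",
     "entitlements": {"ems:read", "ems:control", "ems:config"},
     "last_review": date(2012, 6, 15)},
    {"account": "svc_hist", "role": "ems_admin", "shared": True, "owner": None,
     "approved_by": None, "entitlements": {"ems:config", "logs:admin"},
     "last_review": date(2013, 1, 10)},
]

def excess_privileges(acct):
    """Entitlements the account holds beyond its role baseline."""
    return acct["entitlements"] - ROLE_BASELINE.get(acct["role"], set())

def sod_violations(acct):
    """SoD rules the account violates, as (left, right) entitlement sets."""
    ents = acct["entitlements"]
    return [(lhs, rhs) for lhs, rhs in SOD_RULES if ents & lhs and ents & rhs]

def review_accounts(accounts, today, max_age_days=365):
    """Run the periodic review; return (account, finding) tuples for the auditor."""
    findings = []
    for a in accounts:
        name = a["account"]
        for e in sorted(excess_privileges(a)):
            findings.append((name, f"excess_privilege:{e}"))
        for lhs, rhs in sod_violations(a):
            findings.append((name, f"sod_violation:{'|'.join(sorted(lhs))}<>{'|'.join(sorted(rhs))}"))
        if not a.get("approved_by"):  # account must be approved by designated personnel
            findings.append((name, "no_approval_record"))
        if a.get("shared") and not a.get("owner"):  # shared/generic account needs an owner
            findings.append((name, "shared_account_without_owner"))
        last = a.get("last_review")
        if last is None or (today - last).days > max_age_days:  # annual review overdue
            findings.append((name, "review_overdue"))
    return findings
```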