Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
CIP-004-5 Personnel & Training
May 14, 2014
CIP v5 Roadshow – Salt Lake City, UT
Agenda
• Applicability
• Implementation
• CIP-004-5 R1-R5
  o Overview
  o Audit Approach
  o Tips
Compliance is like an onion…
Positives:
  o Important ingredient in the stew of reliability
  o Adds flavor to an organization
  o Improves overall health of the BES
  o Peel back layers of evidence
Negatives:
  o It stinks
  o Makes people cry
  o Known to aggravate certain medical conditions
  o Causes indigestion
  o Can be dry
  o Known to cause shock
Goal
Communicate WECC's audit approach for each Requirement of CIP-004-5.
CIP-004-5 Purpose
"To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems."
Policy, Program, Process, Procedure…
Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure.
CIP-004-5 Extreme Acronyms
• HIBESCS
• MIBESCS
• HIBESCSATAEACMSAPACS
• HIBESCSATAEACMS
• MIBESCSWERCATAEACMSAPACS
CIP-004-5 Applicability
• HIBESCS
  o High Impact BES Cyber Systems (R1)
• MIBESCS
  o Medium Impact BES Cyber Systems (R1)
• HIBESCSATAEACMSAPACS
  o High Impact BES Cyber Systems and their associated EACMS and PACS (R2-R5 except Part 5.5)
• HIBESCSATAEACMS
  o High Impact BES Cyber Systems and their associated EACMS (Part 5.5 only)
• MIBESCSWERCATAEACMSAPACS
  o Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PACS (R2-R5 except Part 5.5)
CIP-004-5 Implementation
• By April 1, 2016:
  o CIP-004-5 R1-R5, except as noted below…
• On or before July 1, 2016:
  o CIP-004-5 R4, Part 4.2
• On or before April 1, 2017:
  o CIP-004-5 R2, Part 2.3
  o CIP-004-5 R4, Part 4.3 and Part 4.4
• Within 7 years after the last PRA performed:
  o CIP-004-5 R3, Part 3.5
CIP-004-5 R1 Overview
• Security Awareness Program
  o Reinforce cyber (and physical) security practices
  o Once each calendar quarter
• High & Medium BESCS
CIP-004-5 R1 Audit Approach
• Documented process covering all of R1
• Quarterly reinforcement
• Evidence demonstrating:
  o Content
  o Delivery method
CIP-004-5 R1 Tips
• Informational program reinforcing logical and physical security practices
• Strong awareness programs leverage various content and content delivery methods
• R1 applies to High and Medium BES Cyber Systems
CIP-004-5 R2 Overview
• Cyber security training specific to roles, functions, and responsibilities
  o Training content specified in Parts 2.1.1 – 2.1.9
  o Train PRIOR to granting access
  o Refresh at least once each calendar year, not to exceed 15 calendar months between sessions
• High & Medium (w/ERC) BESCS + EACMS + PACS
Training
CIP-004-5 R2 Audit Approach
• Documented role-based training programs
  o e.g. Sys Admin vs. Operator vs. Security Guard
• Does training cover Parts 2.1.1 – 2.1.9?
• Validate training prior to access
  o Compare dates
• Validate annual refresh
• Review controls in place to ensure timely delivery of training and annual refreshers
CIP-004-5 R2 Tips
• You have flexibility to develop customized/personalized training program(s)
• Don't get too granular with role-based training
• Not intended to be technical training
• CIP Exceptional Circumstances – consider how they apply to your organization
Quiz Time!!
• All programs and policies specified throughout CIP-004-5 require CIP Senior Manager approval.
Answer: False
CIP-004-5 R3 Overview
• Personnel risk assessment
  o Confirm identity
  o 7-year criminal history check
  o Process & criteria to evaluate results
  o PRAs for contractors & vendors
  o Renewal process
Personnel Risk Assessment
CIP-004-5 R3 Audit Approach
• Documented PRA process – does it include:
  o Identity validation
  o 7-year criminal history
  o Supporting documentation if 7 years cannot be completed
  o Evaluation of results
• Tracking PRA dates – initial & renewal
• Evaluate controls in place to ensure timely completion, renewal, and tracking of PRAs
CIP-004-5 R3 Tips
• Criteria or process to evaluate criminal history (Part 3.3) is NEW – clearly identify the criteria or evaluation process & associated outputs
• Check that PRA dates are PRIOR to access granted dates
• Be prepared to request PRA evidence from vendors & contractors
• PRAs performed for v3 don't need to be redone for v5
CIP-004-5 R4 Overview
• Access Management Program
  o Access authorization process covering:
    ▪ Cyber (electronic access)
    ▪ Physical
    ▪ BES Cyber System Information
  o Quarterly verification of authorization
  o Annual verification of:
    ▪ Privileges to BES Cyber Systems
    ▪ Access to BES Cyber System Information
Access Management
CIP-004-5 R4 Audit Approach
• Documented access management program – does it address all aspects of Parts 4.1 – 4.4, including deliverables?
• Validate quarterly & annual reviews
• Validate access grants against system records
• Evaluate controls related to access list maintenance, and quarterly & annual reviews
CIP-004-5 R4 Tips
• Quarterly reviews = compare individuals actually provisioned against authorization records
• Annual review = more detailed, to ensure least privilege is enabled
• Work towards evolving beyond spreadsheets and paper forms
• Continue tracking individuals and their role-based access rights
• Consider separation of duties: provisioner vs. reviewer
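The date comparison from the R2 and R3 audit approach (training and PRA completed before access was granted) and the R4 quarterly reconciliation of provisioned individuals against authorization records, as an added worked example that is not part of the WECC presentation. It reconciles a provisioning export (the system side) against authorization records (the paper side), flags training and PRA dates that postdate the grant, and flags training older than 15 calendar months or PRAs older than 7 years. The record layout, names and dates are constructed for illustration and are assumptions, not a prescribed format; an entity would feed in whatever AD group, badge-system and file-share exports it actually has.

```python
"""Added example (not from the WECC presentation): R2/R3 date checks and an
R4-style quarterly reconciliation of provisioned access against authorization
records. All records, names and dates below are constructed sample data, and
the field layout is an assumption rather than a prescribed format."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, str]  # (person, access type, target)


@dataclass(frozen=True)
class Authorization:
    person: str
    access_type: str          # "electronic", "physical" or "bcsi"
    target: str               # BES Cyber System, PSP, or designated BCSI storage location
    granted: date             # date the access was authorized and provisioned
    training: Optional[date]  # most recent CIP training completion (R2)
    pra: Optional[date]       # most recent PRA completion (R3)


REVIEW_DATE = date(2014, 5, 14)

# Constructed authorization records: the "paper" side of R4.
AUTHORIZATIONS = [
    Authorization("alice", "electronic", "EMS-SCADA", date(2014, 2, 3), date(2014, 1, 20), date(2013, 12, 1)),
    Authorization("alice", "physical", "Control-Center-PSP", date(2014, 2, 3), date(2014, 1, 20), date(2013, 12, 1)),
    Authorization("bob", "electronic", "EMS-SCADA", date(2014, 3, 10), date(2014, 3, 12), date(2014, 3, 1)),  # trained after grant
    Authorization("carol", "bcsi", "CIP-FileShare", date(2012, 9, 5), date(2012, 8, 30), date(2006, 4, 1)),  # stale training, old PRA
    Authorization("dave", "electronic", "EMS-SCADA", date(2014, 1, 6), date(2013, 12, 15), None),            # no PRA on file
]

# Constructed provisioning exports (AD group members, badge roster, share ACL):
# the "system" side of R4. eve appears here with no authorization record.
PROVISIONED: Set[Key] = {
    ("alice", "electronic", "EMS-SCADA"),
    ("alice", "physical", "Control-Center-PSP"),
    ("bob", "electronic", "EMS-SCADA"),
    ("carol", "bcsi", "CIP-FileShare"),
    ("eve", "electronic", "EMS-SCADA"),
}


def add_months(d: date, months: int) -> date:
    """Same calendar day `months` later, clamped to the target month's last day."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def quarterly_review(auths, provisioned: Set[Key]) -> Dict[str, List[Key]]:
    """Part 4.2: everyone actually provisioned must hold an authorization record.
    The reverse set (authorized but not provisioned) is a list-accuracy problem
    worth cleaning up before the annual privilege review."""
    authorized = {(a.person, a.access_type, a.target) for a in auths}
    return {
        "provisioned_without_authorization": sorted(provisioned - authorized),
        "authorized_but_not_provisioned": sorted(authorized - provisioned),
    }


def date_checks(auths, as_of: date) -> List[Tuple[Key, str]]:
    """R2/R3 audit approach: training and PRA must predate the grant, training
    must recur within 15 calendar months, and PRAs must be renewed within 7 years."""
    findings = []
    for a in auths:
        key = (a.person, a.access_type, a.target)
        if a.training is None or a.training > a.granted:
            findings.append((key, "training not completed before access granted"))
        elif add_months(a.training, 15) < as_of:
            findings.append((key, "training refresh overdue (>15 calendar months)"))
        if a.pra is None or a.pra > a.granted:
            findings.append((key, "PRA not completed before access granted"))
        elif add_months(a.pra, 7 * 12) < as_of:
            findings.append((key, "PRA renewal overdue (>7 years)"))
    return findings


def report(as_of: date = REVIEW_DATE) -> dict:
    """Both reviews over the constructed sample data, keyed by section."""
    return {
        "reconciliation": quarterly_review(AUTHORIZATIONS, PROVISIONED),
        "date_findings": date_checks(AUTHORIZATIONS, as_of),
    }


if __name__ == "__main__":
    for section, content in report().items():
        print(section, content)
```

The reconciliation is keyed on (person, access type, target) rather than on person alone, so one person authorized for the ESP but not the PSP shows up correctly; the same key can carry the access-list comparison forward into the annual Part 4.3/4.4 privilege review once group and role privileges are exported alongside it.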
CIP-004-5 R5 Overview
• Documented access revocation process
  o Terminations:
    ▪ Initiate removal of the ability for unescorted physical access and Interactive Remote Access immediately, and complete the removal within 24 hours
    ▪ Revoke logical/physical access to designated storage locations by the end of the next calendar day
    ▪ Revoke non-shared user accounts within 30 days
    ▪ Change shared account passwords within 30 days
  o Transfers/Reassignments:
    ▪ Revoke logical & physical access no longer needed by the end of the next calendar day (the Standard says calendar day, not business day)
    ▪ Change shared account passwords within 30 days
Access Revocation
CIP-004-5 R5 Audit Approach
• Processes for terminations and transfers/reassignments
• Do the processes cover everything in Parts 5.1 through 5.5?
• Do your processes point to procedures detailing how each action is carried out?
• Proof of performance: records, lists, screenshots, tickets, emails, system reports, forms, etc.
CIP-004-5 R5 Tips
• Define the start trigger for the termination/transfer process
• Read Part 5.1 carefully – deliberate wording. Document how you define "ability to access"
• NEW – designated storage locations, whether physical or electronic, for BES Cyber System Information – identify and document them
• NEW – extenuating operating circumstances (changing shared account passwords, Part 5.5) – define, document, and track
• Part 5.5 only applies to High Impact BES Cyber Systems and their associated EACMS
• Workflow diagrams are an auditor's best friend
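The R5 deadlines above, turned into a timeliness check over revocation tickets, as an added worked example that is not part of the WECC presentation. It computes each Part's deadline from the defined start trigger (24 hours for Part 5.1, end of the next calendar day for Parts 5.2 and 5.3, 30 calendar days for Parts 5.4 and 5.5), applies the Part 5.5 High Impact applicability and the documented extenuating-circumstances extension, and reports every action that was completed late or is still open past its deadline. The ticket layout, names and timestamps are constructed for illustration and are assumptions, not a prescribed format.

```python
"""Added example (not from the WECC presentation): a timeliness check for the
CIP-004-5 R5 revocation actions, using the deadlines stated in Parts 5.1-5.5.
Tickets, names and timestamps are constructed sample data; the record layout
is an assumption, not a prescribed format."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RevocationAction:
    individual: str
    event: str                  # "termination" or "transfer"
    part: str                   # CIP-004-5 R5 Part: "5.1" .. "5.5"
    triggered: datetime         # defined start trigger: the termination action, or the date
                                # the entity determined the access is no longer needed
    completed: Optional[datetime]
    impact: str = "high"        # "high" or "medium"; Part 5.5 is High Impact (+EACMS) only
    extenuating_until: Optional[datetime] = None  # Part 5.5 documented operating circumstances


def end_of_next_calendar_day(t: datetime) -> datetime:
    # "by the end of the next calendar day": calendar day, not business day
    return datetime.combine(t.date() + timedelta(days=1), time(23, 59, 59))


def deadline(a: RevocationAction) -> datetime:
    if a.part == "5.1":                       # remove ability for IRA / unescorted physical access
        return a.triggered + timedelta(hours=24)
    if a.part in ("5.2", "5.3"):              # transfer access; BCSI designated storage locations
        return end_of_next_calendar_day(a.triggered)
    if a.part == "5.4":                       # non-shared user accounts
        return a.triggered + timedelta(days=30)
    if a.part == "5.5":                       # shared account passwords
        if a.extenuating_until is not None:   # 10 calendar days after the circumstances end
            return a.extenuating_until + timedelta(days=10)
        return a.triggered + timedelta(days=30)
    raise ValueError(f"unknown Part {a.part}")


def applicable(a: RevocationAction) -> bool:
    if a.part == "5.5":
        return a.impact == "high"
    if a.part == "5.2":
        return a.event == "transfer"
    return a.event == "termination"


def evaluate(actions, as_of: datetime) -> List[Tuple[str, str, str]]:
    """(individual, part, status) for every applicable action that missed its deadline."""
    findings = []
    for a in actions:
        if not applicable(a):
            continue
        due = deadline(a)
        if a.completed is None:
            if as_of > due:
                findings.append((a.individual, a.part, "open past deadline"))
        elif a.completed > due:
            findings.append((a.individual, a.part, "completed late"))
    return findings


AS_OF = datetime(2014, 5, 14, 12, 0)
T_ALICE = datetime(2014, 4, 1, 14, 0)    # termination action
T_BOB = datetime(2014, 4, 30, 16, 0)     # transfer determination, a Wednesday
T_CAROL = datetime(2014, 5, 12, 10, 0)   # termination action
T_DAVE = datetime(2014, 3, 1, 10, 0)     # termination action

# Constructed revocation tickets.
ACTIONS = [
    RevocationAction("alice", "termination", "5.1", T_ALICE, datetime(2014, 4, 2, 9, 30)),   # 19.5 h: on time
    RevocationAction("alice", "termination", "5.3", T_ALICE, datetime(2014, 4, 2, 23, 0)),   # next calendar day: on time
    RevocationAction("alice", "termination", "5.4", T_ALICE, datetime(2014, 5, 5, 10, 0)),   # 34 days: late
    RevocationAction("alice", "termination", "5.5", T_ALICE, None),                          # still open past 30 days
    RevocationAction("bob", "transfer", "5.2", T_BOB, datetime(2014, 5, 2, 8, 0)),           # next business day, but not next calendar day
    RevocationAction("bob", "transfer", "5.5", T_BOB, None, impact="medium"),                # Part 5.5 not applicable to Medium
    RevocationAction("carol", "termination", "5.1", T_CAROL, datetime(2014, 5, 13, 10, 30)), # 24.5 h: late
    RevocationAction("carol", "termination", "5.4", T_CAROL, None),                          # open, but within 30 days
    RevocationAction("dave", "termination", "5.5", T_DAVE, datetime(2014, 4, 28, 9, 0),
                     extenuating_until=datetime(2014, 4, 20, 17, 0)),                        # within 10 days of circumstances ending
]

if __name__ == "__main__":
    for individual, part, status in evaluate(ACTIONS, AS_OF):
        print(f"{individual:6} Part {part}: {status}")
```

The bob ticket is the case the "deliberate wording" tip warns about: a process keyed to the next business day passes a Wednesday-to-Friday revocation, while the Standard's next-calendar-day clock expired Thursday night. Recording the start trigger as a timestamp rather than a date is what makes the 24-hour Part 5.1 check auditable at all.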
Resources, References, & Light Reading
• NERC v3 to v5 mapping document (pp. 8-11)
• FERC Order 791 (pp. 15-16)
• 2011 v5 SDT Presentation (pp. 36-46)
Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
Questions?