| Standard | Summary of Requirements | Solutions |
| --- | --- | --- |
| CIP-002-1 Critical Cyber Asset Identification | All network assets must be audited to identify Critical Cyber Assets. A risk-based assessment methodology should be utilized with annual reviews. | Network Security Solutions; Cyber Data theft prevention |
| CIP-003-1 Security Management Controls | Policies with adherence monitoring and change control must be documented and in place. Change control policies and processes must be adhered to. Definitions and documentation on access control levels for critical assets such as Internet facing systems and critical backend solutions. Solutions should be in place to mitigate risks. | Security policy and procedure development |
| CIP-004-1 Personnel and Training | Employees should be trained on policies, access controls and general awareness issues around Social Engineering. Background checks should be performed on all users with access to computer assets. | Security policy and procedure development; Training |
| CIP-005-1 Electronic Security Protection | An Electronic Security Perimeter should be established that provides the following: Disable ports and services that are not required; Monitor and Log Access 24x7x365; Perform Annual Vulnerability Assessments (at a minimum); Documentation of Network Changes | Network Security solutions |
| CIP-006-1 Physical Security Program | Physical Security controls should be documented and implemented that provide perimeter monitoring and logging along with robust access controls. All cyber assets used for Physical Security are considered Critical and should be treated as such. | Security policy and procedure development |
| CIP-007-1 Systems Security Management | All methods, processes and procedures for securing Critical Assets and all technology solutions should be well-defined and include automated controls. System and network events should be monitored automatically with alerts sent to key personnel. An annual vulnerability assessment should be performed. | Security and Risk Consulting including Policies, Standards, and Security Baseline development and Security Awareness program development |
| CIP-008-1 Incident Response and Reporting | All cyber security incidents should be addressed by an internal computer incident response team (CIRT) and reported to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). | Security and Risk Consulting including GLBA Compliance and Incident Response Program Development |
| CIP-009-1 Disaster Recovery | A disaster recovery plan should be created and tested with annual drills. | Security and Risk Consulting including GLBA Compliance and Incident Response Program Development |