Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security - PowerPoint PPT Presentation
Bryan J. Carr, PMP, CISA

Compliance Auditor, Cyber Security

CIP-008-5, 009-5, & TFEs

May 14, 2014

CIP v5 Roadshow – Salt Lake City, UT

Agenda
  • Applicability
  • Implementation
  • CIP-008-5 & 009-5
    • Overview
    • Audit Approach
    • Tips
  • TFEs and CIP v5
Goal

Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5

CIP-008-5 Purpose

“To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”

CIP-008-5 Applicability
  • High Impact BES Cyber Systems (R1-R3)
  • Medium Impact BES Cyber Systems (R1-R3)
CIP-008-5 Implementation
  • By April 1, 2016
    • All of CIP-008-5, except as noted below
  • On or before April 1, 2017:
    • CIP-008-5, Requirement R2, Part 2.1
    • CIP-008-5, Requirement R3, Part 3.1
CIP-008-5 R1 Overview
  • Ingredients of the Cyber Security Incident Response Plan
    • Identify, classify, and respond to Cyber Security Incident (CSI)
    • Process to determine if CSI is a Reportable CSI (RCSI)
    • Notify ES-ISAC w/in 1hr of determination of RCSI
    • Roles and responsibilities
    • Incident handling procedures
CIP-008-5 R1 Audit Approach
  • Documentation requirement
    • Does the CSIRP address each Part of R1?
    • Does the CSIRP tie all the necessary resources together?
    • Revision history with sufficient details
CIP-008-5 R1 Tips
  • Man on the street(ish) test
    • Can someone else in your organization pick up the CSIRP and have everything they need to respond?
  • Roles and responsibilities may include contact lists with names/numbers/emails
  • Assumption is you’ll have Cyber Security Incidents, emphasis on RCSI and criteria used to determine elevation of CSI to RCSI
  • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends
CIP-008-5 R2 Overview
  • Annual test of CSIRP
    • Actual Incident
    • Paper
    • Operational
  • Use the plan during annual test & document any deviations from the plan
  • Retain records of Incidents
CIP-008-5 R2 Audit Approach
  • Performance Requirement:
    • How has the plan been implemented?
    • How do you test/exercise the plan?
    • Did you document deviations from the plan during exercise/test?
    • How are records kept and where?
CIP-008-5 R2 Tips
  • Anytime the words “test” or “exercise” are used – lessons learned should follow. If you have no lessons learned, you may not be doing it right
  • It’s ok to get a little creative with test and exercise scenarios
CIP-008-5 R3 Overview
  • Complete w/in 90 days of test/exercise or actual Incident response:
    • Document lessons learned
    • Update the Plan
    • Notify responsible parties of updates
  • Complete w/in 60 days of change in roles/responsibilities/technology
    • Update the Plan
    • Notify responsible parties
CIP-008-5 R3 Audit Approach
  • Performance Requirement:
    • Updates tracked through revision history or other means of sufficient detail
    • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed
    • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.
CIP-008-5 R3 Tips
  • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
  • Suggest outlining how this is supposed to happen in the actual plan
CIP-008-5

Questions?

CIP-009-5 Purpose

“To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”

CIP-009-5 Applicability
  • High Impact BES Cyber Systems (2.3)
  • Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (1.4, 2.1, 2.2, 3.1, 3.2)
  • High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except 2.3)
  • Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except 1.4)
CIP-009-5 Implementation
  • By April 1, 2016
    • All of CIP-009-5, except as noted below
  • On or before April 1, 2017:
    • CIP-009-5, Requirement R2, Parts 2.1, 2.2
    • CIP-009-5, Requirement R3, Part 3.1
  • On or before April 1, 2018:
    • CIP-009-5, Requirement R2, Part 2.3
CIP-009-5 R1 Overview
  • Ingredients of the recovery plan
    • Conditions for activation of the plan
    • Roles and responsibilities
    • Process for backup and storage
    • Process to verify successful completion of backups
    • Process to preserve data
CIP-009-5 R1 Audit Approach
  • Documentation requirement
    • Does the plan (or plans) address all processes required?
    • Review associated procedures, flowcharts, etc.
    • Revision history with sufficient details
CIP-009-5 R1 Tips
  • Two new Requirements (1.4 & 1.5) – read carefully, plan accordingly
  • Regurgitating the Requirement language does not constitute developing a program/process
  • Man on the street(ish) test
    • Can someone else in your organization pick up the CSIRP and have everything they need to respond?
  • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends
CIP-009-5 R2 Overview
  • Annual test of recovery plan
    • Actual Incident
    • Paper
    • Operational
  • Test representative sample of backups to ensure validity and compatibility
  • Operational exercise required at least once every 36 months for High Impact BES Cyber Systems
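The R1 bullet "process to verify successful completion of backups" and the R2 bullet "test representative sample of backups" describe what the recovery plan must contain, not how it is done. The following Python script is an added example, not material from the presentation, WECC or NERC; it shows one way to implement both: an integrity check that recomputes a stored backup's SHA-256 against the digest recorded when the backup completed, and a stratified sample that pulls one backup from every (impact rating, asset type) bucket using a seeded RNG so an auditor can reproduce the selection. The system names, asset inventory and backup contents are constructed, and the "corrupt" record simulates a backup that silently decayed after it was written (the failure mode a restore test exists to catch).

```python
"""Backup-integrity check with stratified representative sampling.

Added example (not from the presentation). Models two CIP-009-5 ideas:
R1 "process to verify successful completion of backups" and R2 "test a
representative sample of backups". All names, fields and backup payloads
below are constructed for illustration.
"""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupRecord:
    system: str            # constructed asset name, e.g. "EMS-SCADA-01"
    impact: str            # "High" or "Medium" (BES Cyber System impact rating)
    asset_type: str        # "BCS", "EACMS" or "PACS"
    expected_sha256: str   # digest recorded when the backup job completed
    payload: bytes         # stand-in for the stored backup image


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_record(system, impact, asset_type, payload, corrupt=False):
    """Build a constructed record; corrupt=True flips one bit of the stored
    image after the digest was taken, simulating bit-rot on the backup media."""
    digest = sha256_hex(payload)
    stored = payload[:-1] + bytes([payload[-1] ^ 0x01]) if corrupt else payload
    return BackupRecord(system, impact, asset_type, digest, stored)


def verify_backup(rec: BackupRecord) -> bool:
    """R1-style completion check: the image on disk must still hash to the
    digest that was recorded when the backup was declared successful."""
    return sha256_hex(rec.payload) == rec.expected_sha256


def representative_sample(records, seed):
    """R2-style sample: one backup from every (impact, asset_type) stratum.
    Groups and members are sorted before the seeded draw, so the same seed
    always yields the same sample and the selection method is auditable."""
    rng = random.Random(seed)
    strata = {}
    for rec in records:
        strata.setdefault((rec.impact, rec.asset_type), []).append(rec)
    sample = []
    for key in sorted(strata):
        group = sorted(strata[key], key=lambda r: r.system)
        sample.append(rng.choice(group))
    return sample


def run_backup_test(records, seed=2014):
    """Return ({system: verified?}, [failed systems]) for the sampled backups.
    The failure list is the input to the R3 lessons-learned step."""
    sample = representative_sample(records, seed)
    results = {rec.system: verify_backup(rec) for rec in sample}
    failures = sorted(s for s, ok in results.items() if not ok)
    return results, failures


# Constructed inventory: two High/BCS, one Medium/BCS, one High/EACMS, one High/PACS.
INVENTORY = [
    make_record("EMS-SCADA-01", "High", "BCS", b"scada-config-v7"),
    make_record("EMS-SCADA-02", "High", "BCS", b"scada-config-v7b"),
    make_record("SUB-RTU-17", "Medium", "BCS", b"rtu-firmware-image"),
    make_record("FW-CC-01", "High", "EACMS", b"firewall-ruleset-2014-05", corrupt=True),
    make_record("BADGE-SRV-01", "High", "PACS", b"badge-db-dump"),
]

if __name__ == "__main__":
    results, failures = run_backup_test(INVENTORY)
    for system, ok in results.items():
        print(f"{system:14s} {'OK' if ok else 'FAILED'}")
    print("failures:", failures)
```

Recording the seed alongside the test results is what makes the "how did you determine the sample set?" audit question answerable: the same inventory and seed regenerate exactly the list that was tested.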
CIP-009-5 R2 Audit Approach
  • Performance Requirement:
    • How has the plan been implemented?
    • How do you test/exercise the plan?
    • Representative sample – how did you determine the sample set?
    • Documentation of test/exercise, outcomes & lessons learned
CIP-009-5 R2 Tips
  • R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate documents
  • Focus on outputs of R2, what are the deliverables?
    • Part 2.3 – First full operational exercise must occur by 4/1/2017, then at least once every 36 months
CIP-009-5 R3 Overview
  • Complete w/in 90 days of test/exercise or actual recovery:
    • Document lessons learned
    • Update the plan
    • Notify responsible parties of updates
  • Complete w/in 60 days of change in roles/responsibilities/technology
    • Update the plan
    • Notify responsible parties
CIP-009-5 R3 Audit Approach
  • Performance Requirement:
    • Updates tracked through revision history or other means of sufficient detail
    • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed
    • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.
CIP-009-5 R3 Tips
  • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
  • Good idea to outline how this is supposed to happen in the actual plan
CIP v5 and TFEs
  • TFEs will be necessary in v5
  • Definitive list of Requirements/Parts to be determined – 9 have “where technically feasible”
  • Appendix 4D will be updated to accommodate v5
  • webCDMS will be updated as necessary
  • Streamlined process will remain in place
Resources, References, & Light Reading
  • NERC v3 to v5 mapping document
  • FERC Order 791
  • 2011 v5 SDT Presentation
  • DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability
  • NIST Computer Security Incident Handling Guide
Bryan J. Carr, PMP, CISA

Compliance Auditor, Cyber Security

O: 801.819.7691

M: 801.837.8425

[email protected]

Questions?
