Sequence of Completion
Phase 1 - RFC supplies Attachment C for entity to input required data.
Phase 2 - Entity completes the three green colored tabs: Critical Assets, Cyber Assets, and Personnel and submits to RFC via extranet. See Phase 2 instructions for more details.
Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device Sample and Personnel Sample tabs will be populated with requested samples).
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed).

RFC Action Required: RFC supplies the Attachment C to the entity as part of the 90 day notification package. The CIP evidence list (Yellow Tab) is customized for the entity audit scope.

Color Coded Tabs
Entity populates green tabs.
Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in this information.
Yellow colored tab is customized by the ATL to assist the entity via a list of applicable in-scope requirements with due dates and samples as appropriate.

Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System

Next Steps: After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling methodology to this data list in order to establish and define a specific random sample set to audit against. The audit team will then send Evidence Requests for the specific random sample to the audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty five (65) calendar days prior to the scheduled review date of the Compliance Audit.
Requirement
R1 R1.1 R1.2 R1.2.1 R1.2.2 R1.2.3 R1.2.4 R1.2.5 R1.2.6 R1.2.7
CIP-002-3
R2
CIP-002-3
R3
CIP-002-3
R4
CIP-003-3
R1
CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3 CIP-003-3
R1 R1 R2
CIP-004-3
R3.3
CIP-004-3
R4
CIP-004-3
R1 R1 R1 R1 R1 R1 R2
CIP-005-3
R2.1, R2.2
CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3 CIP-005-3
CIP-005-3
CIP-005-3 CIP-005-3
CIP-005-3
R5.3
CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3 CIP-006-3
R1 R1 R1.14 R1.14 R1.2 R1.2 R1.3 R1.3 R1.4 R1.5 R1.6 R1.6 R1.7 R1.8 R2.1 R2.2 R3 R4 R5 R6 R6
CIP-006-3
R7
CIP-007-3
CIP-007-3
R5.1.2
CIP-007-3
R5.1.3
CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3 CIP-007-3
R5.2 R5.2 R5.34 R5.34 R5.3.14 R5.3.24 R5.3.34 R64 R64 R6.1 R6.2 R6.2 R6.34 R6.34
CIP-007-3
R6.4, R6.5
CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3 CIP-008-3
R1 R1.1 R1.2 R1.2 R1.2 R1.3 R1.3 R1.4 R1.4 R1.5 R1.6 R2
CIP-009-3 CIP-009-3 CIP-009-3 CIP-009-3 CIP-009-3 CIP-009-3 CIP-009-3 CIP-009-3 CIP-009-3 CIP-009-3
Notes
1. Evidence identified in this listing is the result of each requirement. This listing is intended to provide guidance to the entities in preparation for their audi
2. Evidence identified in this column must be submitted 40 days before the scheduled audit review date.
3. Evidence identified in this column must be submitted as designated by ReliabilityFirst.
Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there have been no exceptions to the Cyber Security Policy during the compliance period
For each exception to the cyber security policy, provide evidence of the date of approval
For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception
For each exception to the cyber security policy, provide evidence of any compensating measures
For each exception to the cyber security policy, provide evidence of the annual review
Provide information protection program
Provide evidence of an annual assessment of information protection program
Provide access control program
Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information
Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information
Provide evidence of annual review of access privileges
Provide evidence of the annual assessment of processes for controlling access privileges to protected information
Provide the process for change control and configuration management
Provide evidence that the change control and configuration management process has been implemented
Provide awareness program
Provide evidence of awareness reinforcement
Provide Cyber Security Training Program
Supporting Evidence: Addresses to whom it applies, delivery, review, and update frequencies
Provide Training Documentation, i.e., attendance records
Supporting Evidence: Include all relevant personnel that documents date of authorization and date of training
Provide training material that addresses all of R2.2 and its sub requirements
Provide training documentation that includes annual training completion dates
Provide Personnel Risk Assessment program
Provide documentation that specifies when the PRA was conducted and when access was granted
Provide documentation that the PRA program includes all elements of R3.1
Provide Personnel Risk Assessment Program language that addresses criteria with respect to "for cause" and schedules for re-assessment
Provide documentation of assessment results for all relevant personnel
Supporting Evidence: Documentation, i.e., database, application or spreadsheet that shows proof of assessments matched against CIP-004 R4 list(s)
Contract agreements and associated documentation
Provide list(s), i.e., spreadsheet, database or other application that tracks all electronic and physical access rights
Supporting Evidence: Documentation of authorized access approvals
Provide documentation that the list(s) is reviewed quarterly and updated within seven days of any change of access
Provide documentation that access list(s) for contractors and service vendors are properly maintained
Provide documentation that access is revoked within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer need access
Supporting Evidence for CIP-004 R2, R3, & R4: Provide the following in a spreadsheet, database, etc. for anyone with electronic or physical access to a CCA
Employee name and ID (unique identifier)
Date electronic access granted
Specific electronic access granted
Date physical access granted
Specific physical access granted
Date electronic access removed
Date physical access removed
Date of original training
Date of annual training
Date initial PRA completed
Date PRA updated
For each Critical Cyber Asset identified per CIP-002-3 R3, identify the Electronic Security Perimeter (ESP) within which it resides
For each ESP, identify each Cyber Asset residing within the perimeter
For each ESP, identify each access point to the ESP
For each ESP, identify each cyber asset used in the access control of the ESP
For each ESP, identify each cyber asset used in the monitoring of the ESP
For each ESP, provide a high-level diagram showing the major systems protected, all access points, and all access control devices
For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP
For R2.1, provide evidence that deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP.
For each cyber asset used in the access control of an ESP, provide evidence that the access control model denies access by default
Provide the procedure for securing dial-up access to each ESP
Provide evidence that the procedure for securing dial-up access to each ESP has been implemented, or an attestation that no dial-up access exists for the ESP in question
For each ESP, if external interactive access to the ESP has been enabled, describe the controls used to authenticate the user
For each access control device, provide the document identifying the content of the acceptable use banner
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each ESP, provide the documented electronic or manual processes for monitoring and logging access at access points to each ESP
Provide evidence that the above processes have been implemented
Provide evidence that the above processes are operational twenty-four hours a day, seven days a week
If applicable, provide evidence of alerts and notification of response personnel
If applicable, provide evidence of review or assessment of access logs
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points, provide evidence of manual review of logs at least every 90 days. Provide evidence of the 90 days prior to the 90 day notification.
For each ESP, provide documentation of the annual cyber vulnerability assessment
Provide documentation of vulnerability assessment process
Provide documentation of results of annual vulnerability assessment
If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
Provide documentation of annual review for all evidence for CIP-005
Provide evidence that updates to network control documentation were made within 90 days of a change
For Access Points selected provide evidence that access logs are retained for at least ninety calendar days. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
Provide Physical Security Plan
Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s)
For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each PSP, provide identification of all physical access points through the PSP and measures to control entry at those access points
For each PSP, provide evidence that the measures above have been implemented
For each PSP, provide documentation of the processes, tools, and procedures for monitoring of physical access to the PSP
For each PSP, provide evidence that the processes, tools and procedures above have been implemented
Provide documentation of visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls
Provide documentation of review of access authorization requests and revocation of access authorization, in accordance with CIP-004-3 Requirement R4.
For each PSP, provide logs of visitor entry and exit
For each PSP, provide evidence of continuous escorted access of visitors
Provide evidence that Physical Security Plan was updated within 30 calendar days of a physical security change
Provide evidence of an annual review of the Physical Security Plan
Provide documentation that physical access control systems are protected from unauthorized physical access
Provide documentation that physical access control systems are afforded the protective measures in the referenced requirements; this may be addressed as part of the individual applicable requirements or directly in response to this requirement
Provide documentation that electronic access control systems are located within an identified Physical Security Perimeter
For each PSP, provide documentation of operational and procedural controls to manage physical access at all access points to the PSP
Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.
Provide documentation identifying the methods for logging physical access
For each PSP, provide logs of physical entry to the PSP
Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days worth of logs. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
For each PSP, provide evidence of a maintenance and testing program for all physical security systems
For each PSP, provide evidence of testing and maintenance of all physical security mechanisms
For each PSP, provide the retention period for the testing and maintenance records
For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring
Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures
Provide evidence that all cyber security controls have been included in the test plans
Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.
Provide documentation that testing was performed in a manner that minimizes impact on the production environment
Provide documentation that testing was performed in a manner that reflects the production environment
Provide documentation of test results
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide the security patch management program
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.
Provide documentation of the process used to update anti-malware signatures
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide documentation of technical and procedural controls that enforce access authentication and accountability of all user activity
Provide evidence that user accounts are implemented as authorized
Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
Provide evidence of an annual review of user accounts to verify access privileges
Provide policy on use of administrator, shared, and other generic account privileges
Identify those individuals with access to shared accounts
Provide evidence that passwords adhere to 5.3 sub requirements as technically feasible
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide explanation of how security status monitoring is implemented
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide documentation of the mechanisms to monitor security events within each ESP
Provide documentation of alerting system configuration
Provide a listing of alerts generated by the monitoring systems
Provide evidence that logs of system events related to cyber security are maintained
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
Provide documentation on methods, processes, and procedures for disposal or redeployment of Cyber Assets within the ESP
Provide records that assets were disposed of or redeployed in accordance with documented procedures
Provide documentation of the annual vulnerability assessment of all Cyber Assets within the ESP
Provide documentation of vulnerability assessment process
Provide documentation of results of annual cyber vulnerability assessment
If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
Provide documentation and records demonstrating the annual review and update of all documentation for CIP-007
Provide Cyber Security Incident Response Plan
Provide procedure for characterizing and classifying events as reportable Cyber Security Incidents
Provide roles and responsibilities
Provide incident handling procedure
Provide communication plans
Provide process for reporting incidents to the ES-ISAC
Provide evidence that all reportable incidents were reported to the ES-ISAC or an assertion that there have been no reportable incidents during the spot check period
Provide process for updating response procedures
Provide history of Response Plan updates or an assertion that there have been no updates made during the spot check period
Provide evidence of annual review
Provide history of incident response tests conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) incident(s) or event(s) tested
Provide cyber security incident documentation
Provide Critical Cyber Asset Recovery Plans
List the Recovery plan that covers the selected cyber assets.
Provide conditions that would invoke the recovery plan
Provide recovery actions
Provide roles and responsibilities
Provide evidence of annual review
Provide history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) event(s) or condition(s) tested
Provide documentation of changes to the recovery plan(s) and documentation of all communications
Provide documentation regarding the backup and storage of information
Provide documentation of annual testing of backup media
40 Days (Note 2)
X X X X X X X X X X
Upon Request (Note 3)
X X X X X X X X
Not in Scope Not in Scope Not in Scope Not in Scope Not in Scope Not in Scope Not in Scope X X X X X X
X X X X X X X
See Personnel Sampling Tab See Personnel Sampling Tab See Personnel Sampling Tab X See Personnel Sampling Tab See Personnel Sampling Tab X
X X X X X X X
X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X See Device Sampling Tab X X See Device Sampling Tab See Device Sampling Tab
X X X X
X X See Device Sampling Tab X See Device Sampling Tab X X X See Personnel Sample Tab
X See Personnel Sample Tab See Personnel Sample Tab X X X X X X See Device Sampling Tab See Device Sampling Tab See Device Sampling Tab See Device Sampling Tab X
X X X X X X X X X X X X
Attachment "C" CIP Data List for Sampling
Phase 2 Instructions

Entity Action Required: Please complete all the worksheets within this spreadsheet and return to ReliabilityFirst no later than seventy five (75) calendar days prior to the scheduled review date of the Compliance Audit.

Please complete the following worksheets:

Critical Assets (List of all Critical Assets)
  Critical Assets - Name of Critical Asset
  Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, Substation, etc.
  Responsible Registered Entity - For a combined audit of multiple registered entities

Cyber Assets (List of all Cyber Assets and the associated ESP and PSP - Indicate CCA, NCCA, AP, EACM, PACS)
  Cyber Asset Name - Name of the Cyber Asset
  Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
  ESP Name - Name of ESP containing Cyber Asset
  PSP Name - Name of PSP containing Cyber Asset
  Vendor - Name of vendor for identified Cyber Asset
  Model - Model Name and Number of identified Cyber Asset
  IOS / Platform or Operating System - Name of platform or operating system running on the Cyber Asset (e.g. Windows, NT, Linux, Unix, DB/App, N/A, etc.)
  Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine
  Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.
  Supporting Organization - Name of internal organization supporting identified CA (e.g. EMS, Substation, Corp IT, Corp Security, etc.)
  Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)
  Responsible Registered Entity - For a combined audit of multiple registered entities

Personnel (List of all personnel with authorized cyber or authorized unescorted physical access to critical cyber assets and identification of terminated personnel or personnel role changes within the past six (6) months)
  Name - Name of individual
  Access Type - Should be Physical, Cyber, or Both
  Personnel Type - Should be Employee, Contractor, Vendor or Other
  Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change. Enter N/A if active employee and no personnel role and responsibility change within past six (6) months.
  Responsible Registered Entity - For a combined audit of multiple registered entities
Sequential number | Critical Asset where CCA resides | IOS / Platform or Operating System | Cyber Asset Type (choose only one from example list) | Responsible Registered Entity
1 | SOUTHPARK | Windows 2000 | CCA | RE1
2 | NORTHPARK | TRU64 UNIX | NCCA | RE2
3 | SOUTHPARK | N/A | AP | RE3
4 | SOUTHPARK | N/A | EACM | RE4
5 | SOUTHPARK | N/A | PACS | RE5
Sequential number
Vendor
Model
Asset Type
Supporting Organization
CIP3 R6
For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.
CIP5 R3.2
Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points, provide evidence of manual review of logs at least every 90 days. Provide evidence of the 90 days
CIP5 R5.3
For Access Points selected provide evidence that access logs are retained for at least ninety calendar days. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
CIP6 R5
Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.
CIP6 R7
Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days worth of logs. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
CIP7 R1
Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.
CIP7 R2
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled
CIP7 R3
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.
CIP7 R4
For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.
CIP7 R5.1.2
Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
CIP7 R6
For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates: Date1 Date2 Date3 Date4 Date5
CIP 9 R1
List the Recovery plan that covers the selected cyber assets.
Entity
TRAINING
2010 DATES or oldest on record Sequential number Name Access Type Responsible Registered Entity
2011 DATES
2012 DATES
PRA DATES
PRA CONTENTS (RFC to REDACTED complete) PRA 7 YR REDACTED PRA SAMPLE AUTHORIZ SS# CHECK CRIMINAL SAMPLE REQUESTED ATION (Y/N) CHECK RECEIVED (for (for most DATE (Y/N) most recent recent PRA) PRA) (Y/N) DATE
MOST RECENT
NEXT
CRITICAL CYBER ASSET - AUTHORIZED CYBER ACCESS EMPLOYM CURRENT ANY ACCESS ACCESS DATE ENT STATUS - CHANGE DATE REVOCATI IF YES, NO GRANTED CHANGE TERMINAT ACTIVE / IN ACCESS CHANGE ON TERMINAT LONGER DATE IDENTIFIE ED FOR NON RIGHTS MADE REQUIRED ION DATE REQUIRED D CAUSE ACTIVE (Y/N) (Y/N) (Y/N) (Y/N)
CURRENT ANY ACCESS IF YES, DATE ACCESS AUTHORIZ STATUS - CHANGE DATE REVOCATI DATE GRANTED CHANGE REVOCATI ATION ACTIVE / IN ACCESS CHANGE ON IDENTIFIE DATE IDENTIFIE ON DATE DATE NON RIGHTS MADE REQUIRED D D ACTIVE (Y/N) (Y/N)
ED UNESCORTED PHYSICAL ACCESS EMPLOYM CIP 006 ACCESS ENT IF YES, R1.5 ENTITY RFC IF YES, NO ACCESS TERMINAT DATE Provide 1 TERMINAT LONGER REVOCATI COMMEN COMMEN ED FOR IDENTIFIE evidence TS TS ION DATE REQUIRED ON DATE CAUSE D file for all (Y/N) (Y/N) sampled personnel
RFC Action Required: Select samples and populate the Device Sample and Personnel Sample tabs using approved methodology (and Device Sample Matrix and Personnel Sample Templates) and return to entity no later than sixty-five (65) calendar days prior to the scheduled review date of the Compliance Audit.

Please complete the following worksheets:

Device Sample (List of selected Cyber Assets and the associated Standards and Requirements merged with Device Sample Matrix)
Pull required samples using approved methodology and merge with Device Sample Matrix. Change Device Sample tab color to Green prior to sending to entity.
  Cyber Asset Name - Name of the Cyber Asset
  Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
  ESP Name - Name of ESP containing Cyber Asset
  PSP Name - Name of PSP containing Cyber Asset
  Vendor - Name of vendor for identified Cyber Asset
  Model - Model Name and Number of identified Cyber Asset
  IOS / Platform or Operating System - Name of platform or operating system running on the Cyber Asset (e.g. Windows, NT, Linux, Unix, DB/App, N/A, etc.)
  Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine
  Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.
  Supporting Organization - Name of internal organization supporting identified CA (e.g. EMS, Substation, Corp IT, Corp Security, etc.)
  Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)
  Responsible Registered Entity - For a combined audit of multiple registered entities

Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted physical access to critical cyber assets and identification of terminated personnel or personnel role changes within the past six (6) months)
Pull required samples using approved methodology and merge with Personnel Sample Template. Change Personnel Sample tab color to Green prior to sending to entity.
  Name - Name of individual
  Access Type - Should be Physical, Cyber, or Both
  Personnel Type - Should be Employee, Contractor, Vendor or Other
  Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change. Enter N/A if active employee and no personnel role and responsibility change within past six (6) months.
  Responsible Registered Entity - For a combined audit of multiple registered entities
Attachment "C" CIP Data List for Sampling
Phase 4 Instructions

Entity Action Required: Complete the Device Sample and Personnel Sample tabs per below instructions and return to RFC no later than forty (40) calendar days prior to the scheduled review date of the Compliance Audit.

Please complete the following worksheets:

Device Sample (List of selected Cyber Assets and the associated Standards and Requirements)
Please provide an evidence file reference for each Standard/Requirement column listed that is not "greyed out". It is preferred that each requirement will have one PDF file with the information contained within for all the samples within that requirement.

Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted physical access to critical cyber assets and identification of terminated personnel or personnel role changes within the past six (6) months)
Complete the required fields for each person.
For the columns CIP 6 R1.5 and CIP 7 R5, it is preferred that each requirement will have one file with the information contained within for all the samples within that requirement. In this file, please include the appropriate training records and redacted PRAs for the selected individuals.
Date December 17, 2010 February 15, 2011 October 19, 2011 December 19, 2011
Version Number / Changes
Version 1: Initial release of Attachment C spreadsheet
Version 2: Added type to Critical assets, critical cyber assets and non-critical cyber assets
Version 3: Added a changes tab and instruction to gather the total population of changes from 10/1/2010 through the 90 notification. This will allow for sampling of changes for CIP-003 R6
Version 4: Changed due date in instructions from 30 days to 75 days.
Added Asset Function field to Instruction and Critical Asset Tab; Added Vendor; Model; Platform or O/S; Function Performed; and Supporting Organization fields to the CCA, Non-CCA, ESP Access Points and ACM and Instruction tabs. Changed abbreviation to acronyms and added acronyms to the Instructions tab. Added examples to the worksheets and formatted.
1) Changed field "Asset Function" to "Asset Type" on the CCA, NCCA, AP and ACM tabs for clarity;
2) Added filters on each worksheet to enable filtering capability for each tab/worksheet
3) Removed Changes tab
4) Added "Date of Termination" and "Date of Personnel Role Change" column to Personnel tab.
5) Added "Critical Asset" column to CCA, NCCA, AP and ACM tabs to map respective assets back to the Critical Asset.
6) Added additional examples to each of the worksheets
7) Updated the Instructions tab to reflect above changes.
8) Moved Instruction tab to be the first worksheet within workbook.
9) Moved the Personnel tab to be after ACM worksheet.
Rhonda Bramer
Rhonda Bramer
5.1
February 23, 2012 June 25, 2012 July 3, 2012 August 24, 2012 November 15, 2012 November 28, 2012
Todd Thompson John Kellerhals John Kellerhals John Kellerhals John Kellerhals John Kellerhals
Added a "Yes" or "No" column for "Virtual Machine" in the following tabs: Critical Cyber Assets, Non-Critical Cyber Assets, ESP Access Points and Access Control and Monitoring. Also updated the Instructions Tab to reflect the change above. Incorporated multiple sample sheets into this spreadsheet for ease of use. Added Responsible Registered Entity Columns to support combined audits Included feedback suggestions from entities Release including instructions for 4 phases Release including instructions for 4 phases