CIP-003_Workbook_10152019

CIP-003-7 - Cyber Security — Security Management Controls

Attachment 2

Examples of Evidence for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

Section 1. Cyber Security Awareness: An example of evidence for Section 1 may include, but is not limited to, documentation that the reinforcement of cyber security practices occurred at least once every 15 calendar months. The evidence could be documentation through one or more of the following methods:

• Direct communications (for example, e-mails, memos, or computer-based training);
• Indirect communications (for example, posters, intranet, or brochures); or
• Management support and reinforcement (for example, presentations or meetings).

Section 2. Physical Security Controls: Examples of evidence for Section 2 may include, but are not limited to:

• Documentation of the selected access control(s) (e.g., card key, locks, perimeter controls), monitoring controls (e.g., alarm systems, human observation), or other operational, procedural, or technical physical security controls that control physical access to both:
  a. The asset, if any, or the locations of the low impact BES Cyber Systems within the asset; and
  b. The Cyber Asset(s) specified by the Responsible Entity that provide(s) electronic access controls implemented for Attachment 1, Section 3.1, if any.

Section 3. Electronic Access Controls: Examples of evidence for Section 3 may include, but are not limited to:

1. Documentation showing that at each asset or group of assets containing low impact BES Cyber Systems, routable communication between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset is restricted by electronic access controls to permit only inbound and outbound electronic access that the Responsible Entity deems necessary, except where an entity provides rationale that communication is used for time-sensitive protection or control functions between intelligent electronic devices.

Examples of such documentation may include, but are not limited to, representative diagrams that illustrate control of inbound and outbound communication(s) between the low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s) or lists of implemented electronic access controls (e.g., access control lists restricting IP addresses, ports, or services; implementing unidirectional gateways).
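The "lists of implemented electronic access controls" evidence for Section 3 is only meaningful if every permitted flow maps back to something the Responsible Entity documented as necessary. The following Python check is an added example, not part of CIP-003-7 or this workbook; the ACL, the addresses, the port numbers and the list of necessary flows are all constructed, and the tuple layout is an assumption rather than any vendor's export format.

```python
# Added example (not from CIP-003-7 or the workbook): compare a constructed
# access control list on the low impact asset boundary against the inbound
# and outbound flows documented as necessary, and report anything broader.
import ipaddress

# Constructed sample ACL. Fields: direction, action, source, destination,
# protocol, port (None means any port).
ACL = [
    ("inbound",  "permit", "10.20.0.5/32",    "192.168.50.10/32", "tcp", 502),
    ("outbound", "permit", "192.168.50.0/24", "10.20.0.0/24",     "udp", 123),
    ("inbound",  "permit", "0.0.0.0/0",       "192.168.50.0/24",  "tcp", None),
    ("inbound",  "deny",   "0.0.0.0/0",       "0.0.0.0/0",        "ip",  None),
    ("outbound", "deny",   "0.0.0.0/0",       "0.0.0.0/0",        "ip",  None),
]

# Flows the entity documented as necessary (constructed): same layout, no action.
NECESSARY = {
    ("inbound",  "10.20.0.5/32",    "192.168.50.10/32", "tcp", 502),  # Modbus from EMS
    ("outbound", "192.168.50.0/24", "10.20.0.0/24",     "udp", 123),  # NTP to site clock
}

def audit_acl(acl, necessary):
    """Return a list of findings; an empty list means the ACL matches the documentation."""
    findings = []
    for direction in ("inbound", "outbound"):
        rules = [r for r in acl if r[0] == direction]
        # Each direction should end with an explicit deny-all so nothing falls through.
        if not rules or rules[-1][1] != "deny" or rules[-1][2] != "0.0.0.0/0":
            findings.append(f"{direction}: no terminal deny-all rule")
        for d, action, src, dst, proto, port in rules:
            if action != "permit" or (d, src, dst, proto, port) in necessary:
                continue
            # Permit that no documented flow justifies: describe how broad it is.
            why = []
            if 0 in (ipaddress.ip_network(src).prefixlen, ipaddress.ip_network(dst).prefixlen):
                why.append("any-address")
            if port is None:
                why.append("any-port")
            detail = ", ".join(why) or "not in necessary-flow list"
            findings.append(f"{d}: undocumented permit {src}->{dst} {proto}/{port or 'any'} ({detail})")
    return findings

if __name__ == "__main__":
    for finding in audit_acl(ACL, NECESSARY):
        print(finding)
```

The clean list of permits that survives this check, together with the necessary-flow table, is the kind of "list of implemented electronic access controls" the section asks for.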

Page 25 of 57
