CIP-003_Workbook_10152019

CIP-003-7 Supplemental Material

• Appropriate notifications upon discovery of an incident
• Obligations to report Cyber Security Incidents

1.2.5 Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation

• Acceptable use of Transient Cyber Asset(s) and Removable Media
• Method(s) to mitigate the risk of the introduction of malicious code to low impact BES Cyber Systems from Transient Cyber Assets and Removable Media
• Method(s) to request Transient Cyber Asset and Removable Media

1.2.6 Declaring and responding to CIP Exceptional Circumstances

• Process(es) to declare a CIP Exceptional Circumstance
• Process(es) to respond to a declared CIP Exceptional Circumstance

Requirements relating to exceptions to a Responsible Entity’s security policies were removed because it is a general management issue that is not within the scope of a reliability requirement. It is an internal policy requirement and not a reliability requirement. However, Responsible Entities are encouraged to continue this practice as a component of their cyber security policies.

In this and all subsequent required approvals in the NERC CIP Reliability Standards, the Responsible Entity may elect to use hardcopy or electronic approvals to the extent that there is sufficient evidence to ensure the authenticity of the approving party.

Requirement R2:

The intent of Requirement R2 is for each Responsible Entity to create, document, and implement one or more cyber security plan(s) that address the security objective for the protection of low impact BES Cyber Systems. The required protections are designed to be part of a program that covers the low impact BES Cyber Systems collectively at an asset level (based on the list of assets containing low impact BES Cyber Systems identified in CIP-002), but not at an individual device or system level.
