CIP-003_Workbook_10152019


CIP-003-7 - Cyber Security — Security Management Controls

Purpose

To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

Requirements R1

Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:

1.1 For its high impact and medium impact BES Cyber Systems, if any:
  1.1.1 Personnel and training (CIP-004);
  1.1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
  1.1.3 Physical security of BES Cyber Systems (CIP-006);
  1.1.4 System security management (CIP-007);
  1.1.5 Incident reporting and response planning (CIP-008);
  1.1.6 Recovery plans for BES Cyber Systems (CIP-009);
  1.1.7 Configuration change management and vulnerability assessments (CIP-010);
  1.1.8 Information protection (CIP-011); and
  1.1.9 Declaring and responding to CIP Exceptional Circumstances.

1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
  1.2.1 Cyber security awareness;
  1.2.2 Physical security controls;
  1.2.3 Electronic access controls;
  1.2.4 Cyber Security Incident response;
  1.2.5 Transient Cyber Assets and Removable Media malicious code risk mitigation; and
  1.2.6 Declaring and responding to CIP Exceptional Circumstances.
