CIP-003_Workbook_10152019

Page 24 of 44

NERC Reliability Standard Audit Worksheet

Compliance Assessment Approach Specific to CIP-003-7, R1

This section to be completed by the Compliance Enforcement Authority

For its high impact and medium impact BES Cyber Systems, if any, verify the Responsible Entity has documented one or more cyber security policies that collectively address the following topics:

1. Personnel and training (CIP-004);
2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
3. Physical security of BES Cyber Systems (CIP-006);
4. System security management (CIP-007);
5. Incident reporting and response planning (CIP-008);
6. Recovery plans for BES Cyber Systems (CIP-009);
7. Configuration change management and vulnerability assessments (CIP-010);
8. Information protection (CIP-011); and
9. Declaring and responding to CIP Exceptional Circumstances.

For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any, verify the Responsible Entity has documented one or more cyber security policies that collectively address the following topics:

1. Cyber security awareness;
2. Physical security controls;
3. Electronic access controls;
4. Cyber Security Incident response;
5. Transient Cyber Assets and Removable Media malicious code risk mitigation; and
6. Declaring and responding to CIP Exceptional Circumstances.

Verify each policy used to meet this Requirement has been reviewed at least once every 15 calendar months.

Verify the CIP Senior Manager has approved each policy used to meet this Requirement at least once every 15 calendar months.

Verify the Responsible Entity has achieved the security objective of instituting cyber security policies that will preserve the availability, integrity, and confidentiality of systems that support the reliable operation of the BES.

Note to Auditor: Per Attachment 1, “Responsible Entities with multiple-impact BES Cyber Systems ratings can utilize policies, procedures, and processes for their high or medium impact BES Cyber Systems to fulfill the sections for the development of low impact cyber security plan(s). Each Responsible Entity can develop a cyber security plan(s) either by individual asset or groups of assets.”

Auditor Notes:

Audit ID: Audit ID if available; or REG-NCRnnnnn-YYYYMMDD
RSAW Version: RSAW_CIP-003-7_2019_v1
Revision Date: May 14, 2019
RSAW Template: RSAW2018R4.0
