CIP-003_Workbook_10152019

NERC Reliability Standard Audit Worksheet

Compliance Assessment Approach Specific to CIP-003-7, R2

This section to be completed by the Compliance Enforcement Authority

Attachment 1, Section 1
For each asset containing a low impact BES Cyber System, verify that the Responsible Entity has documented a plan to reinforce cyber security practices (which may include associated physical security practices) at least once every 15 calendar months.

Attachment 1, Section 1
For each asset containing a low impact BES Cyber System, verify that the Responsible Entity has implemented its plan to reinforce cyber security practices (which may include associated physical security practices) at least once every 15 calendar months.

Attachment 1, Section 1
For each asset containing a low impact BES Cyber System, verify that the Responsible Entity has achieved the security objective of ensuring personnel with access to low impact BES Cyber Systems remain aware of cyber security practices.

Attachment 1, Section 2
For each asset containing a low impact BES Cyber System, verify that the Responsible Entity has documented a plan to control physical access, based on need as determined by the Responsible Entity, to:
1. The asset or the locations of the low impact BES Cyber Systems within the asset; and
2. The Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Attachment 1, Section 2
For each asset containing a low impact BES Cyber System, verify that the Responsible Entity has implemented its plan to control physical access.

Attachment 1, Section 2
For each asset containing a low impact BES Cyber System, verify that the Responsible Entity has achieved the security objective of controlling physical access to:
1. The asset or the locations of the low impact BES Cyber Systems within the asset; and
2. The Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Attachment 1, Section 3.1
For each asset containing a low impact BES Cyber System, verify that the Responsible Entity has documented a plan to control inbound and outbound electronic access, based on need as determined by the Responsible Entity, for any communications that are:
1. Between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
2. Using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
3. Not used for time-sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR-61850-90-5 R-GOOSE).

Audit ID: Audit ID if available; or REG-NCRnnnnn-YYYYMMDD
RSAW Version: RSAW_CIP-003-7_2019_v1
Revision Date: May 14, 2019
RSAW Template: RSAW2018R4.0
