CIP-004: Cyber Security Sub-Requirements

  • R2.1. This training program must ensure that all personnel with access to Critical Cyber Assets, including contractors and service vendors, are trained before they are granted access except in specified circumstances such as an emergency.
  • R2.2. Training shall cover the policies, access controls, and procedures as developed for the Critical Cyber Assets covered by CIP-004 and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
    • R2.2.1. The proper use of Critical Cyber Assets
    • R2.2.2. Physical and electronic access controls to Critical Cyber Assets
    • R2.2.3. The proper handling of Critical Cyber Asset information
    • R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident
  • R2.3. The Responsible Entity shall maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records.
  • R4.1. The Responsible Entity shall review the list(s) of its personnel who have access to Critical Cyber Assets quarterly and update the list(s) within seven calendar days of any change of personnel with such access to Critical Cyber Assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained.
  • R4.2. The Responsible Entity shall revoke access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
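The R4.1 quarterly review and the R4.2 revocation windows (24 hours for termination for cause, seven calendar days otherwise) are measurable, so an auditor can check them against the access-change records. The script below is an added example, not part of the standard or any entity's compliance tooling; the event tuples, review dates and the two change-kind labels are constructed assumptions.

```python
from datetime import datetime, timedelta

# R4.2 revocation windows: 24 hours for termination for cause,
# seven calendar days (not business days) when access is no longer required.
WINDOWS = {
    "terminated_for_cause": timedelta(hours=24),
    "no_longer_requires": timedelta(days=7),
}

# Constructed sample records (not from the standard): when the personnel
# change occurred and when access to Critical Cyber Assets was actually revoked.
EVENTS = [
    ("alice", "terminated_for_cause", "2024-03-01T09:00", "2024-03-01T20:30"),
    ("bob",   "terminated_for_cause", "2024-03-02T09:00", "2024-03-04T09:00"),
    ("carol", "no_longer_requires",   "2024-03-03T09:00", "2024-03-09T09:00"),
    ("dave",  "no_longer_requires",   "2024-03-03T09:00", "2024-03-12T09:00"),
]

# Constructed dates on which an access-list review (R4.1) was completed.
REVIEWS = ["2024-01-15", "2024-04-10", "2024-10-02"]


def check_revocations(events):
    """Return one finding per event with its R4.2 deadline and overdue time."""
    findings = []
    for person, kind, changed, revoked in events:
        if kind not in WINDOWS:
            raise ValueError(f"unknown change kind for {person}: {kind}")
        deadline = datetime.fromisoformat(changed) + WINDOWS[kind]
        overdue = max(datetime.fromisoformat(revoked) - deadline, timedelta(0))
        findings.append({"person": person, "kind": kind, "deadline": deadline,
                         "compliant": overdue == timedelta(0), "overdue_by": overdue})
    return findings


def missing_quarterly_reviews(review_dates, year):
    """Return the quarters (1-4) of `year` with no recorded access-list review."""
    covered = set()
    for d in review_dates:
        dt = datetime.fromisoformat(d)
        if dt.year == year:
            covered.add((dt.month - 1) // 3 + 1)
    return [q for q in (1, 2, 3, 4) if q not in covered]


if __name__ == "__main__":
    for f in check_revocations(EVENTS):
        status = "OK" if f["compliant"] else f"LATE by {f['overdue_by']}"
        print(f"{f['person']:6} {f['kind']:22} due {f['deadline']:%Y-%m-%d %H:%M}  {status}")
    print("quarters of 2024 without a review:", missing_quarterly_reviews(REVIEWS, 2024))
```

Feeding real HR and IAM timestamps into `EVENTS` turns this into a recurring evidence check for the R4.2 windows; the review-date check flags a quarter with no R4.1 review on record.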