CIP-004: Cyber Security Illustrative Approach

Entities need to educate users regarding policies and their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.

Cyber security training programs should cover the networking hardware and software, and the other aspects of electronic interconnectivity, that support the operation and control of critical cyber assets. Training concerning a critical cyber asset should cover the electronic environment in which the asset is situated and the vulnerabilities that environment introduces.

Personnel training should be appropriate for an employee’s duties, functions, experience, or access level. Any training information that concerns vulnerabilities should be revealed on a need-to-know basis and not universally.

Newly hired personnel and vendors should not have access to critical cyber assets before a personnel risk assessment has been satisfactorily completed, except in specified circumstances such as an emergency. Current employees and vendors with existing contractual relationships with the entity should have an initial personnel risk assessment completed as soon as reasonably possible, for example, before the date by which the entity must be auditably compliant with this Requirement.

Timely system updates to access rights are important because access to critical cyber assets by employees, contractors, or vendors represents a gap in security when such access is no longer needed.

When an employee, contractor, or vendor no longer performs a function that requires authorized physical or electronic access to a critical cyber asset for any reason (including disciplinary action, transfer, retirement or termination), their access privileges should be revoked immediately. Any need for a brief lag in revoking such privileges must be documented for audit purposes. There may be operational reasons that justify retaining privileges after an employee transfers, but the default procedure should be to cancel access privileges at transfer.
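The two rules above (no access before a satisfactory personnel risk assessment, and revocation when the need ends, with any lag documented) are the kind of thing an access review can check mechanically. The following Python reconciliation is an added example, not text or code from CIP-004 or from this guidance. The personnel records, access grants, asset name "EMS-SCADA", and the field names (`pra_completed`, `separated`, `emergency_exception`, `lag_documented`) are constructed for the example; an entity would populate them from its HR system and its access-control exports.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# All records in this example are constructed sample data, not from any real entity.


@dataclass
class Person:
    uid: str
    pra_completed: Optional[date]       # personnel risk assessment completion; None = not done
    separated: Optional[date]           # date the need for access ended (transfer, termination, ...)
    emergency_exception: bool = False   # documented emergency grant permitted before the PRA


@dataclass
class AccessGrant:
    uid: str
    asset: str
    granted: date
    revoked: Optional[date]             # None = still active
    lag_documented: bool = False        # an audit record justifies a revocation lag


def review_access(people: List[Person], grants: List[AccessGrant], as_of: date,
                  max_lag_days: int = 0) -> List[Tuple[str, str, str]]:
    """Reconcile access grants against personnel records.

    Returns (uid, asset, finding) tuples for grants that violate either rule:
      1. access granted before the PRA was completed (unless an emergency exception is documented)
      2. access still active, or revoked late without an audit record, after separation
    """
    by_uid = {p.uid: p for p in people}
    findings: List[Tuple[str, str, str]] = []
    for g in grants:
        p = by_uid.get(g.uid)
        if p is None:
            # A grant with no matching personnel record cannot have a completed PRA.
            findings.append((g.uid, g.asset, "grant for unknown person"))
            continue

        # Rule 1: no access before PRA completion, unless an emergency exception is on record.
        pra_missing = p.pra_completed is None or g.granted < p.pra_completed
        if pra_missing and not p.emergency_exception:
            findings.append((g.uid, g.asset, "access granted before personnel risk assessment"))

        # Rule 2: access ends when the need ends; any lag needs a documented justification.
        if p.separated is not None and p.separated <= as_of:
            if g.revoked is None:
                lag = (as_of - p.separated).days
                findings.append((g.uid, g.asset, f"active access {lag} days after separation"))
            else:
                lag = (g.revoked - p.separated).days
                if lag > max_lag_days and not g.lag_documented:
                    findings.append((g.uid, g.asset,
                                     f"revocation lagged {lag} days without audit record"))
    return findings


# Constructed sample data.
PEOPLE = [
    Person("alice", date(2023, 1, 10), None),
    Person("bob", date(2023, 2, 1), date(2023, 6, 30)),            # transferred, access left active
    Person("carol", None, None, emergency_exception=True),         # emergency grant, PRA pending
    Person("dave", date(2023, 3, 15), None),                       # PRA finished after access was granted
    Person("erin", date(2023, 1, 5), date(2023, 5, 1)),            # revoked two days late, documented
]
GRANTS = [
    AccessGrant("alice", "EMS-SCADA", date(2023, 1, 15), None),
    AccessGrant("bob", "EMS-SCADA", date(2023, 2, 5), None),
    AccessGrant("carol", "EMS-SCADA", date(2023, 4, 1), None),
    AccessGrant("dave", "EMS-SCADA", date(2023, 3, 1), None),
    AccessGrant("erin", "EMS-SCADA", date(2023, 1, 6), date(2023, 5, 3), lag_documented=True),
    AccessGrant("frank", "EMS-SCADA", date(2023, 1, 1), None),     # no personnel record at all
]
AS_OF = date(2023, 7, 31)


def sample_findings() -> List[Tuple[str, str, str]]:
    return review_access(PEOPLE, GRANTS, AS_OF)


if __name__ == "__main__":
    for uid, asset, finding in sample_findings():
        print(f"{uid:8} {asset:10} {finding}")
```

Run against the sample data, the review flags bob (still active 31 days after transfer), dave (access granted before the PRA completed) and frank (no personnel record), and accepts erin's two-day revocation lag because an audit record is on file. Setting `max_lag_days` above zero lets an entity encode the short, documented lag its procedures allow; the default of zero matches the "revoke immediately" rule.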

In addition, unescorted physical access should be denied to any individual who is not identified on the authorization list.