CIP-007: Cyber Security Sub-Requirements

  • R1.1. The Responsible Entity shall create, implement, and maintain cyber security test procedures ensuring minimal adverse effects on the production system or its operation.
  • R1.2. The Responsible Entity shall document testing procedures to reflect the production environment.
  • R1.3. The Responsible Entity shall document test results.
  • R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
  • R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
  • R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
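As an added example (not part of the standard's text), the following Python script shows one way to evidence R2.1 through R2.3 on a Linux-based Cyber Asset: it parses `ss -Hltunp` output, compares each listening port against a documented per-asset baseline, and reports what must still be disabled (R2.2), what is open but covered by a documented compensating measure (R2.3), and what the baseline says is required but is not actually listening. The sample `ss` output, the baseline dictionary format, and the host/service names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hltunp` output from a hypothetical HMI host.
# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:502    0.0.0.0:* users:(("modbusd",pid=1201,fd=5))
tcp   LISTEN 0 5   127.0.0.1:631  0.0.0.0:* users:(("cupsd",pid=744,fd=7))
tcp   LISTEN 0 128 0.0.0.0:5900   0.0.0.0:* users:(("x11vnc",pid=1333,fd=4))
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:* users:(("snmpd",pid=903,fd=6))
"""

# Assumed per-asset baseline (the R2 documentation). "required" marks a service
# needed for normal or emergency operations (R2.1). A non-required entry carrying
# a compensating_measure records a port that cannot be disabled (R2.3).
BASELINE = {
    ("tcp", 22):    {"required": True,  "purpose": "engineering access via jump host"},
    ("tcp", 502):   {"required": True,  "purpose": "Modbus/TCP polling of PLCs"},
    ("tcp", 20000): {"required": True,  "purpose": "DNP3 outstation"},
    ("udp", 161):   {"required": False, "purpose": "SNMP agent; vendor image cannot disable it",
                     "compensating_measure": "EAP ACL permits only the NMS; read-only community"},
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list:
    """Parse `ss -Hltunp` lines into Listener records (IPv4 and IPv6 local addresses)."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)          # "[::]:22" and "0.0.0.0:22" both split on the last ':'
        m = re.search(r'\("([^"]+)"', line)         # first process name inside users:(("name",pid=..))
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else "unknown"))
    return listeners


def audit(listeners: list, baseline: dict) -> dict:
    """Classify each listener against the baseline and flag required services that are not up."""
    findings = {"required": [], "documented_exception": [], "unauthorized": [], "missing": []}
    seen = set()
    for lst in listeners:
        key = (lst.proto, lst.port)
        seen.add(key)
        entry = baseline.get(key)
        if entry is None or not (entry.get("required") or entry.get("compensating_measure")):
            findings["unauthorized"].append(lst)          # must be disabled before production (R2.2)
        elif entry["required"]:
            findings["required"].append(lst)
        else:
            findings["documented_exception"].append(lst)  # open, but mitigated and documented (R2.3)
    for key, entry in baseline.items():
        if entry.get("required") and key not in seen:
            findings["missing"].append(key)               # documented as required but not listening
    return findings


if __name__ == "__main__":
    result = audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE)
    for category, items in result.items():
        for item in items:
            print(f"{category:20} {item}")
```

Run against the constructed sample, the script reports `cupsd` and `x11vnc` as unauthorized (neither is in the baseline, so R2.2 requires them to be disabled), `snmpd` as a documented exception, and DNP3 on tcp/20000 as missing. The "missing" category is not a CIP-007 finding in itself, but a required service that is not listening is exactly the kind of discrepancy between the documented baseline and the live asset that an audit should surface.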
  • R3.1. The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades.
  • R3.2. The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
  • R4.1. The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
  • R4.2. The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention “signatures.” The process must address testing and installation of the signatures.
  • R5.1. The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to the work functions performed.
    • R5.1.1. The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003 Requirement R5.
    • R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
    • R5.1.3. The Responsible Entity shall review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP-003 Requirement R5 and Standard CIP-004 Requirement R4.
  • R5.2. The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.
    • R5.2.1. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.
    • R5.2.2. The Responsible Entity shall identify the individuals with access to shared accounts.
    • R5.2.3. Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).
  • R5.3. At a minimum, the Responsible Entity shall require and use passwords, subject to the following, depending on feasibility:
    • R5.3.1. Each password shall be a minimum of six characters.
    • R5.3.2. Each password shall consist of a combination of alphanumeric and “special” characters.
    • R5.3.3. Each password shall be changed at least annually or more frequently based on the risk.
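As an added example (not part of the standard's text), the following Python code turns the account and password sub-requirements above into two checks a Responsible Entity could run: `password_violations` is applied when a password is set, enforcing the R5.3.1 and R5.3.2 floors, and `review_accounts` is the periodic review of R5.1.3 over an account inventory, flagging enabled factory default accounts whose vendor password was never replaced (R5.2.1), shared accounts with no identified individuals (R5.2.2), and passwords older than the annual limit (R5.3.3). The six-character and 365-day constants are the standard's stated minimums; they are parameters here so they can be raised. The inventory, account names, and field layout are constructed for illustration.

```python
import string
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The standard's floors (R5.3.1 and R5.3.3). Treat them as the minimum an asset
# must meet and raise them where the platform allows.
MIN_LENGTH = 6
MAX_AGE_DAYS = 365


def password_violations(password: str, min_length: int = MIN_LENGTH) -> list:
    """Check a candidate password at set time against R5.3.1 and R5.3.2."""
    problems = []
    if len(password) < min_length:
        problems.append(f"R5.3.1: fewer than {min_length} characters")
    has_alnum = any(c.isalnum() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alnum and has_special):
        problems.append("R5.3.2: must combine alphanumeric and special characters")
    return problems


@dataclass
class Account:
    name: str
    kind: str                          # "individual", "shared" or "default" (factory account)
    enabled: bool
    password_changed: Optional[date]   # None means never changed since provisioning
    default_password_replaced: bool = True
    authorized_users: tuple = ()       # R5.2.2: individuals identified for a shared account


def review_accounts(accounts, today: date, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Periodic account review (R5.1.3): return findings keyed by account name."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct.enabled:
            findings[acct.name] = issues   # a disabled default account already satisfies R5.2.1
            continue
        if acct.kind == "default" and not acct.default_password_replaced:
            issues.append("R5.2.1: factory default account enabled with vendor password")
        if acct.kind == "shared" and not acct.authorized_users:
            issues.append("R5.2.2: shared account with no identified individuals")
        if acct.password_changed is None:
            issues.append("R5.3.3: password never changed since provisioning")
        elif (today - acct.password_changed).days > max_age_days:
            issues.append(f"R5.3.3: password older than {max_age_days} days")
        findings[acct.name] = issues
    return findings


# Constructed inventory for a hypothetical substation gateway.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Account("jdoe", "individual", True, date(2024, 1, 15)),
    Account("admin", "default", True, None, default_password_replaced=False),
    Account("root", "default", False, None, default_password_replaced=False),
    Account("hmi_operator", "shared", True, date(2023, 2, 1)),
    Account("relay_tech", "shared", True, date(2024, 3, 3), authorized_users=("asmith", "bkhan")),
]

if __name__ == "__main__":
    for name, issues in review_accounts(INVENTORY, TODAY).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

On the constructed inventory the review flags `admin` (enabled, vendor password in place, never rotated) and `hmi_operator` (shared with nobody identified, password over a year old), while `root` passes because it is disabled and `relay_tech` passes because its users are identified and its password is current. The review records the outcome per account so the output can serve as the R5.1.3 review record.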
  • R6.1. The Responsible Entity shall implement and document the organizational processes, and technical and procedural mechanisms for monitoring security events on all Cyber Assets within the Electronic Security Perimeter.
  • R6.2. The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents.
  • R6.3. The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008.
  • R6.4. The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days.
  • R6.5. The Responsible Entity shall review logs of system events related to cyber security and maintain records documenting review of logs.
  • R7.1. Prior to the disposal of such assets, the Responsible Entity shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.
  • R7.2. Prior to redeployment of such assets, the Responsible Entity shall, at a minimum, erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.
  • R7.3. The Responsible Entity shall maintain records that such assets were disposed of or redeployed in accordance with documented procedures.