CIP-003: Cyber Security Illustrative Approach

Senior management should support ongoing security policy awareness and compliance. Management and employees must remain alert to operational changes that could affect security and actively communicate issues to security personnel. Business line managers are responsible and accountable for maintaining the security of their personnel, systems, facilities, and information. Everyone must be kept aware and educated, because the threats and vulnerabilities that can affect safe, sound, and secure day-to-day operations change over time. Entities must monitor compliance with security policies and investigate security violations.

Before an effective information security program can be created, each agency must identify and list its critical assets and critical cyber assets through a risk-based assessment methodology as defined in CIP-002. This process involves the gathering of asset information from all business units within the entity. Each asset on this list must then be classified based on the magnitude of harm or inconvenience that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of the asset to the entity and the safety of its information. Typical classification levels used in describing cyber assets include:

  • Public - Information that may be safely released to the general public. Examples include outage statistics and estimated restoration time. This level also includes information to be disclosed to the public, such as financial results.
  • Proprietary - Information that may be obtained by an employee but should not be released to the public. Examples may include organization charts, telephone lists, or budget information.
  • Sensitive - Information that may contribute to understanding or identifying an essential system. Examples may include operational procedures, lists of assets, network diagrams, floor plans, equipment layouts, and disaster recovery plans.
  • Confidential - Information that significantly enhances the probability of a successful compromise of an essential system. Examples may include incident response plans, security configurations, password lists, and results of physical or cyber vulnerability assessments.

After all cyber assets are identified and classified, the agency must identify and prioritize all known and unknown threats and vulnerabilities that pose information security risks and could affect its cyber assets. Then (and only then) can the entity create, monitor, and enforce adequate policies, procedures and controls that cost-effectively reduce information security risks to an acceptable level throughout the entity’s networks, facilities, and the life cycle of each information system or groups of information systems, as appropriate.

Examples for such security policies and controls include access controls and change management controls.

  • Access Controls – Each entity should control access to protected information. The access restrictions should be consistent with the asset classification levels that are established, for example, public, proprietary, sensitive, or confidential. The following list describes some commonly used access levels:
    • Public access level allows read-only access. Write permissions should only be granted to those authorized to modify information.
    • Proprietary access level restricts access to employees only. Access to contractors and third parties is permitted only under a signed nondisclosure agreement (NDA).
    • Sensitive access level allows access to be granted to employees, contractors with an NDA, and third parties with an NDA. Access may be granted to groups of sensitive documents or to all sensitive documents.
    • Confidential access must be given only to personnel with a need-to-know requirement. Contractors or third parties with a need for confidential information should be granted access only after legal review of the NDA to ensure that the NDA is sufficient for this level of access. Access should be granted only to individual applications, databases, or files for a defined time period. When the time period expires, the access privilege should be reviewed and renewed only if still needed.
  • Change Control and Configuration Management – These controls ensure that only authorized and fully tested software is placed in operation. They also limit and monitor access to powerful programs and sensitive files associated with computer operations. They are important in providing reasonable assurance that access controls are not compromised and that the system will not be impaired. This includes patch management to mitigate the risks of software vulnerabilities.

Policy monitoring is accomplished by implementing system or security software that provides an audit trail with logs of all system activity. Entities should configure that software to collect and maintain audit trails sufficient to track all security-relevant events.
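The access levels listed above and the audit trail just described, encoded as a single authorization check. This is an added example, not text or code from the CIP-003 guidance; the principal and grant attributes (employee/contractor/third-party kind, NDA flags, need-to-know and sensitive-group lists, expiry date) are assumptions chosen to mirror the page's rules, and the audit trail is an in-memory list standing in for a real log.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Classification levels named on this page, least to most restrictive.
LEVELS = ("public", "proprietary", "sensitive", "confidential")

@dataclass
class Principal:
    name: str
    kind: str                               # "employee", "contractor" or "third_party"
    nda_signed: bool = False
    nda_legal_reviewed: bool = False        # legal confirmed the NDA suffices for confidential data
    need_to_know: frozenset = frozenset()   # confidential asset ids this person is cleared for
    sensitive_groups: frozenset = frozenset()  # sensitive document groups, or {"all"}
    may_modify: frozenset = frozenset()     # asset ids this person is authorized to write

@dataclass
class Grant:
    asset_id: str
    level: str
    group: str = ""                         # document group for sensitive assets
    expires: Optional[date] = None          # confidential access must be time-boxed

AUDIT: list = []                            # constructed audit trail: one record per decision

def check_access(p: Principal, g: Grant, today: date, write: bool = False) -> bool:
    """Apply the page's per-level rules; every decision is appended to AUDIT."""
    allowed, why = False, "unknown classification"
    if g.level == "public":
        # Anyone may read; writing needs explicit authorization to modify.
        allowed = (not write) or g.asset_id in p.may_modify
        why = "public: read-only unless authorized to modify"
    elif g.level == "proprietary":
        allowed = p.kind == "employee" or p.nda_signed
        why = "proprietary: employees, or contractors/third parties under NDA"
    elif g.level == "sensitive":
        covered = "all" in p.sensitive_groups or g.group in p.sensitive_groups
        allowed = (p.kind == "employee" or p.nda_signed) and covered
        why = "sensitive: employee or NDA holder, cleared for this document group"
    elif g.level == "confidential":
        nda_ok = p.kind == "employee" or (p.nda_signed and p.nda_legal_reviewed)
        in_date = g.expires is not None and today <= g.expires   # expired => review/renew
        allowed = nda_ok and in_date and g.asset_id in p.need_to_know
        why = "confidential: need-to-know, legally reviewed NDA, unexpired time-boxed grant"
    AUDIT.append({"who": p.name, "asset": g.asset_id, "level": g.level, "write": write,
                  "allowed": allowed, "reason": why, "date": today.isoformat()})
    return allowed
```

An expired confidential grant is denied rather than silently extended, so the audit record itself flags the review-and-renew step the page calls for.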

The security risk management practices must include the following automated capabilities:

  • Asset identification and classification
  • Risk assessment
  • Risk-based policy and procedure implementation
  • Cost-effective implementation of risk-based controls
  • Real-time vulnerability assessment, monitoring, and alert generation

Security risk management and CIP compliance are business problems that need to be addressed by an enterprise-wide methodology that leverages the right people, practices, and technology on a continuous basis, not on a limited, point-in-time project basis. A static and incomplete security program provides a false sense of security and becomes increasingly ineffective over time. Monitoring and updating the security program is an important part of the ongoing cyclical security process. Entities should continuously gather and analyze information regarding: critical cyber assets; new threats and vulnerabilities; actual attacks on the organization, its assets, and its interlinked business partners; and the effectiveness of the existing security controls.

Deploying a series of diverse security technologies at multiple layers helps to mitigate the risk of successful cyber attacks. Technology solutions can add significant value in jump-starting information security risk management initiatives built on best practice.