CIP-005-5 Audit Approach
CIP Version 5 Workshop
October 1-2, 2015
Bob Yates, CISSP, MBA - Principal Technical Auditor
Rhonda Bramer, CISSP, CISA, CISM, CRISC, GSEC - Senior CIP Auditor
Forward Together • ReliabilityFirst 2
CIP-005-5 R1 General Audit Approach
Audit to the requirements and Applicability.
Use the following for guidance:
• Guidelines and Technical Basis
• V5 Transition Advisory Group Lessons Learned
• V5 Transition Advisory Group Frequently Asked Questions
CIP-005-5 R1 Part 1.1
Audit Approach
• Verify the entity has documented one or more processes.
• For each sampled BES Cyber System, verify each associated BES Cyber Asset and Cyber Asset that is connected to a network via a routable protocol resides within a defined ESP.
• For each ESP associated with a sampled BES Cyber System, verify all devices residing within the ESP are identified.
• For each ESP associated with a sampled BES Cyber System, verify each device residing within the ESP is properly classified as:
‒ A component of the highest-rated BES Cyber System within the ESP, or
‒ A PCA associated with the highest-rated BES Cyber System within the ESP.
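An added example, not from the ReliabilityFirst deck, of how an auditor or the entity's own compliance staff could run the Part 1.1 checks over an asset inventory before the site visit: every routable BCA or PCA must fall inside a defined ESP, and every device inside an ESP must be classified. The ESP names, address ranges and inventory records are constructed for illustration.

```python
# Added example (not from the ReliabilityFirst deck): CIP-005-5 R1 Part 1.1
# checks over a constructed inventory. ESP names/subnets and devices are assumptions.
import ipaddress

# Constructed sample: the entity's defined ESPs, one routable subnet each.
ESPS = {
    "ESP-ControlCenter": ipaddress.ip_network("10.10.1.0/24"),
    "ESP-SubstationA": ipaddress.ip_network("10.20.5.0/26"),
}

# Constructed sample inventory. 'routable' = connected to a network via a routable
# protocol; 'cls' = the entity's classification of the device (BCA, PCA or blank).
INVENTORY = [
    {"name": "EMS-SRV-01", "ip": "10.10.1.10",  "routable": True,  "cls": "BCA"},
    {"name": "HIST-01",    "ip": "10.10.1.20",  "routable": True,  "cls": "PCA"},
    {"name": "RTU-A-01",   "ip": "10.20.5.7",   "routable": True,  "cls": "BCA"},
    {"name": "PRINTER-A",  "ip": "10.20.5.9",   "routable": True,  "cls": ""},     # unclassified, inside ESP
    {"name": "RELAY-A-12", "ip": "192.168.9.4", "routable": True,  "cls": "BCA"},  # routable BCA outside every ESP
    {"name": "RELAY-A-13", "ip": "",            "routable": False, "cls": "BCA"},  # serial-only, no ESP required
]

def esp_of(ip):
    """Return the name of the ESP whose address space contains ip, or None."""
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    for name, net in ESPS.items():
        if addr in net:
            return name
    return None

def audit_part_1_1(inventory):
    """Return findings as (asset name, issue) tuples; empty list means no exceptions."""
    findings = []
    for dev in inventory:
        esp = esp_of(dev["ip"])
        # Check 1: a BCA/PCA connected via a routable protocol must reside within a defined ESP.
        if dev["routable"] and dev["cls"] in ("BCA", "PCA") and esp is None:
            findings.append((dev["name"], "routable asset not within any defined ESP"))
        # Check 2: every device residing within an ESP must be classified as BCA or PCA.
        if esp is not None and dev["cls"] not in ("BCA", "PCA"):
            findings.append((dev["name"], f"device in {esp} not classified as BCA or PCA"))
    return findings

if __name__ == "__main__":
    for asset, issue in audit_part_1_1(INVENTORY):
        print(f"{asset}: {issue}")
```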
Types of Evidence
• Lists of BCAs and PCAs within each ESP
• Detailed ESP Diagrams showing BCAs and PCAs
• Site visits to verify ESPs
CIP-005-5 R1 Part 1.2
Audit Approach
• Verify the entity has documented one or more processes.
• For each ESP associated with a sampled BES Cyber System, verify that all EAPs have been identified.
Types of Evidence
• Lists of EAPs and associated ESP
• Detailed ESP Diagrams showing all EAPs
• Site visits to verify EAPs
CIP-005-5 R1 Part 1.3
Audit Approach
• Verify the entity has documented one or more processes.
• Verify inbound and outbound access permissions are implemented.
• Verify each inbound and each outbound permission includes the reason for granting access.
• Verify inbound and outbound access is denied by default.
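An added example, not from the deck, that applies the Part 1.3 checks to a constructed EAP firewall rule export: every permit must carry a documented reason, each direction must end in an explicit deny, and, going one step beyond the slide, permits to any destination or any service are flagged because they undermine deny-by-default. The export format, rule values and change-request references are assumptions.

```python
# Added example (not from the ReliabilityFirst deck): CIP-005-5 R1 Part 1.3 review
# of a constructed EAP rule export. The CSV layout and rule values are assumptions.
import csv
import io

# Constructed sample export for one EAP, rules listed in evaluation order.
RULE_EXPORT = """\
id,direction,src,dst,service,action,reason
10,inbound,10.50.0.5,10.10.1.10,tcp/3389,permit,Interactive Remote Access from Intermediate System (CR-1042)
20,inbound,10.50.0.0/24,10.10.1.0/24,tcp/22,permit,
30,outbound,10.10.1.20,10.50.0.9,tcp/443,permit,Historian replication to corporate (CR-0987)
40,outbound,10.10.1.0/24,any,any,permit,Temporary troubleshooting
50,inbound,any,any,any,deny,Default deny
"""

def load_rules(text):
    """Parse the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def audit_part_1_3(rules):
    """Return findings as (rule id, issue) tuples; an empty list means all checks passed."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        # Each inbound and outbound permission must include the reason for granting access.
        if not r["reason"].strip():
            findings.append((r["id"], "permit rule has no documented reason"))
        # A permit to 'any' destination or 'any' service is not a specific permission
        # and effectively removes deny-by-default for that direction.
        if r["dst"] == "any" or r["service"] == "any":
            findings.append((r["id"], f"{r['direction']} permit is overly broad (any dst/service)"))
    # Access must be denied by default: the last rule in each direction must be deny any->any.
    for direction in ("inbound", "outbound"):
        last = [r for r in rules if r["direction"] == direction][-1:]
        if (not last or last[0]["action"] != "deny"
                or last[0]["src"] != "any" or last[0]["dst"] != "any"):
            findings.append(("-", f"no terminal deny-any rule for {direction} traffic"))
    return findings

if __name__ == "__main__":
    for rule_id, issue in audit_part_1_3(load_rules(RULE_EXPORT)):
        print(f"rule {rule_id}: {issue}")
```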
Types of Evidence
• Lists of access permissions (firewall rules, access control lists, etc.)
• Screen shots of access permissions
• Documented reason for each rule
CIP-005-5 R1 Part 1.4
Audit Approach
• Verify the entity has documented one or more processes.
• For each Cyber Asset accessible via Dial-up Connectivity, verify authentication is performed when establishing a connection, or that an approved TFE covers the device.
• If a TFE is applicable to a device, verify the compensating measures identified by the TFE are in place.
Types of Evidence
• List of Cyber Assets with dial-up capability
• Description and screenshots of authentication method
• TFEs
• Evidence of compensating and mitigating measures
• Site visits
CIP-005-5 R1 Part 1.5
Audit Approach
• Verify the entity has documented one or more processes.
• For each EAP, verify the entity has implemented at least one method for detecting known or suspected malicious communications for both inbound and outbound communications.
Types of Evidence
• List of IDS/IPS Devices
• IDS/IPS Device Configurations
• Distinct security measure (Dual protection architecture)
• Site Visits
CIP-005-5 R2.1
Audit Approach
• Verify the entity has documented one or more processes.
• Verify Interactive Remote Access is configured to utilize an Intermediate System, or that an approved TFE covers this circumstance.
• Verify no applicable Cyber Assets are directly accessible from assets outside an ESP, other than through an Intermediate System, or that an approved TFE covers this circumstance.
• If a TFE covers one or more of these issues, verify the compensating measures identified by the TFE are in place.
Types of Evidence
• Network Diagrams
• Architecture Documents
• Screenshots of configurations
• Lists of access rules (firewall rules, access control lists, etc.)
• TFEs
• Evidence of compensating and mitigating measures
• Site Visits
CIP-005-5 R2.2
Audit Approach
• Verify the entity has documented one or more processes.
• Verify all Interactive Remote Access utilizes encryption that terminates at an Intermediate System, or that an approved TFE covers this circumstance.
• If a TFE covers one or more of these issues, verify the compensating measures identified by the TFE are in place.
Types of Evidence
• Network Diagrams
• Architecture Documents
• Screenshots of configurations
• TFEs
• Evidence of compensating and mitigating measures
• Site Visits
CIP-005-5 R2.3
Audit Approach
• Verify the entity has documented one or more processes which address this Part.
• Verify all Interactive Remote Access sessions require multi-factor authentication, or that an approved TFE covers this circumstance.
• If a TFE covers one or more of these issues, verify the compensating measures identified by the TFE are in place.
Types of Evidence
• Network Diagrams
• Architecture Documents
• Screenshots of multi-factor authentication
• TFEs
• Evidence of compensating and mitigating measures
• Site Visits
Questions & Answers