North American Electric Reliability Corporation (NERC) Compliance

NERC is a not-for-profit organization whose mission is "to ensure the reliability of the bulk power system in North America." All bulk power systems must comply with approved NERC standards. NERC has approved numerous standards, including the Critical Infrastructure Protection (CIP) Cyber Security Standards.

SAINT has extensive experience helping organizations assess, improve, and document the security posture of their infrastructure. The table below identifies the NERC CIP standards and describes how SAINT can help achieve NERC compliance.

NERC CIP Standards and how SAINT can help achieve NERC compliance:

CIP–002–1
Critical Cyber Asset Identification
All network assets must be audited to identify Critical Cyber Assets. A risk-based assessment methodology should be utilized with annual reviews.

How SAINT can help:
  • The SAINT scanner can assess your network to identify all assets and services running.
  • The SAINT team can regularly audit your IT systems to identify assets.

CIP–003–1
Security Management Controls
Policies with adherence monitoring and change control must be documented and in place, and change control policies and processes must be followed. Access control levels for critical assets, such as Internet-facing systems and critical backend solutions, must be defined and documented. Solutions should be in place to mitigate risks. These requirements mandate having minimum security management controls in place to protect Critical Cyber Assets.

How SAINT can help:
  • The SAINT team can evaluate your security management controls and security policies to identify gaps and recommend changes.

CIP–004
Personnel and Training
Employees should be trained on policies, access controls and general awareness issues around Social Engineering. Background checks should be performed on all users with access to computer assets.

How SAINT can help:
  • SAINTexploit includes social engineering and phishing assessment functionality.
  • The SAINT team provides security awareness training.
  • The SAINT team can review your Personnel and Training policies to identify weaknesses and recommend corrective actions.
  • The SAINT team can provide social engineering assessments as part of your personnel security training.

CIP–005
Electronic Security Perimeter(s)
An Electronic Security Perimeter should be established that provides the following:

  • Disable ports and services that are not required
  • Monitor and log access 24x7x365
  • Perform annual vulnerability assessments (at a minimum)
  • Document network changes

How SAINT can help:
  • The SAINT scanner lets you perform the required annual vulnerability assessment.
  • The SAINT scanner will assess your network to identify all ports and services.
  • The SAINT team can perform the required Annual Vulnerability Assessments, as well as help you identify your Critical Cyber Assets and evaluate your Electronic Security Perimeter.

CIP–006–1
Physical Security
Physical Security controls should be documented and implemented that provide perimeter monitoring and logging along with robust access controls. All cyber assets used for Physical Security are considered Critical and should be treated as such.

How SAINT can help:
  • The SAINT team can assess and document your physical security controls, identify weaknesses, and recommend corrective action.

CIP–007–1
Systems Security Management
All methods, processes and procedures for securing Critical Assets and all technology solutions should be well-defined and include automated controls. System and network events should be monitored automatically with alerts sent to key personnel. An annual vulnerability assessment should be performed.

How SAINT can help:
  • The SAINT team can provide annual vulnerability assessment and penetration testing.

CIP–008–1
Incident Reporting and Response Planning
All cyber security incidents should be handled by an internal computer incident response team (CIRT) and reported to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

How SAINT can help:
  • The SAINT team can work with you to develop your Incident Response Plan and ensure that it exceeds minimum CIP requirements.

CIP–009–1
Recovery Plans for Critical Cyber Assets
A disaster recovery plan should be created and tested with annual drills.

How SAINT can help:
  • The SAINT team can develop your Disaster Recovery Plan.
  • The SAINT team can assist you with annual drills.