CIP-003-4 R5 in the IT Foundation
CIP-003-4 is focused on Security Management Controls. Section R5 is titled “Access Control” and is further defined as:
Access Control — The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
R5.2. The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities.
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information.
This is an area where policies often end up being supported in a piecemeal fashion with multiple tools, processes, and practices. That is hard to oversee and maintain, and it injects a significant degree of risk into the practice. This is an important area for IT Foundation Management.
IT Foundation Management flips that on its head with a comprehensive role-based access and control model for all privileged users who are authorized to access the IT Foundation. The access management program should be directly deployed in the IT Foundation Management software so that it can implement and enforce the access management program at the IT Foundation level.
In all cases, IT Foundation Management maintains a definitive record of personnel who are able to authorize access to systems managed by the software, including which assets they can access and which privileges they have been granted. This information is readily accessible in the IT Foundation Management software for auditing and reporting purposes.
Access privileges, access activity (logon, logoff), and activity (commands) while accessing assets are all captured automatically by IT Foundation Management and can be used to review and validate that access privileges are consistent with policy.
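As an added illustration, not code from IT Foundation Management or from the original post, the following Python sketch runs the three R5 review checks over constructed sample records: the R5.1 authorizer list against the annual verification requirement (R5.1.2), provisioned privileges against role entitlements (R5.2), and captured session activity against the grants on record. All names, roles, assets and dates are invented.

```python
from datetime import date

REVIEW_DATE = date(2024, 6, 1)   # constructed "as of" date for the annual review

# Constructed sample records (not from any real system): the R5.1 authorizer
# list, the provisioned privilege grants, and a slice of captured activity.
AUTHORIZERS = [
    {"name": "A. Ramirez", "title": "SCADA Supervisor",
     "information": "substation relay configs", "last_verified": date(2023, 3, 1)},
    {"name": "J. Chen", "title": "Network Lead",
     "information": "ESP firewall rulesets", "last_verified": date(2024, 1, 15)},
]
ROLE_ENTITLEMENTS = {            # what each role is allowed on a managed asset
    "relay_tech": {"view", "login"},
    "net_admin": {"view", "login", "config_write"},
}
GRANTS = [                       # per-user privileges as actually provisioned
    {"user": "bsmith", "role": "relay_tech", "asset": "RTU-07",
     "privileges": {"view", "login", "config_write"}},   # exceeds the role
    {"user": "kpatel", "role": "net_admin", "asset": "FW-ESP-01",
     "privileges": {"view", "login", "config_write"}},
]
ACTIVITY = [                     # captured logon/command events
    {"user": "kpatel", "asset": "FW-ESP-01", "event": "logon"},
    {"user": "mlee", "asset": "RTU-07", "event": "command"},  # no grant on record
]

def overdue_verifications(authorizers, as_of, max_age_days=365):
    """R5.1.2: authorizer entries not verified within the last year."""
    return [a["name"] for a in authorizers
            if (as_of - a["last_verified"]).days > max_age_days]

def privilege_deviations(grants, entitlements):
    """R5.2: privileges granted beyond what the user's role entitles."""
    findings = []
    for g in grants:
        extra = g["privileges"] - entitlements.get(g["role"], set())
        if extra:
            findings.append((g["user"], g["asset"], sorted(extra)))
    return findings

def activity_without_grant(activity, grants):
    """Activity on an asset by a user who has no provisioned grant for it."""
    granted = {(g["user"], g["asset"]) for g in grants}
    return sorted({(e["user"], e["asset"]) for e in activity
                   if (e["user"], e["asset"]) not in granted})

if __name__ == "__main__":
    print("overdue verifications:", overdue_verifications(AUTHORIZERS, REVIEW_DATE))
    print("privilege deviations:", privilege_deviations(GRANTS, ROLE_ENTITLEMENTS))
    print("activity without grant:", activity_without_grant(ACTIVITY, GRANTS))
```

Each finding is an item for the annual review: an authorizer entry to re-verify, a grant to trim back to its role, or an access path that exists without a recorded grant.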
This is another example of directly implementing policy into supporting technology to ensure policy is executed properly at all times with a comprehensive, and automatically generated, audit trail. While this is a recurring theme in the discussion of IT Foundation Management for the Utility sector, this particular section is comprehensively covered by IT Foundation Management over the entire IT Foundation.