NERC CIP-002 through CIP-014 Revision 6_CIP-004-6 R5

Lionfish Cyber Security | January 24th 2023 |

NERC CIP-002 through CIP-014 Revision 6

Access Revocation

CIP-004-6 R5

R5. Each Responsible Entity shall implement one or more documented access revocation program(s) that collectively include each of the applicable requirement parts in CIP-004-6 Table R5 ? Access Revocation. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Planning].

M5. Evidence must include each of the applicable documented programs that collectively include each of the applicable requirement parts in CIP-004-6 Table R5– Access Revocation and additional evidence to demonstrate implementation as described in the Measures column of the table.CIP-004-6 Table R5– Access Revocation Part Applicable Systems Requirements Measures 5.1 High Impact BES Cyber Systems and their associated: EACMS; andPACSMedium Impact BES Cyber Systems with External Routable Connectivity and their associated: EACMS; andPACSA process to initiate removal of an individuals ability for unescorted physical access and Interactive Remote Access upon a termination action and complete the removals within 24 hours of the termination action (Removal of the ability for access may be different than deletion disabling revocation or removal of all access rights). An example of evidence may include but is not limited to documentation of all of the following: Dated workflow or sign-off form verifying access removal associated with the termination action; andLogs or other demonstration showing such persons no longer have access.CIP-004-6 Table R5– Access Revocation Part Applicable Systems Requirements Measures 5.2 High Impact BES Cyber Systems and their associated: EACMS; andPACSMedium Impact BES Cyber Systems with External Routable Connectivity and their associated: EACMS; andPACSFor reassignments or transfers revoke the individuals authorized electronic access to individual accounts and authorized unescorted physical access that the Responsible Entity determines are not necessary by the end of the next calendar day following the date that the Responsible Entity determines that the individual no longer requires retention of that access. An example of evidence may include but is not limited to documentation of all of the following: Dated workflow or sign-off form showing a review of logical and physical access; andLogs or other demonstration showing such persons no longer have access that theResponsible Entity determines is not necessary.CIP-004-6 Table R5– Access Revocation Part Applicable Systems Requirements Measures 5.3 High Impact BES Cyber Systems and their associated: EACMS; andPACSMedium Impact BES Cyber Systems with External Routable Connectivity and their associated: EACMS; andPACSFor termination actions revoke the individuals access to the designated storage locations for BES Cyber System Information whether physical or electronic (unless already revoked according to Requirement R5.1) by the end of the next calendar day following the effective date of the termination action. An example of evidence may include but is not limited to workflow or signoff form verifying access removal to designated physical areas or cyber systems containing BES Cyber System Information associated with the terminations and dated within the next calendar day of the termination action. CIP-004-6 Table R5– Access Revocation Part Applicable Systems Requirements Measures 5.4 High Impact BES Cyber Systems and their associated: EACMSFor termination actions revoke the individuals non-shared user accounts (unless already revoked according to Parts 5.1 or 5.3) within 30 calendar days of the effective date of the termination action. An example of evidence may include but is not limited to workflow or signoff form showing access removal for any individual BES Cyber Assets and software applications as determined necessary to completing the revocation of access and dated within thirty calendar days of the termination actions. CIP-004-6 Table R5– Access Revocation Part Applicable Systems Requirements Measures 5.5 High Impact BES Cyber Systems and their associated: EACMSFor termination actions change passwords for shared account(s) known to the user within 30 calendar days of the termination action. For reassignments or transfers change passwords for shared account(s) known to the user within 30 calendar days following the date that the Responsible Entity determines that the individual no longer requires retention of that access. If the Responsible Entity determines and documents that extenuating operating circumstances require a longer time period change the password(s) within 10 calendar days following the end of the operating circumstances. Examples of evidence may include but are not limited to: Workflow or sign-off form showing password reset within 30 calendar days of the termination;Workflow or sign-off form showing password reset within 30 calendar days of the reassignments or transfers; orDocumentation of the extenuating operating circumstance and workflow or sign-off form showing password reset within 10 calendar days following the end of the operating circumstance.

 

Click here to Start your FREE trial today!

Explainer video

 

What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:

Click here to Start your FREE trial today!

Explainer video