NERC CIP-002 through CIP-014 Revision 6_CIP-007-6 4.2

NERC CIP-002 through CIP-014 Revision 6

Security Event Monitoring

CIP-007-6 4.2

4.2 Generate alerts for security events that the Responsible Entity determines necessitates an alert that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability): 4.2.1. Detected malicious code from Part 4.1; and 4.2.2. Detected failure of Part 4.1 event logging.

M4. Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R4 – Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-007-6 Table R4 – Security Event Monitoring

Part 4.1
Applicable Systems: High Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA. Medium Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA.
Requirements: Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events: 4.1.1. Detected successful login attempts; 4.1.2. Detected failed access attempts and failed login attempts; 4.1.3. Detected malicious code.
Measures: Examples of evidence may include, but are not limited to, a paper or system generated listing of event types for which the BES Cyber System is capable of detecting and, for generated events, is configured to log. This listing must include the required types of events.

Part 4.2
Applicable Systems: High Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: EACMS; PACS; and PCA.
Requirements: Generate alerts for security events that the Responsible Entity determines necessitates an alert that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability): 4.2.1. Detected malicious code from Part 4.1; and 4.2.2. Detected failure of Part 4.1 event logging.
Measures: Examples of evidence may include, but are not limited to, paper or system generated listing of security events that the Responsible Entity determined necessitate alerts, including paper or system generated list showing how alerts are configured.

Part 4.3
Applicable Systems: High Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA. Medium Impact BES Cyber Systems at Control Centers and their associated: EACMS; PACS; and PCA.
Requirements: Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
Measures: Examples of evidence may include, but are not limited to, documentation of the event log retention process and paper or system generated reports showing log retention configuration set at 90 days or greater.

Part 4.4
Applicable Systems: High Impact BES Cyber Systems and their associated: EACMS; and PCA.
Requirements: Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
Measures: Examples of evidence may include, but are not limited to, documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred.
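Added example, not part of the NERC standard or of any vendor platform: a minimal check that turns collector records into the two alert types Part 4.2 requires, 4.2.1 (detected malicious code) and 4.2.2 (failure of Part 4.1 event logging, here modelled as an expected source that goes silent). The asset names, event type strings and the one-hour silence threshold are constructed assumptions; a real deployment would tune them per Cyber Asset capability.

```python
from datetime import datetime, timedelta

# Constructed sample: one record per event received by a central log collector.
# Fields: ISO timestamp, source Cyber Asset, event type mapped to Part 4.1.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "ems-hmi-01", "login_success"),   # 4.1.1
    ("2024-03-01T08:05:00", "ems-hmi-01", "login_failed"),    # 4.1.2
    ("2024-03-01T08:07:00", "rtu-gw-02", "login_success"),
    ("2024-03-01T09:30:00", "ems-hmi-01", "malicious_code"),  # 4.1.3
    ("2024-03-01T10:00:00", "ems-hmi-01", "login_success"),
    # rtu-gw-02 sends nothing after 08:07: candidate logging failure (4.2.2)
]

# Assets the Responsible Entity expects to report (assumed inventory).
EXPECTED_SOURCES = {"ems-hmi-01", "rtu-gw-02"}


def evaluate_alerts(events, expected_sources, now_iso, silence_hours=1):
    """Return a sorted list of (part, asset, detail) alerts.

    4.2.1: every 'malicious_code' event alerts immediately.
    4.2.2: an expected source with no event within silence_hours of now,
           or never seen at all, is treated as a failure of event logging.
    """
    now = datetime.fromisoformat(now_iso)
    threshold = timedelta(hours=silence_hours)  # assumed site-specific value
    alerts, last_seen = [], {}
    for ts, asset, etype in events:
        t = datetime.fromisoformat(ts)
        last_seen[asset] = max(t, last_seen.get(asset, t))
        if etype == "malicious_code":
            alerts.append(("4.2.1", asset, f"malicious code detected at {ts}"))
    for asset in sorted(expected_sources):
        seen = last_seen.get(asset)
        if seen is None:
            alerts.append(("4.2.2", asset, "no events ever received"))
        elif now - seen > threshold:
            alerts.append(("4.2.2", asset, f"silent since {seen.isoformat()}"))
    return sorted(alerts)


if __name__ == "__main__":
    for part, asset, detail in evaluate_alerts(
        SAMPLE_EVENTS, EXPECTED_SOURCES, "2024-03-01T10:05:00"
    ):
        print(f"ALERT CIP-007-6 Part {part} [{asset}] {detail}")
```

The silence check is the part most often missed: a source that stops sending produces no event to match on, so the alert has to come from the absence of records, not from their content.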


What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including: