- Who should have access to what?
- Who does have access to what?
- Who could have access to what?
- Who did have access to what?
- Can we sustain our primary mission if everything fails?
If you can answer all of these questions and have the data to back it up, you have a good grasp on complying with the NERC CIP standards. If you cannot answer these questions, take a hard look at getting software to automate change management, and watch our webinar to learn more.
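The first, second and fourth questions can be answered by reconciling three data sets against each other: the approved entitlements (who should), the accounts actually present on each system (who does), and the successful logins recorded in the access log (who did). The following is an added example, not code from the original post or from any NERC CIP product; the users, systems and log lines are constructed sample data, and the "who could" question (network exposure) is not modelled.

```python
"""Added example (not from the original post or any NERC CIP tool): a small
reconciliation of "who should", "who does" and "who did" have access.
All users, systems and timestamps below are constructed sample data."""


# "Who should have access to what": approved entitlements (constructed).
SHOULD = {
    ("alice", "ems-scada"),
    ("bob", "ems-scada"),
    ("carol", "historian"),
}

# "Who does have access to what": accounts found by scanning the systems (constructed).
DOES = {
    ("alice", "ems-scada"),
    ("bob", "ems-scada"),
    ("bob", "historian"),    # provisioned, but no approved entitlement
    ("dave", "historian"),   # departed contractor whose account was never removed
}

# "Who did have access to what": authentication log lines (constructed),
# in the form "<ISO-8601 time> <user> <system> <result>".
ACCESS_LOG = """\
2024-03-01T08:00:00Z alice ems-scada success
2024-03-02T22:15:00Z dave historian success
2024-02-20T10:00:00Z erin historian success
2024-03-03T09:30:00Z erin historian failure
"""


def parse_log(text):
    """Return (time, user, system) for each successful login in the log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, system, result = line.split()
        if result == "success":
            events.append((when, user, system))
    return events


def reconcile(should, does, did):
    """Compare the three views of access and return the discrepancies.

    should: set of (user, system) approved entitlements
    does:   set of (user, system) accounts actually present on the systems
    did:    list of (time, user, system) successful logins
    """
    used = {(user, system) for _, user, system in did}
    return {
        # Access exists that nobody approved: revoke it or get it approved.
        "unapproved": sorted(does - should),
        # Approval exists but was never provisioned: a completeness gap in the data.
        "unprovisioned": sorted(should - does),
        # Approved and provisioned, but unused in the log window: candidates for removal.
        "dormant": sorted((should & does) - used),
        # Logins by identities with no current approval, with timestamps for the record.
        "used_without_approval": sorted(
            (when, user, system)
            for when, user, system in did
            if (user, system) not in should
        ),
    }


if __name__ == "__main__":
    for category, items in reconcile(SHOULD, DOES, parse_log(ACCESS_LOG)).items():
        print(f"{category}:")
        for item in items:
            print("   ", *item)
```

Each of the four result lists maps to an action: "unapproved" and "used_without_approval" are the findings an auditor will ask about first, "dormant" feeds a periodic access recertification, and "unprovisioned" usually means the entitlement list and the account scan are out of sync rather than a real exposure. In practice the three inputs come from the entitlement system, a scheduled account scan and the central log store instead of inline literals.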
Very good questions. Management of a Personnel Eligibility List (PEL) generally answers "Who should have access to what." The challenge is in "Who does have access to what," as it requires manual review and software scans to determine current access. "Who could have access" is probably more aimed at open ports and services, which need to be documented and scanned. "Who did have access," I think, should be covered if 1-4 are managed properly. The last one is a big one, requiring a comprehensive DR plan including a response plan and risk management.
Vinit - those are awesome additions. On the software side of the access equation, I have found that granting, and to a degree determining, access often rests on the shoulders of the help/service desk, which in many instances can be the wrong approach. In the past, I had to work very hard (with success) to push this responsibility back up through the organization. This was only achievable by partnering with specific leaders within the organization. Unfortunately, I often saw that this was a challenge many do not want to tackle. Thanks again for the feedback!