UCF ID: 01608 | Control Type: Establish/Maintain Documentation | Status: Live
Supporting and supported controls
This control directly supports:
- Identify significant information processes, applications, and systems that fall under internal or external governance or compliance laws, regulations, or rules. [UCF Control ID 00688]
There are no supporting controls.
Authority documents complied with:
North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-002-1 R1 thru CIP-002-1 R1.2; The GAIT Methodology, Phase 1.2 thru Phase 1.4; Defense Industrial Base Information Assurance Standard, § 6.1.1 Table 6-2 Goal 5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, § 2.5
Energy Guidance
The Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets.
The Responsible Entity shall maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria.
The risk-based assessment shall consider the following assets:
- Control centers and backup control centers performing the functions of the entities listed in the Applicability section of this standard.
- Transmission substations that support the reliable operation of the Bulk Electric System.
- Generation resources that support the reliable operation of the Bulk Electric System.
- Systems and facilities critical to system restoration, including black start generators and substations in the electrical path of transmission lines used for initial system restoration.
- Systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more.
- Special Protection Systems that support the reliable operation of the Bulk Electric System.
- Any additional assets that support the reliable operation of the Bulk Electric System that the Responsible Entity deems appropriate to include in its assessment.
The cyber security policy addresses the requirements in Standards CIP-002 through CIP-009, including provision for emergency situations. [CIP-002-1 R1 thru CIP-002-1 R1.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
US Federal Security Guidance
The organization should implement and measure information assurance methods to protect the critical DIB asset, control processes over the production or provisioning of the critical product or service, and the product or service delivery systems, including the supply chain. [§ 6.1.1 Table 6-2 Goal 5, Defense Industrial Base Information Assurance Standard]
NIST Guidance
The organization should implement security control assurance by assessing the design, development, implementation, operation, and maintenance of security controls for third-party information systems. Compliance with organizational security policies and standards should be included in assurance assessments. [§ 2.5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
General Guidance
The organization must develop a list of the critical IT functionality it relies upon, including both automated controls and other critical IT functionality. This is a key part of establishing information categories for each information type, because each category must assess both fully automated controls and application functionality. The organization must then assess whether, if the automated controls failed, there is at least a reasonable likelihood that a material error would go undetected. In other words, if manual key controls would detect a failure in an automated key control before it could lead to a material error or unauthorized change, the manual controls could be identified as key and could play a part in the assurance category for the information type.
The organization must also assess additional critical IT functionality in the applications that is not identified as a key control, where a failure might not be detected and could reasonably lead to a material error in the financial statements. The reasoning is that applications perform calculations and other procedures that are relied upon in the processing of financial transactions and the maintenance of related accounting records. If that functionality failed, material errors might be introduced without detection by key manual or automated controls. [Phase 1.2 thru Phase 1.4, The GAIT Methodology]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of key organizational functions for which an assurance strategy has been implemented. [UCF Control ID 01658]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
