NERC CIP Controls Matrix

FRCC Spring Workshop
May 7 – 11, 2012
AGENDA
Background
What the Control Matrix Is/Isn’t
Benefits
Control Matrix itself
Overview Tab
Control Matrix Tab
FAQs
BACKGROUND
Control Matrix was:
suggested by Internal Audit Dept.
set as a precedent from Sarbanes-Oxley audit
developed by external consultant
NOTE1: Two tabs: Overview, Control Matrix
NOTE2: Current Artifacts column contains links
WHAT IT IS/ CAN BE/ ISN’T
The control matrix is:
A list of evidence for each requirement
A reference guide to who is a contact for that evidence
A link to where the evidence is
The control matrix can be:
A document that shows when reviews are needed
A document that shows when reviews are completed
Part of a process for alerting when reviews are needed
The control matrix is not:
A list of people’s access, or who has access to what
A list of people who have approval authority
A substitute for transfer and termination procedures
BENEFITS
More efficient RSAW creation (especially for multiple regions)
FRCC Evidence Index
SERC by Business Unit
Shows owners or contacts for evidence
Can show timelines for when reviews are needed
Can show when reviews are completed
Is a foundation, or framework to build on
Could be transformed into a database
OVERVIEW TAB
Your Company Name NERC CIP Controls Matrix [Confidential]
Overview
Control Matrix: Provides a list of the NERC CIP Controls. The list includes the following fields:
Control No.: Control Identifier
NERC CIP Requirement: Indicates the number of the NERC CIP requirement related to the control
Requirement Description: Indicates the title of the NERC CIP requirement related to the control
Business Unit: Indicates the group (e.g., division or organization) responsible for the control
Frequency: Indicates the schedule upon which the control is to be performed
Policy / Procedure(s): Indicates the name of the policy or procedure which includes the control
Mandatory Artifacts: Describes the documentation required to evidence completion of the control
Current Artifacts: Describes the specific documentation that has been identified as evidence of completion of the control
Point of Contact: Indicates the person(s) or group(s) accountable for tracking completion and artifacts for the control
CONTROL MATRIX TAB

| Control No. | NERC CIP Requirement | Requirement Description | Business Unit | Frequency | Policy / Procedure(s) | Mandatory Artifacts | Current Artifacts | Point of Contact: Name | Point of Contact: Email |
|---|---|---|---|---|---|---|---|---|---|
| CIP-002 | | | | | | | | | |
| 002.1.1 | CIP-002 R1 | CIP-002, R1 Risk-Based Assessment Methodology (RBAM) | | Annually | | Documented RBAM | `\\mainserver\NERC CIP\CIP 002 R1\` | Wiley E. Coyote | wecoyote@HappyPowerCompany.com |
| 002.2.1 | CIP-002 R2 | CIP-002, R2 List of Critical Assets | | Annually | | List of identified Critical Assets | | | |
| 002.3.1 | CIP-002 R3 | CIP-002, R3 List of Critical Cyber Assets | | Annually | | List of associated Critical Cyber Assets essential to the operation of the Critical Asset | | | |
| 002.4.1 | CIP-002 R4 | CIP-002, R4 Annual Approvals: CA Methodology, CA List, CCA List | | Annually | | Annual Signed and Dated Approval of RBAM; List of CA | | | |
| 002.4.2 | CIP-002 R4 | CIP-002, R4 Annual Approvals: CA Methodology, CA List, CCA List | | Annually | | Annual Signed and Dated Approval of RBAM; List of CCA | | | |
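As an added example (not from the workshop deck or the FRCC template), the following Python script treats Control Matrix rows as data and produces the review-needed alerts described under Benefits: it flags controls whose next review is overdue or coming due, and controls whose mandatory artifact has no current artifact link or no point of contact. The sample rows, the extra "Last Completed" column and the Frequency-to-days mapping (which goes beyond the deck's single "Annually" value) are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed rows using the Control Matrix tab's columns (Business Unit and Policy /
# Procedure(s) omitted since the slide leaves them blank); "Last Completed" is assumed.
MATRIX_CSV = r"""Control No.,NERC CIP Requirement,Frequency,Mandatory Artifacts,Current Artifacts,Point of Contact,Last Completed
002.1.1,CIP-002 R1,Annually,Documented RBAM,\\mainserver\NERC CIP\CIP 002 R1\,wecoyote@HappyPowerCompany.com,2011-04-15
002.2.1,CIP-002 R2,Annually,List of identified Critical Assets,\\mainserver\NERC CIP\CIP 002 R2\,wecoyote@HappyPowerCompany.com,2011-09-01
002.3.1,CIP-002 R3,Annually,List of associated Critical Cyber Assets,,,2011-09-01
"""

# Assumed mapping from the Frequency column to a review interval; the deck only uses "Annually".
FREQUENCY_DAYS = {"Annually": 365, "Quarterly": 91, "Monthly": 30}

def load_matrix(text):
    """Parse the matrix into one dict per control row, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))

def review_findings(row, today):
    """Return the findings for one control row; an empty list means nothing to report."""
    findings = []
    interval = FREQUENCY_DAYS.get(row["Frequency"])
    if interval is None:
        findings.append("unknown frequency: " + row["Frequency"])
    elif not row["Last Completed"]:
        findings.append("review never completed")
    else:
        due = date.fromisoformat(row["Last Completed"]) + timedelta(days=interval)
        if due <= today:
            findings.append("review overdue since %s" % due)
        elif due - today <= timedelta(days=30):  # 30-day warning window (assumed)
            findings.append("review due %s" % due)
    # Every mandatory artifact needs a current artifact link and an accountable contact.
    if not row["Current Artifacts"]:
        findings.append("no artifact link for: " + row["Mandatory Artifacts"])
    if not row["Point of Contact"]:
        findings.append("no point of contact")
    return findings

def alerts(text, today_iso):
    """Map Control No. to findings for every row needing attention as of today_iso."""
    today = date.fromisoformat(today_iso)
    result = {}
    for row in load_matrix(text):
        findings = review_findings(row, today)
        if findings:
            result[row["Control No."]] = findings
    return result
```

Running `alerts(MATRIX_CSV, "2012-05-07")` lists only the controls that need action, so the output can feed a calendar or ticketing reminder rather than being read off the spreadsheet by hand.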
FAQS AND TEMPLATE
For spaghetti requirements, put artifacts underneath the high-level requirement, e.g., for CIP 005 RX.X “Please refer to CIP 007 RX.X.”
If you have multiple artifacts, add another row with a new control number
NOTE3: For a copy of the CIP Controls Template, download from FRCC’s website, found under the: Compliance tab/Documents/Compliance Workshop Presentations/2012 Spring Cyber Workshop Presentations