Catalog of Control Systems Security: Recommendations for Standards Developers
2.3.2.4 References

NIST SP 800-53r3 PS-2
API 1164r2 3.1
NERC CIPS CIP 003-3, B.R5.1, B.5.1.1
NRC RG 5.71 App. B.1.21

2.3.3 Personnel Screening

2.3.3.1 Requirement

The organization screens individuals requiring access to the control system before access is authorized.

2.3.3.2 Supplemental Guidance

The organization maintains consistency between the screening process and organizational policy, regulations, guidance, and the criteria established for the risk designation of the assigned position. Basic screening requirements include:

1. Past 5 years of employment
2. Past 5 years of education, with verification of the highest degree received
3. Past 3 years of residency
4. References
5. Past 5 years of law enforcement records.

2.3.3.3 Requirement Enhancements

The organization rescreens individuals with access to organizational control systems based on a defined list of conditions requiring rescreening and the frequency of such rescreening.

2.3.3.4 References

NIST SP 800-53r3 PS-3
API 1164r2 Annex A
NERC CIPS CIP 004-3, B.R5.1, B.R5.1.2
NRC RG 5.71 App. B.1.21

2.3.4 Personnel Termination

2.3.4.1 Requirement

When an employee is terminated, the organization revokes logical and physical access to control systems and facilities and ensures all organization-owned property is returned and that organization-owned documents and data files relating to the control system that are in the employee's possession are transferred to the new authorized owner within the organization. Complete execution of this control occurs within 24 hours for employees or contractors terminated for cause.

2.3.4.2 Supplemental Guidance

Organization-owned property includes system administration manuals, keys, identification cards, building passes, computers, cell phones, and personal data assistants. Organization-owned documents
include field device configuration and operational information, and control system network documentation.