
  • 250+ BES Cyber Systems
  • NERC CIP v5 Compliance

WITH THE INTRODUCTION OF NERC CIP v5, THE MAJOR OBJECTIVES WERE AS FOLLOWS:

  • Address NERC CIP v5 compliance requirements for over 250 BES Cyber Systems and BES Cyber Assets;
  • Reduce operational risks to the environment;
  • Reduce reliance on manual processes for access governance and access administration;
  • Improve role management capability for the BES Cyber Systems.

KeyData assisted the client in achieving NERC CIP v5 compliance. Achievements included the following:

  • Conducted an in-depth gap analysis and control risk assessment of the current state of Identity and Access Management (IAM) and Privileged Account Management (PAM), measured against industry-leading best practices and NERC CIP v5 requirements.
  • Recommended comprehensive operational improvements focused on governance, people, processes, and technology.
  • Developed an access management policy, target-state (remediated) access management processes, and baseline control standards for NERC CIP compliance.
  • Developed an IAM architecture and multi-phase IAM roadmap to achieve target state.
  • Defined a strategy and approach to collect application data and entitlements through common integration patterns.
  • Developed and implemented a role-based access control strategy by analyzing business and application roles for each department.
  • On-boarded 250+ BES Cyber Systems and BES Cyber Assets into a commercial IAM system.
  • Integrated IAM with IT Operations monitoring (SCOM) to support the operations of the IAM solution.

Implemented the following CIP v5 compliant improvements:

  • Onboarding (birthright) process to ensure security training and background checks are valid prior to provisioning;
  • Cross-boarding process requiring managers to review BES access to ensure access is still appropriate after department transfers;
  • Termination process to automatically disable network, remote and physical access within 24 hours of termination;
  • Quarterly access certification process in which managers review access grouped by business role, for ease of review;
  • Access request process to enable the organization to easily report on access and the authorization of that access;
  • Reminders, followed by automatic disablement of access, when security training or security background checks expire.
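As an added illustration (not KeyData's or the client's implementation), the lifecycle gates listed above can be expressed as checks run against HR and IAM records: the provisioning prerequisite, the 24-hour termination window, and expiry-driven reminders and disablement. The record fields, the sample data and the 30-day reminder lead time are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

@dataclass
class Worker:
    user_id: str
    training_expires: Optional[date]          # security-training validity end (assumed field)
    background_check_expires: Optional[date]  # background-check validity end (assumed field)
    terminated_at: Optional[datetime] = None  # set from the HR feed on termination
    access_enabled: bool = False              # current state of BES access in IAM

def prerequisites_valid(w: Worker, today: date) -> bool:
    """Birthright gate: training and background check must both exist and be unexpired."""
    return all(d is not None and d >= today
               for d in (w.training_expires, w.background_check_expires))

def desired_access(w: Worker, now: datetime) -> tuple[bool, list[str]]:
    """Decide whether BES access should be enabled; list every blocking reason."""
    reasons = []
    if w.terminated_at is not None:
        reasons.append("terminated")
    if w.training_expires is None or w.training_expires < now.date():
        reasons.append("training missing or expired")
    if w.background_check_expires is None or w.background_check_expires < now.date():
        reasons.append("background check missing or expired")
    return (not reasons, reasons)

def termination_sla_breaches(workers, now: datetime, max_hours: int = 24) -> list[str]:
    """Detection: terminated workers still enabled beyond the 24-hour disablement window."""
    return [w.user_id for w in workers
            if w.terminated_at is not None and w.access_enabled
            and now - w.terminated_at > timedelta(hours=max_hours)]

def reminders_due(workers, today: date, lead_days: int = 30) -> list[str]:
    """Active workers whose training or background check expires within lead_days."""
    horizon = today + timedelta(days=lead_days)
    return [w.user_id for w in workers
            if w.terminated_at is None and w.access_enabled
            and any(d is not None and today <= d <= horizon
                    for d in (w.training_expires, w.background_check_expires))]

# Constructed sample records (not real HR or IAM data)
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = [
    Worker("u1", date(2025, 1, 1), date(2025, 1, 1), access_enabled=True),  # compliant
    Worker("u2", date(2024, 6, 15), date(2025, 1, 1), access_enabled=True), # reminder due
    Worker("u3", date(2024, 5, 1), date(2025, 1, 1), access_enabled=True),  # training expired
    Worker("u4", date(2025, 1, 1), date(2025, 1, 1),
           terminated_at=datetime(2024, 5, 30, 9, 0), access_enabled=True),  # 24h breach
    Worker("u5", None, date(2025, 1, 1)),  # new hire, training not yet recorded
]
```

Running `desired_access` over the HR feed daily gives the IAM workflow its enable/disable decisions, while `termination_sla_breaches` is the control check an auditor would want evidence for.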