In the previous article on SigmaFlow’s integration with Tripwire, we talked about Evidence.
People are often confused by the terms “Approved” and “Provisioned,” yet the distinction between them is an extremely important part of NERC CIP compliance. Approved and Provisioned data primarily apply to Cyber Asset baselines, logical access rights, and physical access rights.
Approved data is just that – it’s what we approved.
The NERC CIP standards require that utilities maintain approved evidence in three specific areas:
- Baselines for cyber assets
- Logical access rights for people
- Physical access rights for people
In order to qualify as evidence, approved baselines and access rights must go through a compliance process prior to actual implementation. Each change to these approved areas requires additional supporting evidence demonstrating that the utility’s process was followed prior to making the change.
For example, any change to a cyber asset must go through the utility’s change management process. This is one of the workflow templates included in the SigmaFlow solution. It doesn’t matter if the change adds something or takes something away – the change management process is required for all cyber asset changes. The same goes for any change (grant and revoke) to logical and physical access rights.
Provisioned data is what’s really there.
Provisioned data demonstrates what has actually been configured directly on the cyber assets. Everything that is provisioned must have corresponding process evidence to demonstrate that the change was made in the appropriate manner. Provisioned data must come directly from the assets.
Where SigmaFlow manages and demonstrates compliance for approvals, Tripwire collects and reports on what has actually been implemented.
Read the next article in this series: SigmaFlow & Tripwire for NERC CIP Compliance: Data Validation