jpeters
Lookout

Calling all NERC CIP warriors!

Hello everyone,

I'm looking forward to connecting here with other utilities who are using or are planning to deploy IdentityIQ and/or File Access Manager.  For those who don't know my background, I've been responsible for identity governance at SMUD (Sacramento Municipal Utility District) for nearly 20 years now.  I guess I would call myself something of an Identity Evangelist.  Talk about an identity journey, I've only recently (past 3-4 years) become more heavily involved with NERC CIP.  It was particularly challenging from the outset because of having my feet set firmly in the SailPoint space on the corporate side, and although not too many utilities were using IdentityIQ for NERC CIP just a short time ago, I knew IIQ could handle CIP-004.  Why the challenge?  Convincing my management and peers in compliance that IdentityIQ could handle it with flying colors.  They had nothing to compare it to, and it was a matter of leveraging the trust I'd built up over the years at SMUD to convince them it would work.  Fortunately, we had a small but strong technical team with good access to resources on the compliance side.  We got our compliance system in place almost 3 years ago now, and it has proven very successful.

Frankly, one of the best rewards for me personally in getting our NERC CIP compliance IIQ instance up and running was the success we had with our tri-annual audit last year.  Executive level visibility can put you on edge, but that just made the teamwork and the months of preparation leading up all the sweeter a success.  I can't help but remember the SailPoint competitor telling me flat out that I was going to fail when SMUD picked IdentityIQ instead of their niche solution.  I appreciate the nudge. 

I've enjoyed meeting and talking to so many of you in the industry over the last few years, and if you've chosen to partner with SailPoint for your NERC CIP compliance needs, but haven't quite yet initiated your compliance journey, I'm always willing to lend an ear and pass along what advice I can.  For those of you in the trenches like me, I'd love to hear what challenges you've come across, and maybe how you've been able to meet those challenges with all the creativity and integration possibilities that SailPoint's product offerings enable.

 

All the best,

John Peters

compassuser1
Deckhand II

Hello John. We're wrapping up moving our NERC CIP compliance from another Identity Management solution to IIQ. May try to catch up with you sometime to share challenges and ideas.
jacosta
Deckhand II

IdentityIQ is proving to be a useful IAM.  Which reports have you found work the best for evidence CIP 4.2? In particular the quarterly review of CIP access and checking that there is an authorization record for each Identity?

jpeters
Lookout

I use the Advanced Access Review Live Report as a basis for 4.2.  Because we aggregate most of our systems on a regular basis, we avoid reviewing most authorization records for the quarterly requirement.  At the moment, we don't have a solution for managing our shared accounts, so those are the only authorizations we run through the quarterlies.  Hopefully in the next few months, we can aggregate even those by both acquiring and aggregating through the PAM module.

JeffreyBMarquez
Deckhand III

We just completed a NERC CIP specific SailPoint instance, as our first foray into IAM as a whole program. I am now working to determine how to 'layer' on the SOX corporate piece. Is it a separate tenant or a whole new implementation? Is there a community where this is already being discussed?

Another question: Is your SailPoint installation considered a part of the PACS or a CIP repository?

LynnBales
Deckhand

I'm wondering if any NERC CIP004 folks using IIQ are also required to use the Evidence Request Tool (ERT) to display all the evidence necessary for compliance. If so, do you have a custom report out of SailPoint or is it a gathering of various reports that you use to populate the ERT? I am not sure if ERT is just used at ReliabilityFirst or other regions. We are currently working on our deployment and hope to be in production by the fall. I'd be appreciative to hear from others with more experience. Seems like some of the comments here were posted a few years ago so hoping you've been able to grow your tool and could help us out with lessons learned. Thanks!!

jpeters
Lookout

We have two separate instances for our corporate side and our CIP side.  We initially stood up our CIP instance as an EACMS and a PACS, but our regional entity just recently made the determination that it is neither, since it doesn't actually directly authenticate or authorize anyone into an ESP or PSP.  Our CIP program manager doesn't believe it is a BCSI repository either, as there is not enough context associated with the information in the IIQ database.  The latter is dependent on our internal definition of what constitutes BCSI.  Your mileage may vary depending on your regional entity and your own internal procedures.

jpeters
Lookout

We used the ERT last year for our audit (I think we were one of the first?).  It was an intensive manual process on my part to document evidence for the ERT.  IIRC, I essentially had to go through our Leaver events and associated system-generated requests for access removal, our access requests, certification history from each identity, take screenshots, etc.  Same as the previous audit (which didn't use the ERT), I told my team that we really needed to automate the evidence gathering.  LOL.  Since our auditor changed the formatting requirements between audits, there would have been some rework.  Hopefully we will have the bandwidth to develop this out in the next year or two.  We have a custom report that can tell us who was authorized for what on any given day, and show the associated PRA and training requirements were met at that time (generally more capability than we've ever been asked), but it's still a matter of lining that up with the ERT.

JeffreyBMarquez
Deckhand III

Thank you for your response. Did you continue with the two separate instances, or did you combine them, given the new information, to reduce costs? I would be interested in understanding the architecture of the two separate instances.

JeffreyBMarquez
Deckhand III

We are experiencing the same issues with reporting. Nothing quite gets us to the requirement without a lot of manual work and intervention, which is not ideal in a compliance environment. 
