Calling all NERC CIP warriors!
Hello everyone,
I'm looking forward to connecting here with other utilities who are using or are planning to deploy IdentityIQ and/or File Access Manager. For those who don't know my background, I've been responsible for identity governance at SMUD (Sacramento Municipal Utility District) for nearly 20 years now. I guess I would call myself something of an Identity Evangelist. Talk about an identity journey, I've only recently (past 3-4 years) become more heavily involved with NERC CIP. It was particularly challenging from the outset because of having my feet set firmly in the SailPoint space on the corporate side, and although not too many utilities were using IdentityIQ for NERC CIP just a short time ago, I knew IIQ could handle CIP-004. Why the challenge? Convincing my management and peers in compliance that IdentityIQ could handle it with flying colors. They had nothing to compare it to, and it was a matter of leveraging the trust I'd built up over the years at SMUD to convince them it would work. Fortunately, we had a small but strong technical team with good access to resources on the compliance side. We got our compliance system in place almost 3 years ago now, and it has proven very successful.
Frankly, one of the best rewards for me personally in getting our NERC CIP compliance IIQ instance up and running was the success we had with our tri-annual audit last year. Executive level visibility can put you on edge, but that just made the teamwork and the months of preparation leading up all the sweeter a success. I can't help but remember the SailPoint competitor telling me flat out that I was going to fail when SMUD picked IdentityIQ instead of their niche solution. I appreciate the nudge.
I've enjoyed meeting and talking to so many of you in the industry over the last few years, and if you've chosen to partner with SailPoint for your NERC CIP compliance needs, but haven't quite yet initiated your compliance journey, I'm always willing to lend an ear and pass along what advice I can. For those of you in the trenches like me, I'd love to hear what challenges you've come across, and maybe how you've been able to meet those challenges with all the creativity and integration possibilities that SailPoint's product offerings enable.
All the best,
John Peters
IdentityIQ is proving to be a useful IAM. Which reports have you found work the best for evidence CIP 4.2? In particular the quarterly review of CIP access and checking that there is an authorization record for each Identity?
I use the Advanced Access Review Live Report as a basis for 4.2. Because we aggregate most of our systems on a regular basis, we avoid reviewing most authorization records for the quarterly requirement. At the moment, we don't have a solution for managing our shared accounts, so those are the only authorizations we run through the quarterlies. Hopefully in the next few months, we can aggregate even those by both acquiring and aggregating through the PAM module.
We just completed a NERC CIP specific SailPoint instance, as our first foray into IAM as a whole program. I am now working to determine how to 'layer' on the SOX corporate piece. Is it a separate tenant or a whole new implementation? Is there a community where this is already being discussed?
Another question: Is your SailPoint installation considered a part of the PACS or a CIP repository?
CIP, NERC, PACS
