ensure the following: This cyber security policy must be readily available to all personnel who have access to, or are responsible for, critical cyber assets.
The responsible entity must assign a senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, the policy. This senior manager shall be identified by name, title, business phone, business address, and date of designation. Changes to the senior manager must be documented within 30 calendar days of the effective date. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy.
The responsible entity shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists of critical assets, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information.
The responsible entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.
The responsible entity must document and implement a program for managing access to protected critical cyber asset information. The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. Personnel are identified by name, title, business phone, and the information for which they are responsible for authorizing access. At least annually, the responsible entity must review the access privileges to protected information to confirm that access privileges are correct and that they correspond with the responsible entity’s needs and appropriate personnel roles and responsibilities.
Change Control and Configuration Management
The responsible entity must establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software, and must implement supporting configuration management activities to identify, control, and document all entity- or vendor-related changes to hardware and software components of critical cyber assets pursuant to the change control process.
ELECTRONIC SECURITY PERIMETER(S)
The identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter, are required.
Electronic Security Perimeter
The responsible entity must ensure that every critical cyber asset resides within an electronic security perimeter. The responsible entity must identify and document the electronic security perimeter(s) and all access points to the perimeter(s).
1. Access points to the electronic security perimeter(s) must include any externally connected communication end point (for example, dial-up modems) terminating at any device within the electronic security perimeter(s).
2. For a dial-up-accessible critical cyber asset that uses a non-routable protocol, the responsible entity must define an electronic security perimeter for that single access point at the dial-up device.
3. Communication links connecting discrete electronic security perimeters must not be considered part of the electronic security perimeter. However, end points of these communication links within the electronic security perimeter(s) must be considered access points to the electronic security perimeter(s).
4. Any non-critical cyber asset within a defined electronic security perimeter must be identified and protected.
5. Cyber assets used in the access control and monitoring of the electronic security perimeter(s) must be afforded certain protective measures.
6. The responsible entity must maintain documentation on the electronic security perimeter(s), all interconnected critical and non-critical cyber assets within the electronic security perimeter(s), all electronic access points to the electronic security perimeter(s), and the cyber assets deployed for the access control and monitoring of these access points.
Electronic Access Controls
The responsible entity must implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter(s).