NERC CIP Evaluation


Do your organization’s documented programs, processes, and procedures meet NERC CIP standards?

  • Is your organization “going overboard” in certain areas while not doing enough in others?
  • Are personnel actually following your policies and procedures?
  • Is your NERC CIP training program adequate?
  • Is your change management and configuration control in line with NERC CIP-003 R6 and with industry best practices?
  • Do your test procedures and test environments meet CIP-007?
  • Do you have auditable results?

A comprehensive NERC CIP Health Check performed by Ibridge will help you evaluate your current security status. You can leverage this evaluation within your organization to achieve compliance with the standards in an effective manner and, more importantly, to help improve your organization’s cyber security posture.

CIP-007 in particular is often misunderstood and misinterpreted. Ibridge consultants can break down the standard in detailed technical fashion to assist your personnel in the daunting task of meeting the standard.

Ibridge performs an assessment of your organization’s cyber security posture based on the NERC Critical Infrastructure Protection standards. We conduct a series of discovery interviews with key personnel pertaining to standards 2 through 9.

  • CIP-002 - Evaluate your Critical Asset Identification Methodology.
  • CIP-003 - Evaluate your TFEs, Information Protection Program, Program for Access Control and your Change Control and Configuration Management Process.
  • CIP-004 - Evaluate your training program and Access Control Mechanisms.
  • CIP-005 - Review construction of your ESP and your monitoring processes.  Review application of applicable CIP standards to your ESP perimeter devices.
  • CIP-006 - Review construction of your PSPs, mechanisms for physical access control, monitoring, logging and testing. Review compliance of PSP monitoring equipment with applicable standards.
  • CIP-007 - “The Big One”.  Unlike many security consulting firms, Ibridge has the technical capability to evaluate your compliance with the difficult requirements placed on all your organization’s cyber assets by this standard.
  • CIP-008 - Review your incident response plans as per the language of the standard. Ensure the connectivity between CIP-008 and CIP-007 R6.
  • CIP-009 - Evaluate your organization’s recovery plans for Critical Cyber Assets and your records of exercising those plans. Although the standard is easy to comprehend, many organizations do not have documented recovery plans for all of their CCAs.

Copyright Ibridge Inc., 2010