The Controls Guidance and Compliance Failure Points document guides registered entities in assessing risks associated with their business activities and designing appropriate internal controls in response. To help entities get started, WECC has identified generic control objectives to mitigate the risks associated with the risk categories mentioned above and with CIP-007-6. You may want to consider these five objectives:
Control Objective 1: Reduce the attack surface by preventing any unnecessary accessibility to the BES Cyber System and associated cyber assets. (Identity Management and Access Control)
Control Objective 2: Identify, analyze, and mitigate known software and firmware vulnerabilities. (Identity Management and Access Control, Asset/System Management and Maintenance)
Control Objective 3: Take measures to protect against harm from malicious code. (Identity Management and Access Control)
Control Objective 4: Monitor security events to aid in the identification of Cyber Security Incidents. (Identity Management and Access Control)
Control Objective 5: Prevent electronic access by unauthorized individuals. (Identity Management and Access Control)