I have a couple of questions in regard to NERC-CIP environments...
With NERC-CIP, everything that is connected 'inside' the Electronic Security Perimeter is considered a Cyber Asset.
Q1. CIP-007-3 R5.3.2 requires the use of 'special characters' in the password. However, the QualysGuard portal can only enforce minimum length and the use of alpha and numeric passwords. Even though the portal is 'technically' not inside the ESP, the appliance is. Without an enhancement to QualysGuard's password enforcement parameters, how are the rest of you addressing this with the NERC-CIP auditors?
Q2. CIP-007-3 R4 requires the use of antivirus/antimalware prevention on Cyber Assets. Since the Qualys appliance does not run AV, how are the rest of you addressing this with the NERC-CIP auditors?
Any comments / suggestions are welcome.