CIP-005-4 is focused on Electronic Security Perimeter(s). Section R1 is titled “Electronic Security Perimeter” and is further defined as:
Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
R1.1. Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).
R1.2. For a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.
R1.3. Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).
R1.4. Any non-critical Cyber Asset within a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Standard CIP-005-4a.
R1.5. Cyber Assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures as specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4a Requirements R2 and R3; Standard CIP-006-4c Requirement R3; Standard CIP-007-4 Requirements R1 and R3 through R9; Standard CIP-008-4; and Standard CIP-009-4.
R1.6. The Responsible Entity shall maintain documentation of Electronic Security Perimeter(s), all interconnected Critical and non-critical Cyber Assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points.
IT Foundation Management is used to consolidate access point security and management. This approach reduces a large number of access points to a single access point that can be managed effectively. All serial traffic under this approach is captured and monitored by IT Foundation Management, securing the access points while the serial traffic to each console is monitored. It enables companies to consolidate access points that may otherwise be highly distributed. The result is that IT Foundation Management becomes a “single” access point in place of multiple, distributed access points.
Out-of-band access points are frequently a point of failure for Utility security strategies measured against NERC CIP-005-4 R2. Out-of-band access points include baseboard management controllers (e.g. HP iLO2, Dell DRAC, and Sun/Oracle ALOM and ILOM) and serial configuration ports. They are privileged interfaces that exist on almost every cyber security and non-cyber security asset in the Utility IT infrastructure. IT Foundation Management is a comprehensive solution for out-of-band access point management.
IT Foundation Management acts as the Electronic Security Perimeter for the systems that it manages and can include both in-band and out-of-band access points. Capabilities can easily span critical and non-critical cyber assets and apply specific policies to each as well as to selected subgroups in either category. Accurate information is captured and retained at all times, including every access or attempted access, all system messages generated during a session, and all activity by every user down to the keystroke for a comprehensive end-to-end forensic record to support the access control policy.