NERC CIP: Don't Be a Compliance "Laggard"

By Thomas Schmidt

As numerous commentators have observed, electric power companies that minimize error-prone manual processes in NERC CIP compliance are better positioned to eliminate the fragmentation and duplication of effort that comes from deploying redundant or unnecessary solutions. Avoiding those manual processes is especially timely now: most responsible electric power entities were required to have begun work toward compliance with Cyber Security Standards CIP-002 through CIP-009 by the end of the June 2007 quarter.

This article looks at some of the strategic actions that can differentiate compliance leaders from laggards.

Leaders vs. Laggards
Ongoing research by the IT Policy Compliance Group demonstrates a clear link between business and financial risks and practices implemented in IT. Most of the costs associated with improving IT compliance come from frequently repeating time-consuming processes. These manual processes include creating, defining and distributing policies, tracking exceptions, managing standards and entitlements, remediating deviations and performing both procedural and technical assessments.

Moreover, the IT Policy Compliance Group's research reveals that companies committed to more frequent audits report fewer significant deficiencies. But these leading companies spend nearly 50% more of their IT security budget on compliance because they lack automation.

A key question for electric power companies, therefore, is: how do you become a leader, with fewer significant deficiencies, without incurring the costs typically associated with being one?

A Three-Step Process
The cyber security compliance process has three key stages: define, control and govern.

  • Define: The first step is to define what your policies should be. You need to understand exactly what best practices recommend and what external mandates require. You also need to manage the policy creation process with approval workflow and version control. Once a policy has been approved and published, it must be distributed to end users. End users, in turn, need to be able to log in through a web portal and see only the policies that affect them. They can approve, deny, ask for clarification, or request an exception to a policy. Exception management is critical: it allows a two-way dialogue with end users to ensure that the policies you create can actually be complied with. Where they cannot, management has a way of recording mitigating controls for these accepted risks.
  • Control: The next step is to prove that the policies you have written are, in fact, in place. There are two kinds of IT controls from which evidence of compliance must be gathered. The first kind of evidence comes from technical controls. These include platform hardening, patch analysis and vulnerability management, and they can be assessed programmatically. The second kind of evidence comes from procedural controls. These are not programmatically assessable (e.g., "Was the badge ID collected from a terminated employee?"). Such controls require human attestation of compliance, but that attestation needs to be retained in the same evidence store as the programmatically gathered information.
  • Govern: Now that you have defined policies and assessed compliance, you must be prepared to handle deficiencies. You need to be able to detect those problems and to remediate them. In some cases, new kinds of controls may be required, and best practice guidance will help you reshape your policies accordingly. In others, such as procedural controls, the requirement will be to notify end users of their non-compliance.
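The three stages above, modeled as a small working pipeline. This is an added illustration and is not code from the article, from NERC, or from any compliance product; the policy identifiers, wording, thresholds, asset inventory, attestations and exception text are all constructed for the example and are not NERC CIP requirement language. It shows the two things the prose leaves implicit: automated and attested evidence land in one store with the same shape, and the govern step assigns each failure a disposition (accepted risk with a mitigating control, remediate, or notify the owner), treating a procedural control with no attestation on file as a deficiency in its own right.

```python
"""Define / control / govern on constructed data (illustrative, not NERC text)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Policy:
    pid: str
    text: str
    kind: str                                      # "technical" or "procedural"
    check: Optional[Callable[[dict], bool]] = None  # automated test; technical only


# --- Define: policies (hypothetical ids and wording) -----------------------
POLICIES = [
    Policy("HARDEN-01", "Only approved ports may listen on a cyber asset", "technical",
           check=lambda a: set(a["listening_ports"]) <= set(a["approved_ports"])),
    Policy("PATCH-01", "Security patches are assessed within 30 days of release", "technical",
           check=lambda a: a["oldest_unassessed_patch_days"] <= 30),
    Policy("ACCESS-01", "Badge is revoked for terminated personnel", "procedural"),
]

# Constructed inventory and attestation records (not real hosts or people).
ASSETS = [
    {"id": "ems-hmi-01", "owner": "ops-team", "listening_ports": [22, 443],
     "approved_ports": [22, 443], "oldest_unassessed_patch_days": 12},
    {"id": "rtu-gw-07", "owner": "field-team", "listening_ports": [22, 23, 502],
     "approved_ports": [22, 502], "oldest_unassessed_patch_days": 45},
]
ATTESTATIONS = [
    {"pid": "ACCESS-01", "subject": "emp-1042", "attested_by": "hr-lead", "compliant": True},
    {"pid": "ACCESS-01", "subject": "emp-1077", "attested_by": "hr-lead", "compliant": False},
]
# Approved exceptions, keyed by (policy, subject), each with its mitigating control.
EXCEPTIONS = {
    ("HARDEN-01", "rtu-gw-07"): "telnet (23) reachable only from the jump host; removal scheduled",
}


def control(policies, assets, attestations):
    """Gather evidence for every policy into one store with one record shape.

    Technical controls are evaluated programmatically against asset facts;
    procedural controls take the human attestation on file. A technical
    check that cannot run (missing fact) is recorded as non-compliant
    evidence rather than silently skipped."""
    evidence = []
    for p in policies:
        if p.kind == "technical":
            for a in assets:
                try:
                    ok = bool(p.check(a))
                except (KeyError, TypeError):
                    ok = False
                evidence.append({"pid": p.pid, "subject": a["id"], "owner": a["owner"],
                                 "source": "automated", "compliant": ok})
        else:
            for att in attestations:
                if att["pid"] == p.pid:
                    evidence.append({"pid": p.pid, "subject": att["subject"],
                                     "owner": att["attested_by"],
                                     "source": "attestation", "compliant": att["compliant"]})
    return evidence


def govern(policies, evidence, exceptions):
    """Turn the evidence store into a list of deficiencies, each with a disposition."""
    kinds = {p.pid: p.kind for p in policies}
    findings = []
    for e in evidence:
        if e["compliant"]:
            continue
        key = (e["pid"], e["subject"])
        if key in exceptions:
            findings.append({**e, "disposition": "accepted_risk",
                             "mitigating_control": exceptions[key]})
        elif kinds[e["pid"]] == "procedural":
            findings.append({**e, "disposition": "notify_owner"})
        else:
            findings.append({**e, "disposition": "remediate"})
    # A procedural policy with no attestation at all is itself a deficiency:
    # absence of evidence is not evidence of compliance.
    covered = {e["pid"] for e in evidence}
    for p in policies:
        if p.kind == "procedural" and p.pid not in covered:
            findings.append({"pid": p.pid, "subject": None, "owner": None,
                             "source": "none", "compliant": False,
                             "disposition": "collect_attestation"})
    return findings


if __name__ == "__main__":
    for f in govern(POLICIES, control(POLICIES, ASSETS, ATTESTATIONS), EXCEPTIONS):
        print(f["pid"], f["subject"], f["disposition"])
```

On the constructed data this yields three findings: the unapproved telnet port on rtu-gw-07 is carried as accepted risk with its mitigating control, the overdue patch assessment on the same host is queued for remediation, and the unrevoked badge for emp-1077 becomes a notification to the attesting owner. Dropping the attestation records entirely produces a fourth finding, collect_attestation, which is the case a purely technical scanner would never surface.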

Conclusion
Electric power organizations today face the challenge not only of maintaining strong compliance with NERC CIP, but of understanding which policies and standards they should implement to achieve it. A typical organization is a complex, heterogeneous environment with a variety of platforms and a diverse set of control objectives. Understanding the requirements and how to meet them calls for comprehensive intelligence about regulations, frameworks and the relevant best practices. These organizations need to lower their risk of non-compliance and improve internal controls through a combination of automation, process improvement and training.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
