Time to Shift Some Priorities When Tackling NERC Requirements
Based on the latest information from NERC, the Critical Infrastructure Protection Standards CIP-002 through CIP-009 reach the Auditably Compliant stage on July 1st, 2009. Up until now most of us have been focusing on the Sabotage Reporting Standard, CIP-001. Most of the violations associated with CIP-001 are the result of either not having an established contact with the FBI for sabotage reporting, or deficiencies in the procedures or training related to sabotage reporting. Given that CIP-001 is only one standard and is fairly simple compared to the other eight, we can all assume that a lot more effort will be required for compliance with CIP-002 through CIP-009, and that there will be significantly more violations and significantly higher fines associated with them.
Given that companies have limited resources and time, it may be helpful to look at what is ‘common’ amongst these standards as they relate to processes and workflows. One process that repeatedly shows up in the requirements is the review or assessment. For example, CIP-006 Requirement 1.9 says that companies need to establish a process for ensuring that the physical security plan is reviewed at least annually. CIP-009 Requirement 1 says that companies must review their recovery plans for Critical Cyber Assets annually. While each of these processes must be tailored to meet its specific requirement, there are many common elements that can be leveraged to save time. For example, a typical ‘review’ process includes the following steps:
- Initiate the review
- Perform the review and document any recommendations for change
- Approve the determination and recommendations
- Implement all approved changes
- Request approval that the changes were implemented and close the review
- Schedule the next review based on the required period
Once you have agreed on a general workflow you can then customize the process to meet specific needs. For example, determine who should be approving recommended changes and closure for the specific process being implemented, and what evidence of each step should be retained, since an auditor will want to see that the review actually happened within the required period, not just that a procedure exists. So before developing your workflows, read through the entire set of CIP Standards and look for repeated processes. It may help you to save time and money. Let me know what processes you have found in the CIP Standards that may be repeated.