
1 Compliance Guidance for Initial Compliance Review Dates Lew Folkerth 2Q2010 Webinar June 22, 2010.





2 The Question
In the case where an action must be repeated on a defined schedule, must that action be performed before the start of the compliance period?

3 The Answer is Not Simple
Q: In the case where an action must be repeated on a defined schedule, must that action be performed before the start of the compliance period?
A: Generally yes, but there are exceptions. These exceptions occur where the first occurrence of a repeating action may be assumed to have taken place during the initial compliance effort.

4 Categories
“Bookend” Required: A periodic requirement which cannot be reasonably assumed to have been performed as part of the initial compliance effort.
See CIP Implementation Plan definition of “Compliant”: Compliant means the entity meets the full intent of the requirements and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records.”
See FERC Order 706 P 72: “… responsible entities must comply with the substance of a Requirement.”

5 “Bookend” Required: Example
CIP R1.3 requires annual review and approval of the cyber security policy by the CIP Senior Manager. During the compliance implementation effort, the policy is drafted. Drafting the policy, however, does not mean the Senior Manager has reviewed and approved it. An audit team will look for the Senior Manager’s approval of the policy on or before the first date of the compliance period (the “C” date).

6 “Bookend” Presumed: Example
CIP R4.3 requires an annual assessment of an entity’s information protection program. The assessment is a review of the performance and effectiveness of the program. If the assessment is performed immediately after the information protection program is put in place, there will be nothing to assess. An audit team will look for an assessment of the program on each “annual” (based on the current understanding of this term at the time of the audit) anniversary of the implementation of the program. In this case the initial assessment is “presumed” to have been performed during the development of the program.

7 “Bookend” Required
CIP R4: Approval of the lists is not an inherent part of their creation.
CIP R1.3: Annual review and approval of the Cyber Security Policy by the designated Senior Manager is required. The initial approval of the Policy must have taken place prior to the initial compliance date. No other words in this requirement mandate the approval of the policy, but the plain language of the standard indicates the policy must be approved before it comes into effect.
CIP R1: Awareness activity must occur during the first quarter after the initial compliance date and each quarter thereafter.

8 “Bookend” Required
CIP R2.3: The documentation must include the initial training.
CIP R4: The initial CVA must be done prior to the initial compliance date, and annually thereafter. A CVA must be performed before a network can be reasonably secure. Even if (especially if) the entity is dealing with a new network, the initial CVA is still needed.

9 “Bookend” Required
CIP R6.1: If a new system, then the installation date of the system may be assumed to be its initial test. The entity will need to be able to document that a system has been tested within the previous three years. It is not acceptable that a system which has been in place for, say, ten years will not be tested for another three.
CIP R5.1.3: The initial review of access privileges must occur before the initial compliance date. The possibility of a Critical Cyber Asset running for a year with improper account permissions is not acceptable.

10 “Bookend” Required
CIP R5.3.3: The essence of the requirement is that no password may be more than one year old. This needs to be true upon entering the compliance period.
CIP R8: The initial CVA must be done prior to the initial compliance date, and annually thereafter. A CVA must be performed before a system can be reasonably secure. Even if (especially if) the entity is dealing with a new system, the initial CVA is still needed.
CIP R1.6: An incident response plan needs to be tested before it can be considered valid. This should be part of the plan's development.

11 “Bookend” Required
CIP R2: A recovery plan needs to be tested before it can be considered valid. This should be part of the plan's development.
CIP R5: The initial test of the backup media must occur before the initial compliance date.

12 “Bookend” Presumed
CIP R2, R3: The development of the list required by the standard is the initial review of the list. The list must be in place before the compliance date.
CIP R3.3: Initial approval of the exception is inherent in the authorization required by R3.
CIP R4.3: The initial assessment of the information protection program is inherent in the creation process. The clear intent is to have a year go by before the adherence to the program is assessed.

13 “Bookend” Presumed
CIP R5.1.2, R5.2: Verification of the lists can reasonably be assumed at their creation. The lists must be in place before the initial compliance date.
CIP R5.3: Assessment of the process to control access privileges can reasonably be expected to need a year's data to work on. The process itself must be in place before the initial compliance date.
CIP R2: Review of the program should take place a year after the program was put in place. The program must be in place before the initial compliance date.

14 “Bookend” Presumed
CIP R4.1: A review must occur in the first quarter after the initial compliance date, and each quarter thereafter. The initial creation of the list may be assumed to be the first review and must have been complete before the initial compliance date.
CIP R5.1: The creation of the documentation can be reasonably assumed to be its initial review.
CIP R1.8: The creation of the Physical Security Plan can be assumed to be its initial review. The plan must be in place before the initial compliance date.

15 “Bookend” Presumed
CIP R9: The creation of the documentation can be reasonably assumed to be its initial review.
CIP R1.5: The initial creation of the Plan can be assumed to be its initial review.
CIP R1: The initial creation of the Plan can be assumed to be its initial review.

16 Questions
Questions should be e-mailed to Matt Thomas, Subject: “CIP WEBINAR”
Questions will be considered in the order they are received
Clarifying questions are welcome and we’ll do our best to answer during the question period
Challenges to a position should be addressed to the presenter and will be taken offline

