Employee Privacy at Risk? APPA Business & Financial Conference, Austin, TX, September 25, 2007. Scott Mix, CISSP, Manager of Situation Awareness and Infrastructure Security.

Presentation transcript:

Employee Privacy at Risk? APPA Business & Financial Conference Austin, TX September 25, 2007 Scott Mix, CISSP Manager of Situation Awareness and Infrastructure Security

2 Agenda
● Personnel Issues
● Sanctions & Penalties
● Compliance
● Cyber Security Standards Status
● References

3 Personnel Issues

4
● Most issues in CIP-004 (Personnel and Training)
● Other Standards also involved:
  - Leadership (CIP-003)
  - Access Control (CIP-003, CIP-004, CIP-005, CIP-006, CIP-007)
  - Information Protection (CIP-003)

5 CIP-004 – Personnel and Training
● R1: Awareness
  - General and non-specific
● R2: Training
  - Essential Requirements
  - Records Kept

6 CIP-004 – Personnel and Training
● R3: Personnel Risk Assessment
  - More than just Background Checks
  - Identity Checks, etc.
  - Re-perform every seven years
  - Includes non-Employees
  - Subject to existing Agreements and Laws

7 Access Control
● Governance – CIP-003
● Authorization – CIP-004
● Access Controls – CIP-005, CIP-006
● Account Management – CIP-007

8 Leadership
● Senior Manager Designation required
● May delegate some functions
  - Formal delegation arrangements

9 Sanctions & Penalties

10 NERC Sanction Guidelines
● ERO Sanction Guidelines
  - Based on FERC Policy Statement on Enforcement, issued October 20, 2005 (Docket No. PL )
  - Comparable to levels of threat to reliability
  - Promotes compliance with standards
  - Rewards self-reporting & voluntary corrective actions
  - Flexible to adapt to all relevant facts surrounding the violation
  - Consistent application of guidelines

11 Penalties and Sanctions
Statutory limit: $1,000,000 per violation per day in the U.S.
Non-financial sanctions allowed.
Penalty funds apply to the marginal cost of enforcement and are reconciled in the budget.
Other qualitative factors for consideration:
● Repeat infractions (-)
● Prior warnings (-)
● Deliberate violations (-)
● Self-reporting and self-correction (+)
● Quality of entity compliance program (+/-)
● Overall performance (+/-)
Key: (-) Negative influence; (+) Positive influence; (+/-) Positive or negative
ftp://

12 How Will Penalties Be Applied
● Penalties will be applied by the Regional Entity
  - Staff will determine initial penalty or sanction
  - Regions may reach a settlement – must be filed with FERC
  - Penalties may be appealed
● Once finalized, NERC files “notice of penalty”
  - Penalties may be adjusted by FERC
  - Penalties become effective 31 days after filing
  - Remedial actions may be applied immediately to preserve reliability

13 Compliance Audit & Enforcement

14 Compliance Audit
● NERC Compliance Program is different from most “standards conformance” auditing
  - All requirements must be met
  - “Extra Credit” doesn’t count
● Has the Requirement been met as determined by the Measure?
● Compliance uses clear decision points
  - “Yes” or “no”
  - “Done” or “not done”
  - Seeks to know “what”, not “how”
● Quantitative, not qualitative

15 Compliance Enforcement
● Can’t enforce prior to an Audit
● No audits until 2009/2010
  - No findings of “non-compliance” until then
● Included in 2007 Compliance Enforcement Plan
  - Monitoring industry progress only:
  - Compliance evaluations (but no audit and no sanctions)

16 Reliability Readiness and Improvement Program
● NOT AN AUDIT
● Evaluates entities’ practices to:
  - determine capability to comply
  - judge the effectiveness of practices
  - improve performance
● Qualitative judgments using experts
  - Seeks to know “how”
  - Share best practices
● Not a search for violations
  - Encountered violations must be reported
● Recommendations are voluntary

17 Standards Status Update

18 ERO Actions - Standards
● Reliability Standards filed with ERO Application in April, 2006
  - 102 Current Standards Filed
  - Additional standards to be filed as approved
  - ~10,000 pages of public comments from NERC process also requested by FERC
● Preliminary report issued 5/11/06
● Additional Standards filed 8/28/06
● Standards require FERC approval before they can become mandatory
● FERC NOPR on Standards issued 10/20/06
● FERC Order 693 on Standards issued 3/16/07
● 83 Standards become Mandatory and Enforceable with Penalties on 6/18/07
● FERC Docket RM

19 Status of NERC Cyber Security Standards
● FERC Order 693 (March 16, 2007) (non-Cyber Security Standards)
  - 83 standards approved
  - 56 requiring “significant improvement”
  - Only CIP-001 included
  - FERC effective date June 18, 2007
● Staff Assessment of CIP-002 through CIP-009
  - Issued December 12, 2006
  - Responses filed February 12, 2007
  - FERC reviews industry responses & drafts NOPR

20 Status of NERC Cyber Security Standards
● Next steps expected for Cyber Security Standards
  - FERC issues NOPR (July 20, 2007)
  - NOPR Notice in Federal Register (August 6, 2007)
  - Industry Comment (60 days) (October 5, 2007)
  - FERC reviews industry comments and drafts Final Rule
  - FERC issues Final Rule
  - Notice in Federal Register
  - FERC effective date 60 days after notice
  - FERC Docket RM

21 References
● NERC Standards CIP-002 through CIP-009
  - dards.html#Critical_Infrastructure_Protection
● Frequently Asked Questions
  - ftp:// vised_CIP _FAQs_06Mar06.pdf
● Implementation Plan
  - ftp:// ised_Implementation_Plan_CIP pdf
● “What” Workshop presentation files
  - ftp:// %20Workshop.zip

22 Questions?