Compliance Guidance for Initial Compliance Review Dates
Lew Folkerth, 2Q2010 Webinar, June 22, 2010
The Question
In the case where an action must be repeated on a defined schedule, must that action be performed before the start of the compliance period?

The Answer is Not Simple
Q: In the case where an action must be repeated on a defined schedule, must that action be performed before the start of the compliance period?
A: Generally yes, but there are exceptions. These exceptions occur where the first occurrence of a repeating action may be assumed to have taken place during the initial compliance effort.

Categories
“Bookend” Required: a periodic requirement whose first occurrence cannot reasonably be assumed to have been performed as part of the initial compliance effort.
“Bookend” Presumed: a periodic requirement whose first occurrence may reasonably be assumed to have taken place during the initial compliance effort (see the examples that follow).
See the CIP Implementation Plan definition of “Compliant”: Compliant means the entity meets the full intent of the requirements and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records.”
See FERC Order 706 P 72: “… responsible entities must comply with the substance of a Requirement.”

“Bookend” Required: Example
CIP R1.3 requires annual review and approval of the cyber security policy by the CIP Senior Manager. During the compliance implementation effort the policy is drafted. Drafting the policy, however, does not mean the Senior Manager has reviewed and approved it. An audit team will look for the Senior Manager’s approval of the policy dated on or before the first day of the compliance period (the “C” date).

“Bookend” Presumed: Example
CIP R4.3 requires an annual assessment of an entity’s information protection program. The assessment is a review of the performance and effectiveness of the program. If the assessment is performed immediately after the information protection program is put in place, there is nothing to assess. An audit team will look for an assessment of the program on each “annual” anniversary of the implementation of the program (based on the understanding of “annual” current at the time of the audit). In this case the initial assessment is “presumed” to have been performed during the development of the program.

“Bookend” Required
CIP R4: Approval of the lists is not an inherent part of their creation.
CIP R1.3: Annual review and approval of the Cyber Security Policy by the designated Senior Manager is required. The initial approval of the Policy must have taken place prior to the initial compliance date. No other words in this requirement mandate approval of the policy, but the plain language of the standard indicates the policy must be approved before it comes into effect.
CIP R1: Awareness activity must occur during the first quarter after the initial compliance date and each quarter thereafter.

“Bookend” Required
CIP R2.3: The documentation must include the initial training.
CIP R4: The initial CVA (cyber vulnerability assessment) must be done prior to the initial compliance date, and annually thereafter. A CVA must be performed before a network can be considered reasonably secure. Even if (especially if) the entity is dealing with a new network, the initial CVA is still needed.

“Bookend” Required
CIP R6.1: If the system is new, the installation date of the system may be taken as its initial test. The entity will need to be able to document that a system has been tested within the previous three years. It is not acceptable for a system that has been in place for, say, ten years to go untested for another three.
CIP R5.1.3: The initial review of access privileges must occur before the initial compliance date. The possibility of a Critical Cyber Asset running for a year with improper account permissions is not acceptable.

“Bookend” Required
CIP R5.3.3: The essence of the requirement is that no password may be more than one year old. This must already be true upon entering the compliance period.
CIP R8: The initial CVA must be done prior to the initial compliance date, and annually thereafter. A CVA must be performed before a system can be considered reasonably secure. Even if (especially if) the entity is dealing with a new system, the initial CVA is still needed.
CIP R1.6: An incident response plan needs to be tested before it can be considered valid. This should be part of the plan's development.

“Bookend” Required
CIP R2: A recovery plan needs to be tested before it can be considered valid. This should be part of the plan's development.
CIP R5: The initial test of the backup media must occur before the initial compliance date.

“Bookend” Presumed
CIP R2, R3: The development of the list required by the standard is the initial review of the list. The list must be in place before the compliance date.
CIP R3.3: Initial approval of the exception is inherent in the authorization required by R3.
CIP R4.3: The initial assessment of the information protection program is inherent in the creation process. The clear intent is to have a year go by before adherence to the program is assessed.

“Bookend” Presumed
CIP R5.1.2, R5.2: Verification of the lists can reasonably be assumed at their creation. The lists must be in place before the initial compliance date.
CIP R5.3: Assessment of the process to control access privileges can reasonably be expected to need a year's data to work on. The process itself must be in place before the initial compliance date.
CIP R2: Review of the program should take place a year after the program was put in place. The program must be in place before the initial compliance date.

“Bookend” Presumed
CIP R4.1: A review must occur in the first quarter after the initial compliance date, and each quarter thereafter. The initial creation of the list may be assumed to be the first review and must have been complete before the initial compliance date.
CIP R5.1: The creation of the documentation can reasonably be assumed to be its initial review.
CIP R1.8: The creation of the Physical Security Plan can be assumed to be its initial review. The plan must be in place before the initial compliance date.

“Bookend” Presumed
CIP R9: The creation of the documentation can reasonably be assumed to be its initial review.
CIP R1.5: The initial creation of the Plan can be assumed to be its initial review.
CIP R1: The initial creation of the Plan can be assumed to be its initial review.

Questions
Questions should be e-mailed to Matt Thomas, Subject: “CIP WEBINAR”.
Questions will be considered in the order they are received.
Clarifying questions are welcome and we’ll do our best to answer them during the question period.
Challenges to a position should be addressed to the presenter and will be taken offline.