Security Guidelines Working Group Update CIPC Meeting Phoenix, AZ Mar 16, 2006 Seiki Harada SGWG Chair CIPC Confidentiality: Public Release

SGWG Foil 2 Discussion Items 1.SGWG Roster 2.Change to the Guideline Preamble Prioritization of the Guideline Updates 4.Regular Review Cycle for All Security Guidelines 5.Content Review of Guidelines by SGWG 6.Guideline Directions

SGWG Foil 3

SGWG Foil 4 SGWG Roster: As of March 10, 2006, the SGWG comprises: 1.Scott McCoy (Physical) 2.Scott Webber (Physical) 3.Bruce Metruck (Physical) 4.Mike Paszynsky (Physical) 5.Larry Bugh (Cyber) 6.Joe Doetzl (Cyber) 7.David Baumken (Cyber) 8.Roger Lampila (Operations) 9.Tom Kropp (Research Institutions) 10.Ken Hall (Research Institutions)

SGWG Foil 5 Changes to the Preamble A suggestion was made by a NERC legal staff to adopt the following: “ This document addresses potential risks that can apply to some electricity sector organizations and provides practices that can help mitigate the risks. Each organization decides for itself the risks it can accept and the practices it deems appropriate to manage its risks. “

SGWG Foil 6 Prioritization of Guideline Updates: 1.Of the 18 Security Guidelines, 14 were assessed as needing updates. 2.The remainder, 4, are recent ones and deemed acceptable. 3.It is not reasonable to expect various working groups to re-draft all 14 of them and put through CIPC approvals in one year (9 months now!). 4.SGWG recommends 7 updates this year and 7 next year (refer to the SGWG Reference Document No.1)

SGWG Foil 7 Criteria for Prioritization: 1.Synchronization with, or in support of, the permanent cyber security guidelines 2.Importance/relevance of the subject matter today 3.How 'off' or 'dated' the content is 4.Subsumed by any new guidelines ( e.g., elimination candidates)?

SGWG Foil 8 Prioritization of Guideline Updates: Recommended Updates for 2006: SG001Vulnerability and Risk Assessment SG002Emergency Plans SG003Continuity of Business Processes SG005Physical Security SG006Cyber Security – Risk Management SG007Cyber Security – Access Controls SG018Threat Alert System and Cyber Response

SGWG Foil 9 Prioritization of Guideline Updates: Recommended Updates for 2007: SG004Communications SG008Cyber Security – IT Firewalls SG009Cyber Security – Intrusion Detection SG010Employment Background Screening SG011Protecting Potentially Sensitive Information SG012Securing Remote Access to Electronic CPS SG014Threat and Incident Reporting

SGWG Foil 10 Guideline Updates – Further Recommendations: 1.The CIPC Executive Committee assign an ‘owning’ working group for each security guideline. 2.The ‘owning’ working group will accommodate identified updates in their 2006/2007 work schedule. 3.NERC CIPC support staff will follow up with respective working group re the timing of completion and CIPC reviews

SGWG Foil 11 Regular Guideline Reviews: 1.Today, there is no fixed schedule for reviewing existing guidelines. 2.The Cyber Security Standard (CIP 003) asks for an annual review of policies. 3.SGWG Recommendation: Complete the identified updates for 2006 and 2007 After that, schedule reviews of the guidelines every two years or when there is a watershed event in the subject area. These bi-annual reviews may not necessarily result in updates.

SGWG Foil 12 Content Review of Security Guidelines: Background: 1.Comments were made that SGWG should stay away from reviewing guideline contents. 2.The SGWG Terms of Reference states, in part: “review existing CIPC guidelines, and other electric and non-electric industry reference material, for currency and relevance”.

SGWG Foil 13 Content Review of Security Guidelines: What the SGWG guideline reviews entail today: 1.Consistency and compatibility with security standards and other security guidelines 2.Consistency of parts within a specific guideline 3.Currency and relevance to the current threats/industry practices (e.g., against IEEE, ISO, NIST, ANSI, CSA, etc)

SGWG Foil 14 Content Review of Security Guidelines: Recommendation: 1.SGWG will review ‘content’ only in the sense of the above consistency checks – not in value judgement. 2.SGWG will provide timely comments to the ‘Owning’ working group. 3.The ‘owning’ working group will consider the comments provided. They are not obliged to accommodate all comments.

SGWG Foil 15 Guideline Directions: 1.Most new guidelines come from Working Groups or Task forces/Teams. 2.SGWG may from time identify the area where a new security guideline is appropriate. 3.The CIPC will have the final say in the generation of a new (or the elimination of an existing) security guidelines.

SGWG Foil 16 Thank you! 1.Thank you for working with me for the past two years. It has been a challenge and pleasure at the same time. 2.Please support Scott McCoy in the coming years!