Presentation is loading. Please wait.

Presentation is loading. Please wait.

Employee Privacy at Risk? APPA Business & Financial Conference Austin, TX September 25, 2007 Scott Mix, CISSP Manager of Situation Awareness and Infrastructure.

Published byEugenia May Modified over 9 years ago

Similar presentations

Presentation on theme: "Employee Privacy at Risk? APPA Business & Financial Conference Austin, TX September 25, 2007 Scott Mix, CISSP Manager of Situation Awareness and Infrastructure."— Presentation transcript:

1 Employee Privacy at Risk? APPA Business & Financial Conference Austin, TX September 25, 2007 Scott Mix, CISSP Manager of Situation Awareness and Infrastructure Security Scott.Mix@NERC.net 215-853-8204

2 2 Agenda ● Personnel Issues ● Sanctions & Penalties ● Compliance ● Cyber Security Standards Status ● References

3 3 Personnel Issues

4 4 ● Most issues in CIP-004 (Personnel and Training) ● Other Standards also involved:  Leadership (CIP-003)  Access Control (CIP-003, CIP-004, CIP-005, CIP-006, CIP-007)  Information Protection (CIP-003)

5 5 CIP-004 – Personnel and Training ● R1: Awareness  General and non-specific ● R2: Training  Essential Requirements  Records Kept

6 6 CIP-004 – Personnel and Training ● R3: Personnel Risk Assessment  More than just Background Checks  Identity Checks, etc  Re-perform every seven years  Includes non-Employees  Subject to existing Agreements and Laws

7 7 Access Control ● Governance – CIP-003 ● Authorization – CIP-004 ● Access Controls – CIP-005, CIP-006 ● Account Management – CIP-007

8 8 Leadership ● Senior Manager Designation required ● May delegate some functions  Formal delegation arrangements

9 9 Sanctions & Penalties

10 10 NERC Sanction Guidelines ● ERO Sanction Guidelines  Based on FERC Policy Statement on Enforcement  Issued October 20, 2005 (Docket No. PL06-1-000) Comparable to levels of threat to reliability  Promotes compliance with standards  Rewards self-reporting & voluntary corrective actions  Flexible to adapt to all relevant facts surrounding the violation  Consistent application of guidelines

11 11 Penalties and Sanctions Statutory limit: $1,000,000 per violation per day in the U.S. Non-financial sanctions allowed Penalty funds apply to marginal cost of enforcement and reconciled in budget Other qualitative factors for consideration: ● Repeat infractions (-) ● Prior warnings (-) ● Deliberate violations (-) ● Self-reporting and self-correction (+) ● Quality of entity compliance program (+/-) ● Overall performance (+/-) (-) Negative influence (+) Positive influence (+/-) Positive or negative ftp://www.nerc.com/pub/sys/all_updl/rop/Appendix4B-SanctionGuidelines.pdf

12 12 How Will Penalties Be Applied ● Penalties will be applied by the Regional Entity  Staff will determine initial penalty or sanction  Regions may reach a settlement – must be filed with FERC  Penalties may be appealed ● Once finalized NERC files “notice of penalty”  Penalties may be adjusted by FERC  Penalties become effective 31 days after filing  Remedial actions may be applied immediately to preserve reliability

13 13 Compliance Audit & Enforcement

14 14 Compliance Audit ● NERC Compliance Program is different than most “standards conformance” auditing  All requirements must be met  “Extra Credit” doesn’t count ● Has the Requirement been met as determined by the Measure? ● Compliance uses clear decision points  “Yes” or “no”  “Done” or “not done”  Seeks to know “what”, not “how” ● Quantitative, not qualitative

15 15 Compliance Enforcement ● Can’t enforce prior to an Audit ● No audits until 2009/2010  No findings of “non compliance” until then ● Included in 2007 Compliance Enforcement Plan  Monitoring industry progress only:  Compliance evaluations (but no audit and no sanctions)

16 16 Reliability Readiness and Improvement Program ● NOT AN AUDIT ● Evaluates entities practices to:  determine capability to comply  judge the effectiveness of practices  improve performance ● Qualitative judgments using experts  Seeks to know “how”  Share best practices ● Not a search for violations  Encountered violations must be reported ● Recommendations are voluntary

17 17 Standards Status Update

18 18 ERO Actions - Standards ● Reliability Standards filed with ERO Application in April, 2006  102 Current Standards Filed  Additional standards to be filed as approved  ~10,000 pages of public comments from NERC process also requested by FERC ● Preliminary report issued 5/11/06 ● Additional Standards filed 8/28/06 ● Standards require FERC approval before they can become mandatory ● FERC NOPR on Standards issued 10/20/06 ● FERC Order 693 on Standards issued 3/16/07 ● 83 Standards become Mandatory and Enforceable with Penalties on 6/18/07 ● FERC Docket RM06-16-000

19 19 Status of NERC Cyber Security Standards ● FERC Order 693 (March 16, 2007) (non-Cyber Security Standards)  83 standards approved  56 requiring “significant improvement”  Only CIP-001 included  FERC effective date June 18, 2007 ● Staff Assessment of CIP-002 through CIP-009  Issued December 12, 2006  Responses filed February 12, 2007  FERC reviews industry responses & drafts NOPR

20 20 Status of NERC Cyber Security Standards ● Next steps expected for Cyber Security Standards  FERC issue NOPR (July 20, 2007)  NOPR Notice in Federal Register (August 6, 2007)  Industry Comment (60 days) (October 5, 2007)  FERC reviews industry comments and drafts Final Rule  FERC issue Final Rule  Notice in Federal Register  FERC effective date 60 days after notice  FERC Docket RM06-22-000

21 21 References ● NERC Standards CIP-002 through CIP-009  http://www.nerc.com/~filez/standards/Reliability_Stan dards.html#Critical_Infrastructure_Protection http://www.nerc.com/~filez/standards/Reliability_Stan dards.html#Critical_Infrastructure_Protection ● Frequently Asked Questions  ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Re vised_CIP-002-009_FAQs_06Mar06.pdf ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Re vised_CIP-002-009_FAQs_06Mar06.pdf ● Implementation Plan  ftp://www.nerc.com/pub/sys/all_updl/standards/rs/Rev ised_Implementation_Plan_CIP-002-009.pdf ftp://www.nerc.com/pub/sys/all_updl/standards/rs/Rev ised_Implementation_Plan_CIP-002-009.pdf ● “What” Workshop presentation files  ftp://www.nerc.com/pub/sys/all_updl/cip/owg/CSSET %20Workshop.zip ftp://www.nerc.com/pub/sys/all_updl/cip/owg/CSSET %20Workshop.zip

22 22 Questions? Scott.Mix@NERC.net 215-853-8204

Download ppt "Employee Privacy at Risk? APPA Business & Financial Conference Austin, TX September 25, 2007 Scott Mix, CISSP Manager of Situation Awareness and Infrastructure."

Similar presentations

Reliability in the International Arena Alberta Perspective

Reliability in the International Arena Alberta Perspective
NERC ERO Specifics for WECC Regional Differences in Reliability Standards Delegation of Compliance Enforcement ERO Budgets and Funding Paul Barber 1.

NERC ERO Specifics for WECC Regional Differences in Reliability Standards Delegation of Compliance Enforcement ERO Budgets and Funding Paul Barber 1.
Standards Development and Approval Process Steve Rueckert Director of Standards Joint Guidance Committee WECC Leadership Annual Training Session Salt Lake.

Standards Development and Approval Process Steve Rueckert Director of Standards Joint Guidance Committee WECC Leadership Annual Training Session Salt Lake.
Document Categorization Steve Ashbaker Director of Operations Joint Guidance Committee WECC Leadership Annual Training Session Salt Lake City, UT May 6-7,

Document Categorization Steve Ashbaker Director of Operations Joint Guidance Committee WECC Leadership Annual Training Session Salt Lake City, UT May 6-7,
1 Compliance Report WECC Board of Directors Meeting December 7-8, 2006 Steve Rueckert Director, Standards and Compliance.

1 Compliance Report WECC Board of Directors Meeting December 7-8, 2006 Steve Rueckert Director, Standards and Compliance.
Reliability Provisions of EPAct of 2005 & FERC’s Final Rule

Reliability Provisions of EPAct of 2005 & FERC’s Final Rule
Road Map for Audit Preparation FRCC Compliance Workshops September / October 2008.

Road Map for Audit Preparation FRCC Compliance Workshops September / October 2008.
Allan Wick, CFE, CPP, PSP, PCI, CBCP Chief Security Officer WECC Joint Meeting October 8, 2014.

Allan Wick, CFE, CPP, PSP, PCI, CBCP Chief Security Officer WECC Joint Meeting October 8, 2014.
CIP Spot Check Process Gary Campbell Manager of Compliance Audits ReliabilityFirst Corporation August, 2009.

CIP Spot Check Process Gary Campbell Manager of Compliance Audits ReliabilityFirst Corporation August, 2009.
Compliance Application Notice Process Update and Discussion with NERC MRC.

Compliance Application Notice Process Update and Discussion with NERC MRC.
2009 Performance Assessment Member Representatives Committee Meeting October 28, 2008.

2009 Performance Assessment Member Representatives Committee Meeting October 28, 2008.
1 8 th Annual Financial Reporting Conference Baruch College Paul Beswick Deputy Chief Accountant April 30, 2009.

1 8 th Annual Financial Reporting Conference Baruch College Paul Beswick Deputy Chief Accountant April 30, 2009.
Jeffery J. Gust IOWA INDUSTRIAL ENERGY GROUP FALL CONFERENCE Tuesday, October 14, 2014 MidAmerican Energy Company.

Jeffery J. Gust IOWA INDUSTRIAL ENERGY GROUP FALL CONFERENCE Tuesday, October 14, 2014 MidAmerican Energy Company.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Physical Security CIP-014-1 NERC Standing Committees December 9-10, 2014.

Physical Security CIP NERC Standing Committees December 9-10, 2014.
Federal Energy Regulatory Commission Large Generator Interconnection Final Rule RM02-1-000 July 23, 2003.

Federal Energy Regulatory Commission Large Generator Interconnection Final Rule RM July 23, 2003.
Mandatory Reliability Rules Implementing the Electric Reliability Organization David W. Hilt Vice President & Director of Compliance APPA Reliability Symposium.

Mandatory Reliability Rules Implementing the Electric Reliability Organization David W. Hilt Vice President & Director of Compliance APPA Reliability Symposium.
Current Status Of The ERO Transition Activities To Comply With The 2005 EPAC ERCOT Board Meeting February 21, 2006 Sam Jones, COO.

Current Status Of The ERO Transition Activities To Comply With The 2005 EPAC ERCOT Board Meeting February 21, 2006 Sam Jones, COO.
Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security
1 Texas Regional Entity Report December 2007. 2 Performance Highlights ERCOT’s Control Performance Standard (NERC CPS1) score for October – 118.38 Initial.

1 Texas Regional Entity Report December Performance Highlights ERCOT’s Control Performance Standard (NERC CPS1) score for October – Initial.

Similar presentations

Ads by Google