
Employee Privacy at Risk?



Presentation Transcript


  1. Employee Privacy at Risk?
     APPA Business & Financial Conference
     Austin, TX
     September 25, 2007
     Scott Mix, CISSP
     Manager of Situation Awareness and Infrastructure Security
     Scott.Mix@NERC.net
     215-853-8204

  2. Agenda
     • Personnel Issues
     • Sanctions & Penalties
     • Compliance
     • Cyber Security Standards Status
     • References

  3. Personnel Issues

  4. Personnel Issues
     • Most issues in CIP-004 (Personnel and Training)
     • Other Standards also involved:
       • Leadership (CIP-003)
       • Access Control (CIP-003, CIP-004, CIP-005, CIP-006, CIP-007)
       • Information Protection (CIP-003)

  5. CIP-004 – Personnel and Training
     • R1: Awareness
       • General and non-specific
     • R2: Training
       • Essential Requirements
       • Records Kept

  6. CIP-004 – Personnel and Training
     • R3: Personnel Risk Assessment
       • More than just Background Checks
       • Identity Checks, etc.
       • Re-perform every seven years
       • Includes non-Employees
       • Subject to existing Agreements and Laws

  7. Access Control
     • Governance – CIP-003
     • Authorization – CIP-004
     • Access Controls – CIP-005, CIP-006
     • Account Management – CIP-007

  8. Leadership
     • Senior Manager Designation required
     • May delegate some functions
     • Formal delegation arrangements

  9. Sanctions & Penalties

  10. NERC Sanction Guidelines
      • ERO Sanction Guidelines
        • Based on FERC Policy Statement on Enforcement
          • Issued October 20, 2005 (Docket No. PL06-1-000)
        • Comparable to levels of threat to reliability
        • Promotes compliance with standards
        • Rewards self-reporting & voluntary corrective actions
        • Flexible to adapt to all relevant facts surrounding the violation
        • Consistent application of guidelines

  11. Penalties and Sanctions
      • Statutory limit: $1,000,000 per violation per day in the U.S.
      • Non-financial sanctions allowed
      • Penalty funds apply to marginal cost of enforcement and are reconciled in budget
      • Other qualitative factors for consideration:
        • Repeat infractions (-)
        • Prior warnings (-)
        • Deliberate violations (-)
        • Self-reporting and self-correction (+)
        • Quality of entity compliance program (+/-)
        • Overall performance (+/-)
      Legend: (-) Negative influence; (+) Positive influence; (+/-) Positive or negative
      ftp://www.nerc.com/pub/sys/all_updl/rop/Appendix4B-SanctionGuidelines.pdf

  12. How Will Penalties Be Applied
      • Penalties will be applied by the Regional Entity
      • Staff will determine initial penalty or sanction
      • Regions may reach a settlement – must be filed with FERC
      • Penalties may be appealed
      • Once finalized, NERC files “notice of penalty”
      • Penalties may be adjusted by FERC
      • Penalties become effective 31 days after filing
      • Remedial actions may be applied immediately to preserve reliability

  13. Compliance Audit & Enforcement

  14. Compliance Audit
      • NERC Compliance Program is different from most “standards conformance” auditing
        • All requirements must be met
        • “Extra Credit” doesn’t count
      • Has the Requirement been met as determined by the Measure?
      • Compliance uses clear decision points
        • “Yes” or “no”
        • “Done” or “not done”
      • Seeks to know “what”, not “how”
      • Quantitative, not qualitative

  15. Compliance Enforcement
      • Can’t enforce prior to an Audit
        • No audits until 2009/2010
        • No findings of “non-compliance” until then
      • Included in 2007 Compliance Enforcement Plan
        • Monitoring industry progress only:
          • Compliance evaluations (but no audit and no sanctions)

  16. Reliability Readiness and Improvement Program
      • NOT AN AUDIT
      • Evaluates entities’ practices to:
        • determine capability to comply
        • judge the effectiveness of practices
        • improve performance
      • Qualitative judgments using experts
      • Seeks to know “how”
      • Share best practices
      • Not a search for violations
        • Encountered violations must be reported
      • Recommendations are voluntary

  17. Standards Status Update

  18. ERO Actions - Standards
      • Reliability Standards filed with ERO Application in April, 2006
        • 102 Current Standards Filed
        • Additional standards to be filed as approved
      • ~10,000 pages of public comments from NERC process also requested by FERC
      • Preliminary report issued 5/11/06
      • Additional Standards filed 8/28/06
      • Standards require FERC approval before they can become mandatory
        • FERC NOPR on Standards issued 10/20/06
        • FERC Order 693 on Standards issued 3/16/07
        • 83 Standards become Mandatory and Enforceable with Penalties on 6/18/07
      • FERC Docket RM06-16-000

  19. Status of NERC Cyber Security Standards
      • FERC Order 693 (March 16, 2007) (non-Cyber Security Standards)
        • 83 standards approved
        • 56 requiring “significant improvement”
        • Only CIP-001 included
        • FERC effective date June 18, 2007
      • Staff Assessment of CIP-002 through CIP-009
        • Issued December 12, 2006
        • Responses filed February 12, 2007
        • FERC reviews industry responses & drafts NOPR

  20. Status of NERC Cyber Security Standards
      • Next steps expected for Cyber Security Standards
        • FERC issues NOPR (July 20, 2007)
        • NOPR Notice in Federal Register (August 6, 2007)
        • Industry Comment (60 days) (October 5, 2007)
        • FERC reviews industry comments and drafts Final Rule
        • FERC issues Final Rule
        • Notice in Federal Register
        • FERC effective date 60 days after notice
      • FERC Docket RM06-22-000

  21. References
      • NERC Standards CIP-002 through CIP-009
        http://www.nerc.com/~filez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection
      • Frequently Asked Questions
        ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Revised_CIP-002-009_FAQs_06Mar06.pdf
      • Implementation Plan
        ftp://www.nerc.com/pub/sys/all_updl/standards/rs/Revised_Implementation_Plan_CIP-002-009.pdf
      • “What” Workshop presentation files
        ftp://www.nerc.com/pub/sys/all_updl/cip/owg/CSSET%20Workshop.zip

  22. Questions?
      Scott.Mix@NERC.net
      215-853-8204
