1 / 16

Compliance Guidance for Initial Compliance Review Dates

Compliance Guidance for Initial Compliance Review Dates. Lew Folkerth lew.folkerth@rfirst.org 2Q2010 Webinar June 22, 2010. The Question. In the case where an action must be repeated on a defined schedule, must that action be performed before the start of the compliance period?.

sabine
Download Presentation

Compliance Guidance for Initial Compliance Review Dates

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Compliance Guidance for Initial Compliance Review Dates Lew Folkerth lew.folkerth@rfirst.org 2Q2010 Webinar June 22, 2010 1

  2. The Question • In the case where an action must be repeated on a defined schedule, must that action be performed before the start of the compliance period? 2

  3. The Answer is Not Simple Q: In the case where an action must be repeated on a defined schedule, must that action be performed before the start of the compliance period? A: Generally yes, but there are exceptions. These exceptions occur where the first occurrence of a repeating action may be assumed to have taken place during the initial compliance effort. 3

  4. Categories • “Bookend” Required: A periodic requirement which cannot be reasonably assumed to have been performed as part of the initial compliance effort. • See CIP Implementation Plan definition of “Compliant”: Compliant means the entity meets the full intent of the requirements and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records.” • See FERC Order 706 P 72: “… responsible entities must comply with the substance of a Requirement.” 4

  5. “Bookend” Required: Example • CIP-003-2 R1.3 requires annual review and approval of the cyber security policy by the CIP Senior Manager. • During the compliance implementation effort, the policy is drafted. Drafting the policy, however, does not mean the Senior Manager has reviewed and approved it. An audit team will look for the Senior Manager’s approval of the policy on or before the first date of the compliance period (the “C” date). 5

  6. “Bookend” Presumed: Example • CIP-003-2 R4.3 requires an annual assessment of an entity’s information protection program. • The assessment is a review of the performance and effectiveness of the program. If the assessment is performed immediately after the information protection program is put in place, there will be nothing to assess. An audit team will look for an assessment of the program on each “annual” (based on the current understanding of this term at the time of the audit) anniversary of the implementation of the program. In this case the initial assessment is “presumed” to have been performed during the development of the program. 6

  7. “Bookend” Required • CIP-002-2 R4: Approval of the lists is not an inherent part of their creation. • CIP-003-2 R1.3: Annual review and approval of the Cyber Security Policy by the designated Senior Manager is required. The initial approval of the Policy must have taken place prior to the initial compliance date. No other words in this requirement mandate the approval of the policy, but the plain language of the standard indicates the policy must be approved before it comes into effect. • CIP-004-2 R1: Awareness activity must occur during the first quarter after the initial compliance date and each quarter thereafter. 7

  8. “Bookend” Required • CIP-004-2 R2.3: The documentation must include the initial training. • CIP-005-2 R4: The initial CVA must be done prior to the initial compliance date, and annually thereafter. A CVA must be performed before a network can be reasonably secure. Even if (especially if) the entity is dealing with a new network, the initial CVA is still needed. 8

  9. “Bookend” Required • CIP-006-2 R6.1: If a new system, then the installation date of the system may be assumed to be its initial test. The entity will need to be able to document that a system has been tested within the previous three years. It is not acceptable for a system that has been in place for, say, ten years will not be tested for another three. • CIP-007-2 R5.1.3: The initial review of access privileges must occur before the initial compliance date. The possibility of a Critical Cyber Asset running for a year with improper account permissions is not acceptable. 9

  10. “Bookend” Required • CIP-007-2 R5.3.3: The essence of the requirement is that no password may be more than one year old. This needs to be true upon entering the compliance period. • CIP-007-2 R8: The initial CVA must be done prior to the initial compliance date, and annually thereafter. A CVA must be performed before a system can be reasonably secure. Even if (especially if) the entity is dealing with a new system, the initial CVA is still needed. • CIP-008-2 R1.6: An incident response plan needs to be tested before it can be considered valid. This should be part of the plan's development. 10

  11. “Bookend” Required • CIP-009-2 R2: A recovery plan needs to be tested before it can be considered valid. This should be part of the plan's development. • CIP-009-2 R5: The initial test of the backup media must occur before the initial compliance date. 11

  12. “Bookend” Presumed • CIP-002-2 R2, R3: The development of the list required by the standard is the initial review of the list. The list must be in place before the compliance date. • CIP-003-2 R3.3: Initial approval of the exception is inherent in the authorization required by R3. • CIP-003-2 R4.3: The initial assessment of the information protection program is inherent in the creation process. The clear intent is to have a year go by before the adherence to the program is assessed. 12

  13. “Bookend” Presumed • CIP-003-2 R5.1.2, R5.2: Verification of the lists can reasonably be assumed at their creation. The lists must be in place before the initial compliance date. • CIP-003-2 R5.3: Assessment of the process to control access privileges can reasonably be expected to need a year's data to work on. The process itself must be in place before the initial compliance date. • CIP-004-2 R2: Review of the program should take place a year after the program was put in place. The program must be in place before the initial compliance date. 13

  14. “Bookend” Presumed • CIP-004-2 R4.1: A review must occur in the first quarter after the initial compliance date, and each quarter thereafter. The initial creation of the list may be assumed to be the first review and must have been complete before the initial compliance date. • CIP-005-2 R5.1: The creation of the documentation can be reasonably assumed to be its initial review. • CIP-006-2 R1.8: The creation of the Physical Security Plan can be assumed to be its initial review. The plan must be in place before the initial compliance date. 14

  15. “Bookend” Presumed • CIP-007-2 R9: The creation of the documentation can be reasonably assumed to be its initial review. • CIP-008-2 R1.5: The initial creation of the Plan can be assumed to be its initial review. • CIP-009-2 R1: The initial creation of the Plan can be assumed to be its initial review. 15

  16. Questions • Questions should be emailed to Matt Thomas (matt.thomas@rfirst.org), Subject: “CIP WEBINAR” • Questions will considered in the order they are received • Clarifying questions are welcome and we’ll do our best to answer during the question period • Challenges to a position should be addressed to the presenter and will be taken offline 16

More Related