
Employee Privacy at Risk?

APPA Business & Financial Conference
Austin, TX

September 25, 2007

Scott Mix, CISSP
Manager of Situation Awareness and Infrastructure Security
Scott.Mix@NERC.net
215-853-8204

Agenda

● Personnel Issues
● Sanctions & Penalties
● Compliance
● Cyber Security Standards Status
● References

Personnel Issues

● Most issues in CIP-004 (Personnel and Training)
● Other Standards also involved:
  - Leadership (CIP-003)
  - Access Control (CIP-003, CIP-004, CIP-005, CIP-006, CIP-007)
  - Information Protection (CIP-003)

CIP-004 – Personnel and Training

● R1: Awareness
  - General and non-specific
● R2: Training
  - Essential Requirements
  - Records Kept
● R3: Personnel Risk Assessment
  - More than just Background Checks
  - Identity Checks, etc.
  - Re-perform every seven years
  - Includes non-Employees
  - Subject to existing Agreements and Laws

Access Control

● Governance – CIP-003
● Authorization – CIP-004
● Access Controls – CIP-005, CIP-006
● Account Management – CIP-007

Leadership

● Senior Manager Designation required
● May delegate some functions
  - Formal delegation arrangements

Sanctions & Penalties

NERC Sanction Guidelines

● ERO Sanction Guidelines
  - Based on FERC Policy Statement on Enforcement issued October 20, 2005 (Docket No. PL06-1-000)
  - Comparable to levels of threat to reliability
  - Promotes compliance with standards
  - Rewards self-reporting & voluntary corrective actions
  - Flexible to adapt to all relevant facts surrounding the violation
  - Consistent application of guidelines

Penalties and Sanctions

Range Limits by Violation Risk Factor (rows) and Violation Severity Level (columns), shown as Low / High:

Violation Risk Factor | Lower             | Moderate          | High               | Severe
Lower                 | $1,000 / $3,000   | $2,000 / $7,500   | $3,000 / $15,000   | $5,000 / $25,000
Medium                | $2,000 / $30,000  | $4,000 / $100,000 | $6,000 / $200,000  | $10,000 / $335,000
High                  | $4,000 / $125,000 | $8,000 / $300,000 | $12,000 / $625,000 | $20,000 / $1,000,000

Statutory limit: $1,000,000 per violation per day in the U.S.
Non-financial sanctions allowed.
Penalty funds apply to marginal cost of enforcement and are reconciled in budget.

Other qualitative factors for consideration:
● Repeat infractions (-)
● Prior warnings (-)
● Deliberate violations (-)
● Self-reporting and self-correction (+)
● Quality of entity compliance program (+/-)
● Overall performance (+/-)

(-) Negative influence; (+) Positive influence; (+/-) Positive or negative

ftp://www.nerc.com/pub/sys/all_updl/rop/Appendix4B-SanctionGuidelines.pdf

How Will Penalties Be Applied

● Penalties will be applied by the Regional Entity
  - Staff will determine initial penalty or sanction
  - Regions may reach a settlement – must be filed with FERC
  - Penalties may be appealed
● Once finalized, NERC files “notice of penalty”
  - Penalties may be adjusted by FERC
  - Penalties become effective 31 days after filing
  - Remedial actions may be applied immediately to preserve reliability

Compliance Audit & Enforcement

Compliance Audit

● NERC Compliance Program is different than most “standards conformance” auditing
  - All requirements must be met
  - “Extra Credit” doesn’t count
● Has the Requirement been met as determined by the Measure?
● Compliance uses clear decision points
  - “Yes” or “no”
  - “Done” or “not done”
  - Seeks to know “what”, not “how”
● Quantitative, not qualitative

Compliance Enforcement

● Can’t enforce prior to an Audit
● No audits until 2009/2010
  - No findings of “non compliance” until then
● Included in 2007 Compliance Enforcement Plan
  - Monitoring industry progress only: Compliance evaluations (but no audit and no sanctions)

Reliability Readiness and Improvement Program

● NOT AN AUDIT
● Evaluates entities’ practices to:
  - determine capability to comply
  - judge the effectiveness of practices
  - improve performance
● Qualitative judgments using experts
  - Seeks to know “how”
  - Share best practices
● Not a search for violations
  - Encountered violations must be reported
● Recommendations are voluntary

Standards Status Update

ERO Actions - Standards

● Reliability Standards filed with ERO Application in April, 2006
  - 102 Current Standards Filed
  - Additional standards to be filed as approved
  - ~10,000 pages of public comments from NERC process also requested by FERC
● Preliminary report issued 5/11/06
● Additional Standards filed 8/28/06
● Standards require FERC approval before they can become mandatory
● FERC NOPR on Standards issued 10/20/06
● FERC Order 693 on Standards issued 3/16/07
● 83 Standards become Mandatory and Enforceable with Penalties on 6/18/07
● FERC Docket RM06-16-000

Status of NERC Cyber Security Standards

● FERC Order 693 (March 16, 2007) (non-Cyber Security Standards)
  - 83 standards approved
  - 56 requiring “significant improvement”
  - Only CIP-001 included
  - FERC effective date June 18, 2007
● Staff Assessment of CIP-002 through CIP-009
  - Issued December 12, 2006
  - Responses filed February 12, 2007
  - FERC reviews industry responses & drafts NOPR
● Next steps expected for Cyber Security Standards
  - FERC issues NOPR (July 20, 2007)
  - NOPR Notice in Federal Register (August 6, 2007)
  - Industry Comment (60 days) (October 5, 2007)
  - FERC reviews industry comments and drafts Final Rule
  - FERC issues Final Rule
  - Notice in Federal Register
  - FERC effective date 60 days after notice
● FERC Docket RM06-22-000

References

● NERC Standards CIP-002 through CIP-009
  http://www.nerc.com/~filez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection
● Frequently Asked Questions
  ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Revised_CIP-002-009_FAQs_06Mar06.pdf
● Implementation Plan
  ftp://www.nerc.com/pub/sys/all_updl/standards/rs/Revised_Implementation_Plan_CIP-002-009.pdf
● “What” Workshop presentation files
  ftp://www.nerc.com/pub/sys/all_updl/cip/owg/CSSET%20Workshop.zip

Questions?

Scott.Mix@NERC.net
215-853-8204