TRANSCRIPT
Employee Privacy at Risk?
APPA Business & Financial Conference, Austin, TX
September 25, 2007
Scott Mix, CISSP, Manager of Situation Awareness and Infrastructure [email protected]
Agenda
● Personnel Issues
● Sanctions & Penalties
● Compliance
● Cyber Security Standards Status
● References
Personnel Issues
Personnel Issues
● Most issues in CIP-004 (Personnel and Training)
● Other Standards also involved:
  - Leadership (CIP-003)
  - Access Control (CIP-003, CIP-004, CIP-005, CIP-006, CIP-007)
  - Information Protection (CIP-003)
CIP-004 – Personnel and Training
● R1: Awareness
  - General and non-specific
● R2: Training
  - Essential Requirements
  - Records Kept
CIP-004 – Personnel and Training
● R3: Personnel Risk Assessment
  - More than just Background Checks
  - Identity Checks, etc.
  - Re-perform every seven years
  - Includes non-Employees
  - Subject to existing Agreements and Laws
Access Control
● Governance – CIP-003
● Authorization – CIP-004
● Access Controls – CIP-005, CIP-006
● Account Management – CIP-007
Leadership
● Senior Manager Designation required
● May delegate some functions
  - Formal delegation arrangements
Sanctions & Penalties
NERC Sanction Guidelines
● ERO Sanction Guidelines
  - Based on FERC Policy Statement on Enforcement issued October 20, 2005 (Docket No. PL06-1-000)
  - Comparable to levels of threat to reliability
  - Promotes compliance with standards
  - Rewards self-reporting & voluntary corrective actions
  - Flexible to adapt to all relevant facts surrounding the violation
  - Consistent application of guidelines
Penalties and Sanctions
Penalty ranges by Violation Risk Factor (rows) and Violation Severity Level (columns); each cell gives the Low / High range limits.

Violation Risk Factor | Lower VSL (Low / High) | Moderate VSL (Low / High) | High VSL (Low / High) | Severe VSL (Low / High)
Lower                 | $1,000 / $3,000        | $2,000 / $7,500           | $3,000 / $15,000      | $5,000 / $25,000
Medium                | $2,000 / $30,000       | $4,000 / $100,000         | $6,000 / $200,000     | $10,000 / $335,000
High                  | $4,000 / $125,000      | $8,000 / $300,000         | $12,000 / $625,000    | $20,000 / $1,000,000

Statutory limit: $1,000,000 per violation per day in the U.S.
Non-financial sanctions allowed.
Penalty funds apply to marginal cost of enforcement and are reconciled in budget.

Other qualitative factors for consideration:
● Repeat infractions (-)
● Prior warnings (-)
● Deliberate violations (-)
● Self-reporting and self-correction (+)
● Quality of entity compliance program (+/-)
● Overall performance (+/-)

Legend: (-) Negative influence; (+) Positive influence; (+/-) Positive or negative influence
ftp://www.nerc.com/pub/sys/all_updl/rop/Appendix4B-SanctionGuidelines.pdf
How Will Penalties Be Applied
● Penalties will be applied by the Regional Entity
  - Staff will determine initial penalty or sanction
  - Regions may reach a settlement – must be filed with FERC
  - Penalties may be appealed
● Once finalized, NERC files “notice of penalty”
  - Penalties may be adjusted by FERC
  - Penalties become effective 31 days after filing
  - Remedial actions may be applied immediately to preserve reliability
Compliance Audit & Enforcement
Compliance Audit
● NERC Compliance Program is different from most “standards conformance” auditing
  - All requirements must be met
  - “Extra Credit” doesn’t count
● Has the Requirement been met as determined by the Measure?
● Compliance uses clear decision points
  - “Yes” or “no”
  - “Done” or “not done”
  - Seeks to know “what”, not “how”
● Quantitative, not qualitative
Compliance Enforcement
● Can’t enforce prior to an Audit
● No audits until 2009/2010
  - No findings of “non-compliance” until then
● Included in 2007 Compliance Enforcement Plan
  - Monitoring industry progress only: Compliance evaluations (but no audit and no sanctions)
Reliability Readiness and Improvement Program
● NOT AN AUDIT
● Evaluates entities’ practices to:
  - determine capability to comply
  - judge the effectiveness of practices
  - improve performance
● Qualitative judgments using experts
  - Seeks to know “how”
  - Share best practices
● Not a search for violations
  - Encountered violations must be reported
● Recommendations are voluntary
Standards Status Update
ERO Actions - Standards
● Reliability Standards filed with ERO Application in April 2006
  - 102 Current Standards Filed
  - Additional standards to be filed as approved
  - ~10,000 pages of public comments from NERC process also requested by FERC
● Preliminary report issued 5/11/06
● Additional Standards filed 8/28/06
● Standards require FERC approval before they can become mandatory
● FERC NOPR on Standards issued 10/20/06
● FERC Order 693 on Standards issued 3/16/07
● 83 Standards become Mandatory and Enforceable with Penalties on 6/18/07
● FERC Docket RM06-16-000
Status of NERC Cyber Security Standards
● FERC Order 693 (March 16, 2007) (non-Cyber Security Standards)
  - 83 standards approved
  - 56 requiring “significant improvement”
  - Only CIP-001 included
  - FERC effective date June 18, 2007
● Staff Assessment of CIP-002 through CIP-009
  - Issued December 12, 2006
  - Responses filed February 12, 2007
  - FERC reviews industry responses & drafts NOPR
Status of NERC Cyber Security Standards
● Next steps expected for Cyber Security Standards
  - FERC issues NOPR (July 20, 2007)
  - NOPR Notice in Federal Register (August 6, 2007)
  - Industry Comment (60 days) (October 5, 2007)
  - FERC reviews industry comments and drafts Final Rule
  - FERC issues Final Rule
  - Notice in Federal Register
  - FERC effective date 60 days after notice
● FERC Docket RM06-22-000
References
● NERC Standards CIP-002 through CIP-009: http://www.nerc.com/~filez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection
● Frequently Asked Questions: ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Revised_CIP-002-009_FAQs_06Mar06.pdf
● Implementation Plan: ftp://www.nerc.com/pub/sys/all_updl/standards/rs/Revised_Implementation_Plan_CIP-002-009.pdf
● “What” Workshop presentation files: ftp://www.nerc.com/pub/sys/all_updl/cip/owg/CSSET%20Workshop.zip