FERC/NERC Information Security Solutions
About the Mandatory Reliability Standards for Critical Infrastructure Protection
The Federal Energy Regulatory Commission (FERC) has approved eight mandatory cyber-security standards that extend to all entities connected to the nation's power grid. The standards were originally developed in 2006 by the North American Electric Reliability Corp (NERC) and periodically updated.
The mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident. Written information security policies and quarterly employee security awareness are both required elements of the standard.
Section R1 (Security Policy Controls) of CIP-003-1 of the standard requires the development and implementation of a written security policy that addresses all of the various security requirements of the entire cyber-security standard. Requirement R3 provides that a responsible entity must document any exceptions to its policy, with senior management approval.
The new PolicyShield Security Policy Subscription Service contains everything an organization needs to build and maintain a complete set of written information security policies. It includes a comprehensive library of over 1400 pre-written information security policies and expert commentary covering each of the security areas identified in the FERC security standard, with regular updates based on the latest threats.
Policy topics include:
Critical Cyber Asset Identification; Security Management Controls; Personnel and Training; Electronic Security Perimeters; Physical Security of Critical Cyber Assets; Systems Security Management; Incident Reporting and Response Planning; and Recovery Plans for Critical Cyber Assets.
Section R1 of the Personnel and Training (CIP-004-1) requirements specifies that organizations must provide regular, ongoing security awareness education on at least a quarterly basis.
Protecting Information is a new quarterly security and privacy awareness newsletter designed for this exact requirement. Protecting Information is edited by data privacy and security expert Rebecca Herold, CISSP, CISM, and goes well beyond traditional newsletters, providing audio files and interactive exercises to engage personnel and help them truly understand security and privacy concepts.
Protecting Information is published four times a year, and each issue features information security and data privacy topics that impact employees both within and outside the workplace. Topics such as social networking, social engineering, mobile computing, e-mail and safe data handling are covered using real-world examples from today’s headlines. Each issue is published in MS-Word and PDF formats and can be customized easily with the organization’s logo and content.
As an additional bonus, each issue includes a companion subscription to Awareness Advisor, a special newsletter containing practical, time-saving advice for security and privacy practitioners written by security, privacy and education expert Rebecca Herold. Contact us for a free evaluation version of Protecting Information.