FERC/NERC Information Security Solutions

About the Mandatory Reliability Standards for Critical Infrastructure Protection (CIP)

The Federal Energy Regulatory Commission (FERC) has approved eight mandatory cyber-security standards that apply to users, owners and operators of the nation's bulk power system. The standards were originally developed by the North American Electric Reliability Corporation (NERC) in 2006 and are revised periodically; collectively they are known as the Critical Infrastructure Protection (CIP) standards.

The mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident. Written information security policies and quarterly employee security awareness reinforcement are both required elements of the standard.

Information Security Policy Solutions

Requirement R1 (Cyber Security Policy) of CIP-003-1 requires the development and implementation of a written security policy that addresses all of the security requirements of the entire cyber-security standard. Requirement R3 (Exceptions) provides that a Responsible Entity must document any instance in which it cannot conform to that policy as an exception, and that each exception must be approved by senior management.

Information Security Policies Made Easy (Version 13) provides everything an organization needs to build and maintain a complete set of written information security policies. It includes a comprehensive library of over 1400 pre-written information security policies, with expert commentary covering each of the security areas of the NERC CIP standard.

Policy topics include: Critical Cyber Asset Identification; Security Management Controls; Personnel and Training; Electronic Security Perimeters; Physical Security of Critical Cyber Assets; Systems Security Management; Incident Reporting and Response Planning; and Recovery Plans for Critical Cyber Assets.

Ongoing Security Awareness Training

Requirement R1 (Awareness) of the Personnel and Training standard (CIP-004-1) specifies that organizations must maintain a security awareness program that provides ongoing reinforcement in sound security practices, at least quarterly, to personnel with authorized cyber or unescorted physical access to Critical Cyber Assets. Information Shield offers a variety of security awareness and training options to fit any organization.