Title: Security Guidelines Working Group Update
CIPC Confidentiality Public Release
- CIPC Meeting
- Phoenix, AZ
- Mar 16, 2006
- Seiki Harada
- SGWG Chair
Discussion Items
- SGWG Roster
- Change to the Guideline Preamble
- 2006 Prioritization of the Guideline Updates
- Regular Review Cycle for All Security Guidelines
- Content Review of Guidelines by SGWG
- Guideline Directions
SGWG Roster
- As of March 10, 2006, the SGWG comprises:
- Scott McCoy (Physical)
- Scott Webber (Physical)
- Bruce Metruck (Physical)
- Mike Paszynsky (Physical)
- Larry Bugh (Cyber)
- Joe Doetzl (Cyber)
- David Baumken (Cyber)
- Roger Lampila (Operations)
- Tom Kropp (Research Institutions)
- Ken Hall (Research Institutions)
Changes to the Preamble
A suggestion was made by NERC legal staff to adopt the following wording:
"This document addresses potential risks that can apply to some electricity sector organizations and provides practices that can help mitigate the risks. Each organization decides for itself the risks it can accept and the practices it deems appropriate to manage its risks."
Prioritization of Guideline Updates
- Of the 18 Security Guidelines, 14 were assessed as needing updates.
- The remaining 4 are recent ones and deemed acceptable.
- It is not reasonable to expect the various working groups to re-draft all 14 of them and put them through CIPC approvals in one year (9 months now!).
- SGWG recommends 7 updates this year and 7 next year (refer to the SGWG Reference Document No. 1).
Criteria for Prioritization
- Synchronization with, or in support of, the permanent cyber security guidelines
- Importance/relevance of the subject matter today
- How 'off' or 'dated' the content is
- Subsumed by any new guidelines (i.e., elimination candidates)?
Prioritization of Guideline Updates
Recommended Updates for 2006
Prioritization of Guideline Updates
Recommended Updates for 2007
Guideline Updates: Further Recommendations
- The CIPC Executive Committee assigns an owning working group for each security guideline.
- The owning working group will accommodate identified updates in its 2006/2007 work schedule.
- NERC CIPC support staff will follow up with the respective working group regarding the timing of completion and CIPC reviews.
Regular Guideline Reviews
- Today, there is no fixed schedule for reviewing existing guidelines.
- The Cyber Security Standard (CIP 003) asks for an annual review of policies.
- SGWG Recommendation
  - Complete the identified updates for 2006 and 2007.
  - After that, schedule reviews of the guidelines every two years, or when there is a watershed event in the subject area. These biennial reviews will not necessarily result in updates.
Content Review of Security Guidelines
- Background
  - Comments were made that SGWG should stay away from reviewing guideline contents.
  - The SGWG Terms of Reference state, in part: "review existing CIPC guidelines, and other electric and non-electric industry reference material, for currency and relevance."
Content Review of Security Guidelines
- What the SGWG guideline reviews entail today
  - Consistency and compatibility with security standards and other security guidelines
  - Consistency of parts within a specific guideline
  - Currency and relevance to current threats and industry practices (e.g., checked against IEEE, ISO, NIST, ANSI, CSA, etc.)
Content Review of Security Guidelines
- Recommendation
  - SGWG will review content only in the sense of the above consistency checks, not as a value judgement.
  - SGWG will provide timely comments to the owning working group.
  - The owning working group will consider the comments provided. It is not obliged to accommodate all comments.
Guideline Directions
- Most new guidelines come from Working Groups or Task Forces/Teams.
- SGWG may from time to time identify an area where a new security guideline is appropriate.
- The CIPC will have the final say in the generation of a new (or the elimination of an existing) security guideline.
Thank you!
- Thank you for working with me for the past two years. It has been a challenge and a pleasure at the same time.
- Please support Scott McCoy in the coming years!