In case any of you aren’t sure, the initial compliance date for CIP v5/v6 is 15 days from today, July 1. Entities with High, Medium and Low impact assets all have compliance obligations on that day. And the ever-vigilant Lew Folkerth of RF has just put out a last-minute “checklist” listing some areas where he thinks entities may be deficient. You can find it in RF’s most recent newsletter in Lew’s usual column, “The Lighthouse”.
I won’t try to summarize the article, but here are a few high points:
- Since Lew works for a Regional Entity, he emphasizes the evidence you will need to have starting July 1.
- There is a sidebar listing five things that Lows have to do by that date.
- There is only one point on which I disagree with him. It is found in the second column of page 11, starting with “Ensure your reliability…” He says “In implementing a compliance program, it is important that we not only obey the letter of the Standard, but that we achieve the intent of the Standard as well.”
Regarding this last point, I have previously written about the fallacy of believing that it would ever be possible to determine the intent of one of the CIP standards. Thinking that you will be able to justify a particular compliance action you have taken (or not taken) based on some “knowledge” you may have of what the Standards Drafting Team “intended” a requirement to mean is a fool’s errand.
On the other hand, I know well that Lew doesn’t mean that. I believe what he is saying here is that entities always need to be looking beyond the CIP requirements to what is really required from a pure cyber security point of view, and that the auditors won’t be looking strictly at whether you have complied with the letter of the requirement, but at whether you have taken the steps you should reasonably take for cyber security, even if they aren’t mandated by the CIP standards.
However, it is important to keep in mind that, when you’re audited, you won’t get a PV for not going beyond the CIP standards. You may get a Recommendation that you do so, but it can never become a PV, even if you choose not to follow the Recommendation. For a more in-depth discussion of this point, see Lew’s discussion in this post.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.