Five days ago, I wrote a post calling attention to Lew Folkerth’s December article on CIP-010 R1 (configuration management) compliance. In that post, I mentioned that you can now sign up to receive notices of new RF newsletters (where Lew’s column appears). I signed up and I’m glad I did, because yesterday I got notice of a new newsletter.
This time, Lew’s article (which as usual goes under the name “The Lighthouse”) is about CIP-007 R2 patch management mitigation plans. Lew’s articles are always excellent, but this is one of his best yet, in my opinion.
I must admit I hadn’t thought very much about patch management mitigation plans. R2.3 says “Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.” I had always just assumed this was all you need to know about these plans.
It turns out I was wrong. Lew does an excellent job of pulling out what really needs to be in a mitigation plan and how it needs to be handled. None of this is in any way an add-on to the requirement, by the way. Lew is simply following the logical implications of what the mitigation plan needs to accomplish, both for security and compliance. Lew has always been most concerned about what makes the most sense from a security point of view. I won’t say everything he says in this article is needed strictly for compliance with the requirement, but doing it will certainly allow you to tell a good story when you get audited.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.