Kevin Perry, former Chief CIP Auditor of SPP RE, retired last year, but still reads my posts (after all, what better way to spend your retirement?) and has often corresponded with me on them, as he often did while he was an auditor. He sent me the comment below regarding my most recent post on CIP-013. He said:
I look at it this way... the contract language or other documented agreements simply show what you agreed to, and don't guarantee performance. The RFI and other procurement solicitation documentation shows you tried, even if the vendor will not agree to your requests. But what you really need to focus on is managing your own risk and not assigning it to the vendor. What can you do to mitigate vendor risk, as opposed to what will you presume the vendor is doing to mitigate your risk? If you approach the issue with an assumption that the vendor will fail, then your mitigation will be better than if you assume the vendor has your back. It is not much different than network security between two companies. You mitigate risk through mutual distrust... you assume something bad will get on your partner's network and thus you build your own defenses at your perimeter.
I couldn't have said it any better! And I would certainly have taken a lot longer to say it...
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you're a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post, especially on compliance with CIP-013. To discuss this, you can email me at the same address.