Friday, August 9, 2019

An ex-auditor provides a model for encrypting BCSI in the cloud


After my first post on BES Cyber System Information (BCSI) in the cloud on Monday, Kevin Perry, formerly Chief CIP Auditor for SPP RE, emailed me:

“I believe the following model goes a long way to protect BCSI in the cloud:

  1. The cloud service provider furnishes the servers and network infrastructure necessary for the NERC entity to store and manage its BCSI. 
  2. The entity manages security for its own network and servers.
  3. The entity owns and manages the data itself.  BCSI should be protected by encrypting it. 
  4. The entity needs to control the encryption keys, as well as who has the ability to decrypt the data. 
  5. BCSI access is limited to the entity’s staff who are authorized to access it.
  6. The encryption tools should automatically encrypt the BCSI any time it’s copied or moved to the CSP. If this doesn’t happen, the staff moving the data to the cloud must ensure the data is encrypted prior to the move.
  7. The CSP’s staff has absolutely no access to or control over the encryption keys and the encryption/decryption process.”


I agree with Kevin that this is a good model.
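
A sketch of how items 3, 4, 6 and 7 of the model can be enforced in code, as an added example that is not from the email or from any CSP's tooling. The function names, the blob layout, the choice of AES-256-GCM with a per-object data key wrapped under an entity-held key (KEK), and the `Map` standing in for CSP storage are all assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM. Blob layout (chosen for this example): nonce(12) || ciphertext || tag(16).
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, ct, c.getAuthTag()]);
}

function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(blob.length - 16));
  // final() throws if the key, the object name (AAD) or any ciphertext byte is wrong.
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Entity side, before upload: fresh data key per object, wrapped under the entity-held KEK.
function encryptForCloud(kek, name, bcsi) {
  const dek = nodeCrypto.randomBytes(32);
  const aad = Buffer.from(name, 'utf8');
  return { name, wrappedKey: seal(kek, dek, aad), ciphertext: seal(dek, bcsi, aad) };
}

// Entity side, after download: only a holder of the KEK can unwrap the data key.
function decryptFromCloud(kek, obj) {
  const aad = Buffer.from(obj.name, 'utf8');
  return open(open(kek, obj.wrappedKey, aad), obj.ciphertext, aad);
}

// Upload gate (item 6): the only path to the CSP takes plaintext and always encrypts it.
function makeUploader(kek, putObject) {
  return (name, bcsi) => putObject(encryptForCloud(kek, name, bcsi));
}

// Constructed demo: a Map stands in for the CSP's storage.
function demo() {
  const kek = nodeCrypto.randomBytes(32); // stays with the entity, never uploaded
  const cspStore = new Map();
  const upload = makeUploader(kek, (o) => cspStore.set(o.name, o));
  const doc = Buffer.from('ESP firewall ruleset, substation 12 (constructed sample)');
  upload('esp-rules.txt', doc);
  const stored = cspStore.get('esp-rules.txt');
  const leaked = stored.ciphertext.includes(doc) || stored.wrappedKey.includes(kek);
  return { stored, kek, roundTrip: decryptFromCloud(kek, stored).equals(doc), leaked };
}
```

In a real deployment the KEK would sit in a key store the entity controls, and access to it is what implements item 5.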


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
