SOURCE: LockPath, Inc.


June 01, 2015 00:00 ET

NERC CIP v5 Suggests Compliance Does Not Equal Security

OVERLAND PARK, KS--(Marketwired - June 01, 2015) - What's the difference between compliance and security? One might think being compliant also means being secure. There is perhaps no bigger misconception in the information security world.

What should be understood is that compliance with whatever regulations your organization must follow should be the byproduct of a solid security program, not its goal. Compliance is retrospective: a "check box" exercise that shows an auditor the required controls existed at a point in time. Security is prospective: the ongoing work of adjusting controls as the threat landscape changes. Those who believe compliance rewards them with ample security are flirting with being breached.

NERC's Critical Infrastructure Protection (CIP) standards take this understanding into account. The upcoming Version 5 standards require more than paperwork; several of them are built around keeping security awareness and practice current rather than merely documented. In particular:

  • CIP-003-5: Cybersecurity - Security Management Controls
    This standard requires all responsible entities to document cybersecurity policies covering the topics addressed by the CIP standards and to have those policies reviewed and approved by the CIP Senior Manager at least once every 15 calendar months.
  • CIP-004-5: Cybersecurity - Personnel and Training
    This standard requires documented programs that build and maintain cybersecurity awareness, including quarterly awareness reinforcement, role-based cybersecurity training, personnel risk assessment, and access management and revocation.
  • CIP-008-5: Cybersecurity - Incident Reporting and Response Planning
    This standard requires a documented cybersecurity incident response plan that is tested at least once every 15 calendar months, updated after tests and actual incidents, and includes a process for reporting Reportable Cyber Security Incidents to the ES-ISAC within one hour of determining that an incident is reportable.

What's more, each of these standards sets a cadence for the activity it requires, from quarterly awareness reinforcement under CIP-004-5 to reviews, tests and approvals at least once every 15 calendar months under the others, so an entity has to show not only that a control exists but that it has been exercised on schedule.

These standards, with their requirements for documentation, assessment, and repeatable processes, are a lot to juggle, especially once you factor in the seven other standards that make up CIP v5. An automated risk management and compliance solution, like LockPath's Keylight, can take the manual, laborious record-keeping out of complying with all of the CIP standards. Focusing solely on the three aforementioned standards dealing with security awareness, a risk management and compliance solution can:

1) Schedule awareness events for policy review and gain verification/approval through documented, time stamped workflow;
2) Centralize the documentation of training activities and personnel completion, automate delivery of assessments, and score risk based on results of assessments; and
3) Track all security and compliance incidents including investigatory and remediation efforts via workflow with the ability to document deviations and lessons learned.

Compliance means you won't be fined. Security means you are far less likely to end up in the headlines. A friendly security suggestion: look beyond CIP compliance and treat it as the baseline for your security program, not the ceiling.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.
