As kids, our lives were filled with compliance policies. We had to obey guidelines and regulations set down by numerous governing bodies: our parents, our teachers, our coaches and babysitters and, well, pretty much anyone who had power over us. And, when we were out of compliance, when we didn’t make our bed or clean our room or do our homework, we faced consequences – grounding or summer school or maybe even a spanking. We yearned for the day when we would be our own bosses and would not have to comply with anyone.
Unfortunately, though, as we grew up, we realized that compliance policy never lets up. Now we have to be compliant with rules set down by our bosses and the government. And, if we are involved in a utility company, we have learned how important it is to develop a proper policy for NERC compliance. This is especially true because NERC takes security compliance very, very seriously.
“Regulatory compliance is considered one of the primary business risks for industries such as the energy utilities. The National Energy Regulatory Commission (NERC) can fine a company up to $1 million a day for non-compliance," said Rick Doten, vice president of cyber security for DMI.
With that in mind, there are some simple tips that utility companies can use when developing their NERC compliance policy. For example, companies need to know the difference between a policy, a standard and a procedure. “A policy is management's definitive position on a specific issue to ensure consistency,” said Jeff VanSickel, practice leader for compliance at SystemsExperts. “A standard is a specific measurable requirement that governs an operation, configuration or process in order to satisfy a policy. A procedure is a set of step-by-step instructions required to satisfy a given standard."
Once these definitions are clear, it is then essential to develop a framework. Frameworks are important tools for developing unified policies. These frameworks provide guidance for a starting point, allowing utilities to then develop their own checklists and procedures to meet individual needs.
It is also important to make these policies wide-ranging. They should cover not only IT risks but also business risks. Utilities can get bogged down in the details of IT security and forget to take note of company policies and procedures that can lead to vulnerabilities or other issues.
Finally, these policies and procedures need to be flexible. Companies that do not allow for audits and changes run the risk of complacency and stagnation. Organizations should continuously fine-tune policies and procedures in order to make them watertight. In the end, with so much on the line, and harsh penalties for violations, these procedures are smart ways to ensure NERC compliance.
Edited by Carrie Schmelkin