Conference: DISTRIBUTech - Conference and Exhibition

Compliance Conundrum: To Comply or To Prove Compliance?


Abstract

There are two important aspects to compliance with the NERC CIP 002-009 Cyber Security standards. The first aspect of NERC CIP compliance involves deploying hardware and software solutions or processes to accomplish cyber security goals. This could involve deploying firewalls, intrusion detection systems, video surveillance systems, or authentication software. The second aspect of NERC CIP compliance involves managing data that substantiates and documents an organization's compliance efforts. NERC CIP has very challenging requirements, which call not only for detailed documentation on deployed solutions (e.g., firewalls), but also for documentation on how those solutions were tested, documentation on back-up plans if the solution fails, and documentation on testing the back-up solution. It is natural to focus on deploying hardware and software or enacting processes and practices to adhere to compliance requirements. Just as important, but often overlooked, is establishing a framework for proving one's compliance to both internal and external audiences. NERC CIP makes it hard to overlook compliance proof because of its strong theme of compliance accountability.
