I’ve been doing process for longer than I care to mention, and one thing that has often frustrated me is the limited ability of most products to deal with dynamic, contextual work assignments. In the BPM industry, these kinds of processes are typically termed “ad-hoc” or “situational” processes. They follow a rules-based pattern, but the pattern […]
So what’s the big deal about patch management? We’ve already been applying patches to our cyber assets for many years and there’s really not that much new about the actual activity of patching assets. It should be easy to address compliance requirements, right? Well, perhaps, but let’s look at some of the elements of the […]
Managing cyber asset baselines in a NERC CIP compliant manner is no simple task. While on the surface it can appear to be straightforward, that illusion quickly evaporates the closer you get to the challenge. To help with that, here’s my recipe for baselines management.
By now it should be obvious to everyone that it’s not good enough to cobble together a NERC CIP program and call it a day. That will keep you in compliance – well – about a day. It’s not just the fact that the NERC CIP Standards are changing. We’ve recently gone from version 3, […]
One of the areas I work on extensively with utilities is Change Management. What I find is that while most utilities have a process in place for actually making changes (implementation), the CIP compliance side of the equation is often far less formalized and structured. With the additional requirements in the version 5 and 6 […]
It’s easy to misunderstand the importance of process in achieving NERC CIP Compliance. Oftentimes our attention is focused on the evidence we need without realizing what has to happen to create that evidence. Guess what, in most cases what has to happen is a process! Now when the subject turns to process, it’s important to […]