Guest Blog by Nick Santora, Chief Executive Officer of Curricula
NERC CIP is constantly evolving. But the principals of being audited have been around for decades and decades. Why do some organizations do so well on their NERC CIP audits and some don’t? Why can some organizations struggle to find evidence and understand their own processes? I call it “The CIP Scramble”.
What Is “The CIP Scramble”?
The scramble is a classic technique inherited by organizations that just aren’t prepared. Think of it like this. If the IRS was about to audit you and asked you to provide every receipt for the past 7 years, would you be able to do it? Probably not. I would put money on it that something would go wrong and you wouldn’t be able to find everything you need. There are just too many unknowns in this situation that cause an influx of issues and cause us to scramble if we are not adequately prepared.
How Does It Relate To NERC?
Now, Let’s apply the requirements for your security awareness training program under CIP-004 R1. Responsible entities are required to deliver quarterly security awareness campaigns to personnel that are in scope for those with access to High and Medium Impact BES Cyber Systems. Doesn’t seem too hard right? Just write a one-sentence email to the staff at the end of the quarter that says “Staff, please don’t get hacked.” Effective? No. Compliant? Yes. But that’s a story for another day.
Alright, let’s make the situation more complicated. Let’s say you are actually sending out real security awareness content to all of your staff, contractors, and vendors. But the situation gets a bit more difficult- you have each department responsible for sending out campaigns and ensuring it is made available for in scope personnel. How do you know everyone did their job? How do you know that everyone had the content made available to them? How do you know if you will be compliant and dodge? This is a situation I have seen far too many times in my career at NERC that ultimately led to the scramble. Every department is searching dramatically through past emails, scraping file servers, calling their vendors, and reaching out to contractors for answers.
Evidence Slips Through The Cracks
The scramble isn’t fun for anyone, and this is a primary example of how evidence falls through the cracks. Anyone can say they did something, and even have a process for it. But that doesn’t mean they actually implemented what they said they did and followed the process. You need to be accountable for your program and think ahead before the scramble. You know you are going to get audited, so why take the risk of waiting until the last minute to find out that you are missing data and evidence, or your process is not being followed.
Documenting evidence is only part of the puzzle. You need to have a community surrounding how you gather evidence and why. So for example, when we are talking about the evidence needed for your security awareness program, you need to ensure your entire team is documenting and making available a content distribution strategy for all personnel in scope including responsible departments, contractors, vendors, etc. NERC CIP doesn’t require you to document that each and every individual is completing or engaging with security awareness content, but if you are putting in the effort, why not see the results?
SigmaFlow can help organize all of the data taken out of Curricula’s security awareness training platform to ensure a consistent view is taken on the compliance approach to this standard. You can even grab your phishing training results and organize them alongside all of the effort that has been put forward towards educating staff about cyber security.
About the Author
Chief Executive Officer | Curricula
Nick Santora founded Curricula after a 7-year career at the North American Electric Reliability Corporation (NERC), the enforcement agency responsible for regulating the power grid across North America. Nick is internationally recognized as a cyber security expert and speaks regularly at security conferences across North America on the psychology behind influencing employees within security awareness programs.
Nick holds a Bachelor of Science and Master of Business Administration from Rider University. He also earned his CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor). Nick also serves on the board of advisors for Veracity.