Here’s an apt summary of a day in the life of an IT guy whose job it is to ensure compliance:
Fight fires
Get reamed for last audit
Fight more fires
Grovel to CIO and CFO for budget and resources
Clean up after stupid user
Fill out a silly report
Fight yet another fire
Learn about new application that is going live tomorrow
Go home. Have stiff drink. Pray beeper doesn’t go off at 3 AM.
It’s from eIQnetworks VP Mike Rothman’s Security Incite blog. He could have written a longer list if he were one of the IT people who have to ensure that hundreds of US power plants are compliant: IT security is part of a larger standards picture that includes emergency preparedness, electrical output and load balancing, worker safety, and physical security.
How do I know this? I spoke with Eric Knight, senior knowledge engineer at LogRhythm, about new compliance requirements in the electric utility industry. Knight is an expert on compliance in what I think of as the traditional regulatory areas—HIPAA and SOX—and an area I’d never heard of: NERC compliance. NERC is the North American Electric Reliability Corporation, a commission that regulates power companies. NERC was born out of an event that you might have experienced, if only in utero afterward: the 1965 New York City blackout. NERC’s Critical Infrastructure Protection (CIP) standards regulate the IT pieces.
“NERC uses very simple language but it also goes into technical detail about how the requirement should be met—not like HIPAA or SOX, where an organization comes up with how they’ll comply. NERC cuts to the chase—you have to do this, you have to do that,” Knight says. Failure to comply with NERC standards can result in fines of a couple hundred thousand dollars to a million dollars.
One thing he noted is that among the IT people facing compliance challenges with NERC, “There’s definitely some concern about collecting and storing. Access logs have to be kept for 90 days; logs that involve outages have to be kept a year. Keeping a couple megabytes for logs doesn’t work anymore.”
Notwithstanding that he is employed by a log management company, of course, Knight knows compliance and what works. “We recommend a centralized log management process. When an incident occurs, such as system failure, a plant has 30 days to prepare and provide documentation. If you don’t already have a centralized log management process, you might not make that 30-day deadline.” Knight speaks Friday in Houston at the NERC IT Compliance Management Conference.
How does this affect you? Network security solution provider WatchGuard identified the top five security trends it says will affect IT in 2009. One was compliance: “Expect to see substantive changes to security and identity protection laws, as well as toughened industry regulations,” it said, in a list released a few weeks ago.
Okay, so your job isn’t to mull over regulations. But your job might be affected by them in the coming year. With Washington’s emphasis on funding renewable, US-based energy sources this year, perhaps you might even find yourself inside an electric utility, saying, “Yes, I’ve heard of NERC CIP.”
You can thank me later. Unless you end up having a day like Mike Rothman’s day. Then I'll pour you that drink.