FERC Cyber Security archives - Regulatory Reality

Jul 8 2009   3:45PM GMT

How about a federally mandated Information Security Assessment?

Posted by: David Schneier
Regulatory Compliance, SOX, GLBA, NERC, Audit, compliance, FERC cyber security, cyber security

I had a eureka moment recently that I’d like to share.

In considering the implications of the recently announced changes by MasterCard that will now require PCI Level 2 merchants to be assessed by a Qualified Security Assessor (QSA) it occurred to me that they may be onto something. Why would the credit card industry restrict who needs to be assessed based on size? Why not simply require any business entity that either issues, accepts or processes credit cards to be regularly assessed against the PCI standard by a properly trained practitioner? The size factor could come into play based on the frequency of these assessments but in general everyone would need to have one conducted.

That wasn’t the eureka moment.

It wasn’t until a day or two later, while reading about newly emerging state data privacy laws, that the clouds parted and the sun shone through. With the MasterCard news kicking around in the back of my mind, I started thinking about how these state-based laws were going to come into play, and when I tried to tie all of this back to the Obama administration’s cybersecurity plan, it happened.

What if all business entities that issue, accept or process personal information, regardless of their vertical, are required to have an information security assessment conducted (think GLBA meets NERC CIP meets PCI) by a Certified Information Systems Auditor (CISA)? Think about it: ISACA could be broken up, with the subset that oversees the CISA process becoming federally chartered to both manage the framework and issue the certification (think PCI on steroids). The framework would include portions that are of the one-size-fits-all variety and others that are specific to an industry, and would be scalable based on the size of an entity. The CISA practitioners would all be trained on the framework and how to apply it properly and would need to attend agency-sponsored seminars at least annually.

Rather than have multiple frameworks to wrestle with, business entities would be able to distill information security regulations down to a single, stronger entity (and reduce all the redundant activities that so many of my clients are forced to struggle with). It would bump the IT general controls audit up a level to encompass more than just bits and bytes and allow the entity to tie together related activities that are assessed through a single pass. And the icing on the cake is that the resulting report could also be used in place of a SAS 70 (and finally provide a modicum of consistency to the SAS 70 process as well).

But the best part of my idea is that the business entity could staff up with their own certified assessors that would not only conduct the required work, but also serve as internal advisors year-round. They’d still need to be properly certified and maintain that certification, but there would be no need to constantly pay premium prices for external firms and/or resources.

Maybe the idea was inspired by the fact that I’m just burned out a little from working on multiple compliance initiatives or maybe it stems from my concerns that true IT governance is a generation away. However, after my eureka moment and after sharing the idea with a few associates of mine I’m still liking it.

Does anyone have a direct line to the White House I can use?

Jun 4 2009   8:26PM GMT

Why financial institutions might want to keep an eye on the energy industry.

Posted by: David Schneier
Regulatory Compliance, NERC, CIP, FERC cyber security, PCI

Through an odd turn of events over the past few months I’ve found myself actively engaged with a group that’s focusing quite a bit of effort on NERC CIP. For those of you not in the know, NERC (North American Electric Reliability Corporation) is to the energy sector what PCI is to the credit card industry, and CIP (Critical Infrastructure Protection), like the PCI DSS, is a set of controls that need to be complied with. My involvement came by way of a relationship I established earlier this year with a security firm that takes a really innovative and interesting approach to helping clients identify risks and vulnerabilities. The firm reached out to me because I have this soapbox and was looking for exposure. In the time since, I’ve not only continued the conversation but have become part of a group of security and compliance thought leaders that the company’s compiled to help further refine and focus their vision. As luck would have it, I happen to be actively engaged with a client that’s in the energy sector (I was brought in because of my SOX and PCI genius), and so here I am with my worlds converging on me... again. As such, I’ve been thinking about NERC CIP quite a bit these days despite typically hanging around banks and credit unions.

So why am I bothering to bring this up? I mean, this site is focused on the financial world not energy. And it’s not like there’s ever any shortage of things to discuss with regards to security, compliance and the financial verticals.

Because NERC CIP may prove to be the standard that ultimately becomes the framework used by President Obama’s administration as a baseline for national cybersecurity measures. It’s already federally mandated, courtesy of the Federal Energy Regulatory Commission (FERC), which oversees NERC; it’s high-level enough to work across business verticals (though it would need a reasonably thorough rewrite, which I hereby volunteer to help with); and it has already been validated as strong enough to be used to make sure the electric grid is not needlessly exposed. And at this point in the evolution of information security and regulatory compliance, I doubt there’s a need for yet another new framework. So I’m putting it out there right now that I’m betting money that the soon-to-be-announced cyber security czar will eventually find his/her way to NERC CIP and recognize it as a viable baseline.

Here’s the view from up-high:

  • CIP-001-1 Sabotage Reporting
  • CIP-002-1 Critical Cyber Asset Identification
  • CIP-003-1 Security Management Controls
  • CIP-004-1 Personnel & Training
  • CIP-005-1 Electronic Security Perimeter(s)
  • CIP-006-1 Physical Security of Critical Cyber Assets
  • CIP-007-1 Systems Security Management
  • CIP-008-1 Incident Reporting and Response Planning
  • CIP-009-1 Recovery Plans for Critical Cyber Assets

You have to admit, it’s straightforward and pretty much covers what’s needed. And yes, I know, there’s way more detail to be found underneath the section headings but let’s keep it simple for the purposes of this post. What else would you want to include for a federally mandated cybersecurity framework?

As for why this seemed like a good topic for this particular forum, it’s really quite simple: Something like NERC CIP is coming soon to every business vertical, and not just those within shouting distance of the financial industry. And it will potentially be here before anyone can even say “Happy New Year” again. While most of those in the banking sector are already accustomed to such requirements, almost everyone else isn’t. With PCI having been a shocker, I can only imagine how this is going to play out. I’m just using my digital pulpit to try and jolt people into thinking about what’s rolling down the regulatory highway towards them, so that when the headlights are upon them they’ll maybe be just a little bit prepared.

As an aside regarding President Obama’s press conference last week discussing the cybersecurity 10-point plan, the only truly great thing to come out of it was the fact that it pushed information security to the front pages for the day. Professionally speaking, I thought it lacked any real bite and while I know these things take time I was expecting that there would at least be dates and names aligned against the bullet points to set expectation and assign responsibility. Considering that the plan was based on a report generated by some pretty sharp minds who were likely ready to begin rolling weeks (if not months) ago I was less than thrilled.