ES-C2M2 | Overview | Information Security Policies are Critical for Compliance | Electric Subsector Cybersecurity Capability Maturity Model
34. What is the Electric Subsector Cybersecurity Capability Maturity Model (ES-C2M2) and why are information security policies and procedures so important, and do you offer comprehensive I.T. security documentation?
ES-C2M2, officially known as the Electric Subsector Cybersecurity Capability Maturity, is a comprehensive framework (developed in conjunction with the White House, DHS, and other industry organizations) that aims to support ongoing development and measurement of cyber security capabilities within the electricity subsector through the following four (4) main objectives:
- Strengthening cyber security capabilities.
- Enabling utilities to effectively and consistently evaluate and also benchmark applicable cyber security capabilities and initiatives.
- Sharing of knowledge and best practices within the community as a whole.
- Enabling utilize to prioritize, invest, and undertake other necessary procedures for improving cyber security.
EC-C2M2 | Ten (10) Domains | Four (4) Maturity Indicator Levels (MILs)
As for the model of ES-C2M2, it’s organized into ten (10) domains, along with four (4) maturity indicator levels (MILs), with each domain effectively being a logical grouping of cyber security practices. As for the ten (10) domains, they consist of the following:
- Risk Management (RISK)
- Asset, Change, and Configuration Management (ASSET)
- Identity and Access Management (ACCESS)
- Threat and Vulnerability Management (THREAT)
- Situational Awareness (SITUATION)
- Information Sharing and Communications (SHARING)
- Event and Incident Response, Continuity of Operations (RESPONSE)
- Supply Chain and External Dependencies Management (DEPENDENCIES)
- Workforce Management (WORKFORCE)
- Cyber security Program Management (CYBER)
ES-C2M2 | Policies and Procedures are Critical for Compliance
What’s interesting to note about the ten (10) ES-C2M2 domains is the need for comprehensive operational and information security policies and procedures. Risk assessment, change management, incident response measures – the list goes on and on – these and other areas within the ES-C2M2 framework are heavily dependent upon documented policies and procedures for helping ensure compliance. While there are no doubt numerous technical requirements that must also be met for ES-C2M2, developing well-written and in-depth policy and procedural material can be an extremely challenging and time-consuming process. What’s needed are the FLANK21 set of operational, business specific, and information security documents from FLANK, a global leader in offering professionally developed, high-quality security documentation.
With literally hundreds of templates to choose from, the FLANK21 can help facilitate compliance regarding ES-C2M2.
As for version 1.0 of the ES-C2M2 publication, dated 31May, 2012, it’s available for download from http://www.energy.gov.