33. What is the NERC Critical Infrastructure Protection (CIP) program and why are information security policies and procedures so important, and do you offer comprehensive I.T. security documentation?

The NERC Critical Infrastructure Protection (CIP) program, according to the North American Electric Reliability Corporation, coordinates all of NERC’s efforts to improve and advance numerous physical and cyber security initiatives for the bulk power system of North America, particularly as they relate to reliability, along with other critically important adjunct measures, such as safety and security. Additionally, the NERC CIP program has become very well known, due in large part to its affiliation with FERC, the Federal Energy Regulatory Commission, which is a US federal agency with broad oversight and jurisdiction over the energy sector as a whole.

As for the actual NERC CIP standards, which you can learn more about at nerc.com, they consist of the following:

  • CIP 001 Sabotage Reporting
  • CIP 002 Critical Cyber Asset Identification
  • CIP 003 Security Management Controls
  • CIP 004 Personnel & Training
  • CIP 005 Electronic Security Perimeter(s)
  • CIP 006 Physical Security of Critical Cyber Assets
  • CIP 007 Systems Security Management
  • CIP 008 Incident Reporting and Response Planning
  • CIP 009 Recovery Plans for Critical Cyber Assets
  • CIP 010 Configuration Change Management and Vulnerability Assessments
  • CIP 011 Information Protection

NERC CIP Compliance | Information Security Policies are Important

The NERC CIP program is in-depth and comprehensive – that goes without saying – but what’s fundamentally crucial to the success of this compliance framework for many organizations is having documented operational and information security policies and procedures in place. Stop and think about all the various policy and procedure requirements within the NERC CIP program: there are quite a few. If you’re considering undertaking compliance with the actual NERC CIP program, obtaining a comprehensive set of well-written, high-quality, industry-leading operational and information security templates is a good idea.

And an even better idea is to start with the FLANK and the FLANK21 set of policies and procedures, which contains literally hundreds of industry-leading operational, business-specific, and information security policies, procedures, forms, checklists, provisioning and hardening documents – and more.