February 26, 2009 12:00 AM

Security Trends: You Will Comply

Has log management's heyday begun?
Windows IT Pro
InstantDoc ID #101600

Here’s an apt summary of a day in the life of an IT guy whose job it is to ensure compliance:
Fight fires
Get reamed for last audit
Fight more fires
Grovel to CIO and CFO for budget and resources
Clean up after stupid user
Fill out a silly report
Fight yet another fire
Learn about new application that is going live tomorrow
Go home.
Have stiff drink.
Pray beeper doesn’t go off at 3 AM.


It’s from eIQnetworks VP Mike Rothman’s Security Incite blog. He could have written a longer list if he were one of the IT people who have to ensure that hundreds of US power plants are compliant: IT security is part of a larger standards picture that includes emergency preparedness, electrical output and load balancing, worker safety, and physical security.

How do I know this? I spoke with Eric Knight, senior knowledge engineer at LogRhythm, about new compliance requirements in the electric utility industry. Knight is an expert on compliance in what I think of as the traditional regulatory areas—HIPAA and SOX—and an area I’d never heard of: NERC compliance. NERC is the North American Electric Reliability Corporation, a commission that regulates power companies. NERC was born out of an event that you might have experienced, if only in utero afterward: the 1965 New York City blackout. NERC’s Critical Infrastructure Protection (CIP) standards regulate the IT pieces.

“NERC uses very simple language but it also goes into technical detail about how the requirement should be met—not like HIPAA or SOX, where an organization comes up with how they’ll comply. NERC cuts to the chase—you have to do this, you have to do that,” Knight says. Failure to comply with NERC standards can result in fines of a couple hundred thousand dollars to a million dollars.

One thing he noted is that among the IT people facing compliance challenges with NERC, “There’s definitely some concern about collecting and storing. Access logs have to be kept for 90 days; logs that involve outages have to be kept a year. Keeping a couple megabytes for logs doesn’t work anymore.”

Notwithstanding that he is employed by a log management company, of course, Knight knows compliance and what works. “We recommend a centralized log management process. When an incident occurs, such as system failure, a plant has 30 days to prepare and provide documentation. If you don’t already have a centralized log management process, you might not make that 30-day deadline.” Knight speaks Friday in Houston at the NERC IT Compliance Management Conference.

How does this affect you? Network security solution provider WatchGuard identified the top five security trends it says will affect IT in 2009. One was compliance: “Expect to see substantive changes to security and identity protection laws, as well as toughened industry regulations,” it said, in a list released a few weeks ago.

Okay, so your job isn’t to mull over regulations. But your job might be affected by them in the coming year. With Washington’s emphasis on funding renewable, US-based energy sources this year, perhaps you might even find yourself inside an electric utility, saying, “Yes, I’ve heard of NERC CIP.”

You can thank me later. Unless you end up having a day like Mike Rothman’s day. Then I'll pour you that drink.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.