© 2012 TITUS Inc. All rights reserved. Terms of Use and Privacy Statement
NERC reliability standards define the reliability requirements for planning and operating the North American bulk power system. NERC’s ANSI-accredited standards development process is defined in the Standard Processes Manual and is guided by reliability and market interface principles. The Reliability Functional Model defines the functions that need to be performed to ensure the bulk electric system operates reliably, and is the foundation upon which the reliability standards are based.
Currently, the legislative framework to make standards mandatory and enforceable exists through action of the regulatory authority in the United States (through FERC) and in the Canadian provinces of Alberta, British Columbia, Nova Scotia, and Quebec. Of these, only FERC has taken action to approve reliability standards as mandatory and enforceable.
An important area these standards address is Cyber Security. This section provides a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.
Business and operational demands for managing and maintaining a reliable Bulk Electric System increasingly rely on Cyber Assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data. In this section, NERC requires that responsible entities have security management controls in place to protect these critical cyber assets.
In order to do this, NERC states that the responsible entity must implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets:
- The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information.
- The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information.
- The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.
For each section in the NERC standards, a data retention requirement is mentioned. Dependant on the type of information, NERC requires information to be retained for a specific period of time.
TITUS solutions enable energy and utility organizations to adhere to NERC standards.
TITUS provides classification solutions which address many core information security requirements for NERC standards. By forcing users to classify their information, organizations can ensure compliance to the classification requirements of the NERC standards. Further, TITUS classification solutions generate log files from classification actions. This allows organizations to assess adherence levels and identify possible deficiencies of in their information protection program, as outlined in the NERC standards. TITUS classification solutions also automatically embed metadata into every email, document and file. This allows organizations to enhance downstream solutions, such as archiving systems, in order to retain information based on their classification level in accordance to the NERC standards.
NERC Solutions include:
Data Classification
Message Classification
Classifies, labels, and protectively marks email in Microsoft Outlook, Outlook Web Access, and mobile devices. This allows organizations to comply by ensuring every email is classified and protectively marked before being sent.
Classification for Microsoft Office
Classifies, labels, and protectively marks documents in Microsoft Office Word, Excel, and PowerPoint. This allows organizations to comply by ensuring every document is classified and protectively marked before being saved or printed.
Classification for Desktop
Classifies any file type in Windows Explorer, including Adobe PDF, multimedia files, and CAD documents.
SharePoint Security
Metadata Security
Restricts access to documents in SharePoint based on the document’s metadata properties in order to ensure the right people are seeing the right information.
Document Policy Manager
Applies visual labels to existing and new documents automatically in order to help comply with marking requirements. Converts documents to Adobe PDF to protect against unauthorized editing of sensitive information.
A Pacific Northwest utility company is using TITUS Message Classification, TITUS Classification for Microsoft Office, and TITUS Classification for Desktop to identify, classify and protect unstructured data to meet NERC data governance and compliance requirements.