The Importance of Workflows and Diagrams
Workflows and diagrams are a great tool for taking personnel and auditors through a visual interpretation of an entity’s procedures. While the first step in demonstrating compliance with NERC CIP Standards and Requirements is to develop and implement strong compliance documentation, generally in the form of policies and procedures, CRSI has learned that policy and procedure documentation alone is often not sufficient. Utilities must next consider added documentation that supports their compliance evidence.
Some examples of added documentation that may support compliance or enterprise-wide organizational readiness include:
- Network diagrams which include ESP and PSP diagrams.
- Procedural or situational workflows to take personnel or auditors through the visual process of how a procedure is accomplished.
- Organizational charts that provide a visual representation of the chain of command within an enterprise.
Under NERC CIP Standards such as CIP-005-5 R1, for example, an entity must prove it is compliant with the Standard by demonstrating that all External Routable Connectivity (ERC) passes through an identified Electronic Access Point (EAP). While this will be stated in its compliance documentation, NERC advises that entities provide evidence by showing all external routable communication paths and the identified EAPs. CRSI can assist with either the creation of these diagrams or a third-party review to ensure the entity has not overlooked anything that could potentially place it in noncompliance during an audit.
Though NERC does not directly advise the development of a workflow to prove compliance, it is often a useful tool in guiding personnel through this complex process, whether during an actual event or for training purposes. Several utilities may also find it useful to have organizational charts in place to provide structural guidance by showing the chain of command within a company. Though also not required by NERC, management accountability, as well as knowing personnel responsibilities, is very important for any organization in demonstrating a clear line of authority. This may also include the roles and responsibilities of individuals or any support personnel who are linked to a certain role.
An organized company structure is important in executing seamless operations and planning within an organization. CRSI’s team has led clients in implementing and supporting enterprise-wide documentation that is useful not only in passing a NERC CIP audit, but in providing entities with unified organizational readiness to ensure business continuity.
CRSI has strategically partnered with more than 250 electric utilities in the last five (5) years on their NERC CIP Compliance Solutions. To find out more about how to create your Security Compliance Roadmap, call us today to schedule a free, no-obligation consultation.