Attachment A-2 - April 29, 2011 Public Spreadsheet
PRIVILEGED AND CONFIDENTIAL INFORMATION HAS BEEN REMOVED FROM THIS PUBLIC VERSION

Each record below is one row of the spreadsheet, with the original column headings given as field names.

NERC Violation ID # FRCC201000324
Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1 could not demonstrate that 132 personnel with authorized unescorted physical or cyber access to Critical Cyber Assets (CCAs) were trained within ninety days of authorization, as it did not maintain the records of completion for the 132 personnel.
Reliability Standard: CIP-004-1
Req.: 2.1
Violation Risk Factor: Lower
Violation Severity Level: Lower (Level of Noncompliance L1 2.1.2)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because all of the affected personnel were long-term employees in good standing. Further, FRCC_URE1 attested that training was conducted, although records for such training do not exist.
Violation Start Date: 9/29/2008
Violation End Date: 1/7/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) CIP responsible manager has increased awareness of CIP compliance responsibilities of support staff by completing designation letters; 2) it developed database for use in tracking and recording training dates and access privileges; 3) it reviewed and updated list of personnel with access to Critical Cyber Assets (CCAs) and continues to review it in accordance with CIP-004; 4) it reviewed database for sufficiency and made any necessary changes; 5) it modified training attendance sheet with a block to indicate database updated for each attendee. Created/completed email reminders at 4-week prior to end of the quarter to trigger review process. Trained managers on need to inform CIP managers of all personnel changes for access controls; 6) it created Memorandum of Understanding (MOU) for contractors to notify it of all terminations as soon as possible but within 12 hours; 7) it reviewed and updated the process for documenting that training has occurred; 8) it created/completed process for Human Resources to notify the control center of all employee terminations; 9) it developed PowerPoint slide show with notes for off-site personnel to complete for FRCC_URE1 training for access requirements; and 10) it developed queries in the database to facilitate reviews of access lists on a routine basis.
Mitigation Completion Date: 10/27/2010
Date Regional Entity Verified Completion of Mitigation: 3/2/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

NERC Violation ID # FRCC201000325
Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1, due to a lack of documentation, could not demonstrate compliance with CIP-004 R4.1, which requires an entity to review and update the list of users with authorized access to Critical Cyber Assets (CCAs).
Reliability Standard: CIP-004-1
Req.: 4.1
Violation Risk Factor: Lower
Violation Severity Level: Lower (Level of Noncompliance L1 2.1.4)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because FRCC_URE1 created and maintained the list of all authorized users with access to CCAs, but FRCC_URE1 failed to document the quarterly reviews required by the standard.
Violation Start Date: 7/1/2008
Violation End Date: 3/31/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) CIP responsible manager has increased awareness of CIP compliance responsibilities of support staff by completing designation letters; 2) it developed database for use in tracking and recording training dates and access privileges; 3) it reviewed and updated list of personnel with access to CCAs and continues to review it in accordance with CIP-004; 4) it reviewed database for sufficiency and made any necessary changes; 5) it modified training attendance sheet with a block to indicate database updated for each attendee. Created/completed email reminders at 4-week prior to end of the quarter to trigger review process. Trained managers on need to inform CIP managers of all personnel changes for access controls; 6) it created Memorandum of Understanding (MOU) for contractors to notify it of all terminations ASAP but within 12 hours; 7) it reviewed and updated the process for documenting that training has occurred; 8) it created/completed process for HR to notify the control of all employee terminations; 9) it developed PowerPoint slide show with notes for off-site personnel to complete for FRCC_URE1 training for access requirements; and 10) it developed queries in the database to facilitate reviews of access lists on a routine basis.
Mitigation Completion Date: 10/27/2010
Date Regional Entity Verified Completion of Mitigation: 3/2/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

NERC Violation ID # FRCC201000337
Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1's evidence was insufficient to demonstrate that it conducted annual training for 25 personnel that had authorized access to Critical Cyber Assets (CCAs) as required by CIP-004 R2.3. Training for them occurred late, with a delay of one to seven days.
Reliability Standard: CIP-004-1
Req.: 2.3
Violation Risk Factor: Lower
Violation Severity Level: Lower (Level of Noncompliance L1 2.1.2)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because all the personnel were long-term employees in good standing, and the longest training lapse was seven days.
Violation Start Date: 1/1/2010
Violation End Date: 1/7/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Spot Check
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) it developed database for use in tracking and recording training dates and access privileges; 2) it created email reminders at 4-weeks prior to end of the quarter to trigger review process; 3) it reviewed and updated the process for documenting that training has occurred; 4) it modified the training program to clarify the termination of access rights for failure to obtain annual training; and 5) it developed queries in the database to facilitate reviews of access lists on a routine basis.
Mitigation Completion Date: 8/31/2010
Date Regional Entity Verified Completion of Mitigation: 3/2/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

NERC Violation ID # FRCC201000338
Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1's evidence submitted for CIP-004 R3 demonstrated that it did not conduct personnel risk assessments (PRA) for 8 personnel (including 5 contractors), with authorized access to FRCC_URE1 Critical Cyber Assets (CCAs) within 30 days, as required by the Standard.
Reliability Standard: CIP-004-1
Req.: 3
Violation Risk Factor: Lower
Violation Severity Level: Moderate (Level of Noncompliance L2 2.2.3)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because the missed PRAs were for long-term employees and all of the contractors were from trusted vendors who had supported the entity for several years.
Violation Start Date: 7/1/2008
Violation End Date: 8/30/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Spot Check
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) it submitted change to policy on the conduct of PRAs; 2) it reviewed existing documentation for FRCC_URE1 employees to determine if PRAs were performed or required; 3) it reviewed Contractor personnel files to obtain available PRA results; 4) it reviewed process for conducting and documenting PRAs of personnel and contractors with authorized access to FRCC_URE1 CCAs, and made any necessary revisions to ensure that such PRAs are conducted in accordance with the reliability standard requirements and evidence is properly documented; and 5) it reviewed process improvements with divisional managers.
Mitigation Completion Date: 9/29/2010
Date Regional Entity Verified Completion of Mitigation: 3/2/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

NERC Violation ID # FRCC201000326
Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1 did not perform a cyber vulnerability assessment of its electronic access points to the Electronic Security Perimeter(s) as required by CIP-005-1 R4.
Reliability Standard: CIP-005-1
Req.: 4
Violation Risk Factor: Lower
Violation Severity Level: Medium (Levels of Noncompliance L2 2.2.3)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because FRCC_URE1 had performed a cyber vulnerability assessment in 2006, and no major infrastructure changes had occurred since that time.
Violation Start Date: 7/1/2009
Violation End Date: 6/7/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) CIP responsible manager has increased awareness of CIP compliance responsibilities of support staff by completing designation letters; 2) it revised the relevant Standard Operating Procedure to designate personnel who shall be responsible for performing the annual cyber vulnerability assessment and review; 3) it developed the vulnerability assessment process document; 4) it performed the cyber vulnerability assessment; 5) it reviewed assessment results and developed an action plan to remediate any identified vulnerabilities; and 6) it completed the action plan.
Mitigation Completion Date: 9/7/2010
Date Regional Entity Verified Completion of Mitigation: 3/3/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies
                                                          Settlement                                                                                                                                                                                                                                                                                                                                                                                  Mitigation        Denies" or
                                                          Agreement                                                                                                                                                                                                                                                                                                                                                                                                     "Does Not
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Contest"
Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
NERC Violation ID #: FRCC201000322
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC determined that FRCC_URE1 did not document and implement the technical and procedural controls for monitoring physical access at all access points of the Physical Security Perimeter(s) (PSP) twenty-four hours a day, seven days a week.
Reliability Standard: CIP-006-1
Req.: 3
Violation Risk Factor: Medium
Violation Severity Level: Moderate (Level of Noncompliance L2, 2.2.2)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because the PSP was within a controlled area (gated and locked). Access to the PSP was always restricted only to authorized personnel, and FRCC_URE1 used manual key controls.
Violation Start Date: 7/1/2009
Violation End Date: 2/1/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) a log sheet is now used to record physical access to FRCC_URE1's backup control center; and 2) personnel installed video surveillance at FRCC_URE1's backup control center.
Mitigation Completion Date: 2/1/2010
Date Regional Entity Verified Completion of Mitigation: 7/7/2010
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
NERC Violation ID #: FRCC201000323
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC determined that FRCC_URE1 failed to implement and document the technical and procedural mechanisms for logging physical entry at its backup control center.
Reliability Standard: CIP-006-1
Req.: 4
Violation Risk Factor: Lower
Violation Severity Level: Moderate (Level of Noncompliance L2, 2.2.2)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because the Physical Security Perimeter (PSP) was within a controlled area (gated and locked). FRCC_URE1 used manual key controls, and confirmed that only authorized personnel had accessed the PSP.
Violation Start Date: 7/1/2009
Violation End Date: 1/19/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) a log sheet is now used to record physical access to FRCC_URE1's backup control center; and 2) personnel installed video surveillance at FRCC_URE1's backup control center.
Mitigation Completion Date: 2/1/2010
Date Regional Entity Verified Completion of Mitigation: 7/7/2010
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
NERC Violation ID #: FRCC201000328
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1 did not create, maintain, or document a procedure for the addition of, or changes to, Critical Cyber Assets (CCAs) as required by CIP-007-1 R1.
Reliability Standard: CIP-007-1
Req.: 1
Violation Risk Factor: Medium
Violation Severity Level: High (Levels of Noncompliance L3, 2.3.1)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because the testing of changes to cyber assets was being performed by FRCC_URE1's vendor, which specializes in CIP-related testing. FRCC_URE1's vendor created a test environment that replicated the separation of FRCC_URE1's key software equipment from the rest of its computer systems. FRCC_URE1 did not document the procedure or the results of these tests of changes to CCAs within the Electronic Security Perimeter (ESP).
Violation Start Date: 7/1/2009
Violation End Date: 10/2/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) it initiated weekly review of threat traffic reports; 2) the CIP responsible manager increased awareness of CIP compliance responsibilities of support staff by completing designation letters; 3) the CIP responsible manager developed internal controls to verify the completion of compliance activities; 4) it developed test procedures for implementing any significant changes to cyber assets; and 5) FRCC_URE1 support staff developed a process for ensuring that testing is performed in a manner that reflects the production environment and that the results of such testing are retained.
Mitigation Completion Date: 10/2/2010
Date Regional Entity Verified Completion of Mitigation: 3/3/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
NERC Violation ID #: FRCC201000329
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1 did not document the process to ensure that only ports and services required for normal and emergency operations are enabled, as required by CIP-007 R2.
Reliability Standard: CIP-007-1
Req.: 2
Violation Risk Factor: Lower
Violation Severity Level: Lower (Levels of Noncompliance L1, 2.1.1)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because FRCC_URE1 reduced vulnerabilities by only performing changes approved by its key software vendor and using trusted-source applications. By reducing the number of changes and new applications, FRCC_URE1 was better able to control the configurations of its ports and services.
Violation Start Date: 7/1/2009
Violation End Date: 7/23/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) it initiated weekly review of threat traffic reports; 2) the CIP responsible manager increased awareness of CIP compliance responsibilities of support staff by completing designation letters; 3) the CIP responsible manager developed internal controls to verify the completion of compliance activities; 4) it compiled a list of baseline configurations for all equipment inside the Electronic Security Perimeter and evaluated the ports and services that are required for normal operations; and 5) it reviewed and updated its process for review of ports and services.
Mitigation Completion Date: 7/23/2010
Date Regional Entity Verified Completion of Mitigation: 3/3/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies
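
The mitigation above, a documented baseline of required ports and services per asset plus a periodic review against it, is the control CIP-007 R2 asks for. The following is an added example, not code from the spreadsheet or from any registered entity, of what that review looks like when automated: it parses a Linux `ss -Hlntu` listener snapshot and reports every enabled port the baseline does not require and every required port that is not listening. The asset names, the baseline and the `ss` output are constructed for this example.

```python
"""Ports-and-services baseline check in the style of CIP-007 R2.

Compares what an asset is actually listening on against the documented set of
ports required for normal and emergency operations and reports every
deviation. The baseline, asset names and `ss` output below are constructed for
this example and do not describe any registered entity.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed baseline: asset -> {(proto, port)} required for operations. A real
# one is the documented list compiled for every cyber asset inside the ESP.
BASELINE = {
    "ems-hist-01": {("tcp", 22), ("tcp", 443), ("tcp", 1433)},
    "ems-fep-02": {("tcp", 22), ("tcp", 20000), ("udp", 123)},
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Socket rows of `ss -Hlntu` on Linux (header suppressed by -H):
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
_SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
)

# Constructed snapshot for ems-hist-01: a web service, a loopback-only cache
# and SNMP that the baseline does not list, and the database port not listening.
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22          [::]:*
tcp   LISTEN 0      511    0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6379   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161      0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -Hlntu` output; lines that are not socket rows are skipped."""
    found = []
    for line in output.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            found.append(Listener(m["proto"], m["addr"], int(m["port"])))
    return found


def check_asset(asset: str, listeners: list[Listener]) -> dict:
    """Return deviations from the baseline for one asset.

    unexpected: enabled (proto, port) pairs the baseline does not require, with
                their bind addresses. Loopback-only ones are flagged but still
                reported: the requirement concerns what is enabled, not what is
                reachable from the network.
    missing:    (proto, port) pairs the baseline requires that are not
                listening; either the service is down or the baseline is stale.
    """
    required = BASELINE[asset]
    by_port: dict[tuple[str, int], set[str]] = {}
    for lst in listeners:
        by_port.setdefault((lst.proto, lst.port), set()).add(lst.addr)

    unexpected = []
    for key in sorted(by_port):
        if key not in required:
            addrs = sorted(by_port[key])
            unexpected.append({
                "proto": key[0],
                "port": key[1],
                "addrs": addrs,
                "loopback_only": all(a in LOOPBACK for a in addrs),
            })
    missing = sorted(k for k in required if k not in by_port)
    return {"asset": asset, "unexpected": unexpected, "missing": missing}


def format_report(result: dict) -> str:
    """Human-readable summary suitable for the periodic review record."""
    lines = [f"asset {result['asset']}:"]
    for u in result["unexpected"]:
        scope = "loopback only" if u["loopback_only"] else "network-facing"
        lines.append(f"  UNEXPECTED {u['proto']}/{u['port']} on "
                     f"{', '.join(u['addrs'])} ({scope})")
    for proto, port in result["missing"]:
        lines.append(f"  MISSING    {proto}/{port} required by baseline but not listening")
    if len(lines) == 1:
        lines.append("  matches baseline")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_asset("ems-hist-01", parse_ss(SAMPLE_SS))))
```

Every "unexpected" finding needs one of two outcomes recorded: the service is disabled, or the baseline is updated with the operational justification. A "missing" finding is just as important for the review, since a required service that is not listening either points at an outage or shows the baseline no longer describes the asset, and a stale baseline is exactly what an audit will find.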

Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
NERC Violation ID #: FRCC201000330
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1 did not establish and document a program for tracking, evaluating, testing and installing the applicable cyber security patches as required by CIP-007-1 R3.
Reliability Standard: CIP-007-1
Req.: 3
Violation Risk Factor: Lower
Violation Severity Level: Moderate (Levels of Noncompliance L2, 2.2.1)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because FRCC_URE1 maintained its cyber systems per vendor recommendations. Patches were installed when necessary, but FRCC_URE1 failed to maintain documentation for compliance.
Violation Start Date: 7/1/2009
Violation End Date: 10/6/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) it initiated weekly review of threat traffic reports; 2) the CIP responsible manager increased awareness of CIP compliance responsibilities of support staff by completing designation letters; 3) the CIP responsible manager developed internal controls to verify the completion of compliance activities; 4) FRCC_URE1 support staff reviewed its current change control and configuration management process; 5) it reviewed and updated its process for implementation of security patches; and 6) it implemented security patch management.
Mitigation Completion Date: 10/6/2010
Date Regional Entity Verified Completion of Mitigation: 3/3/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Region: FRCC
Registered Entity: FRCC_URE1
NCR_ID: NCRXXXXX
NERC Violation ID #: FRCC201000331
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: FRCC_URE1 did not perform a cyber vulnerability assessment of all cyber assets within its Electronic Security Perimeter (ESP) as required by CIP-007 R8.
Reliability Standard: CIP-007-1
Req.: 8
Violation Risk Factor: Lower
Violation Severity Level: Lower (Levels of Noncompliance L1, 2.1.1)
Risk Assessment: This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because FRCC_URE1 had performed a cyber vulnerability assessment in 2006, and no major infrastructure changes had occurred since that time.
Violation Start Date: 7/1/2009
Violation End Date: 9/7/2010
Total Penalty or Sanction ($): $23,000 (Settlement of FRCC201000322, FRCC201000323, FRCC201000324, FRCC201000325, FRCC201000326, FRCC201000328, FRCC201000329, FRCC201000330, FRCC201000331, FRCC201000337, and FRCC201000338)
Method of Discovery: Self-Report
Description of Mitigation Activity: FRCC_URE1 completed the following actions: 1) FRCC_URE1 initiated weekly review of threat traffic reports; 2) the CIP responsible manager increased awareness of CIP compliance responsibilities of support staff by completing designation letters; 3) FRCC_URE1 developed the vulnerability assessment process document; 4) FRCC_URE1 performed the cyber vulnerability assessment; 5) the CIP responsible manager developed internal controls to verify the completion of compliance activities; 6) FRCC_URE1 reviewed assessment results and developed an action plan to remediate any identified vulnerabilities; and 7) FRCC_URE1 completed the action plan.
Mitigation Completion Date: 9/7/2010
Date Regional Entity Verified Completion of Mitigation: 3/2/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Region: NPCC
Registered Entity: NPCC_URE2
NCR_ID: NCRXXXXX
NERC Violation ID #: NPCC201000163
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: When a physical security equipment vendor was called in to repair two control room doors, it was discovered that the vendor, without authorization, had possession of an authorized access test card that had remained activated since commissioning of the security system in late 2009. The vendor had used this card on four separate occasions to perform repairs: March 31, 2010, April 7, 2010, April 12, 2010, and April 30, 2010. On these occasions the vendor had not been escorted at all times, as required by CIP-006-2 Requirement 1.6.
Reliability Standard: CIP-006-2
Req.: 1.6
Violation Risk Factor: Medium
Violation Severity Level: N/A
Risk Assessment: NPCC determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because the vendor did not breach any electronic security perimeters or configurations of the cyber assets, as determined by review of the cyber logs. The vendor was part of the original team that installed NPCC_URE2's physical security system to comply with the CIP Standards. The vendor was a trusted contractor, and the vendor's employee was in good standing.
Violation Start Date: 3/31/2010
Violation End Date: 4/30/2010
Total Penalty or Sanction ($): $4,000
Method of Discovery: Self-Report
Description of Mitigation Activity: NPCC_URE2 performed a review of the physical security database for accuracy against the list of authorized persons and reviewed Electronic Security Perimeter logs for any attempts at unauthorized access. Vendor access cards were deactivated, and all passwords for the physical access computer and application programs were updated to ensure that vendors could no longer gain access with the cards. Signs were posted at physical access points listing access requirements and the escort policy, awareness training was administered, and the requirement that unauthorized persons be escorted by site personnel was reinforced with company personnel.
Mitigation Completion Date: 7/30/2010
Date Regional Entity Verified Completion of Mitigation: 1/11/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Does Not Contest




Region: NPCC
Registered Entity: NPCC_URE3
NCR_ID: NCRXXXXX
NERC Violation ID #: NPCC201000183
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: 1. A contractor had unescorted physical access rights at various substations to Critical Cyber Assets (CCAs) within the Physical Security Perimeter (PSP) without a Personnel Risk Assessment (PRA) ever being performed. The individual began working for NPCC_URE3 as a contractor prior to July 1, 2009. On July 21, 2010, his unescorted access to CCAs within the PSP was revoked, and records showed he never attempted access. 2. An employee had unescorted physical access rights at various substations to CCAs within the PSP without a PRA ever having been performed. NPCC_URE3 records show that the employee never attempted to access any substations unescorted after July 1, 2009. The background check was completed on June 22, 2010.
Reliability Standard: CIP-004-1
Req.: 3
Violation Risk Factor: Medium
Violation Severity Level: High
Risk Assessment: NPCC Enforcement determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because it involved only one employee and one contractor who had established employment histories with NPCC_URE3. Further, it was determined through NPCC_URE3 records that both individuals without a completed PRA did not make any attempt at PSP access within the violation timeframe. The two employees involved were in good standing with NPCC_URE3.
Violation Start Date: 7/1/2009
Violation End Date: 7/21/2010
Total Penalty or Sanction ($): $7,500 (Settlement of NPCC201000183, NPCC201000184, NPCC201000185, and NPCC201000186)
Method of Discovery: Self-Report
Description of Mitigation Activity: NPCC_URE3 completed the following actions: 1) All requests for access to CCAs are now accepted only by use of an updated on-line badge request form; 2) it implemented an automatic email notice (zero-day notice) for terminations; 3) it updated training records by identifying each individual with NERC CIP training requirements and background check requirements; 4) it provided training for all managers on their overall responsibility in the CIP access process, and requested all managers to institute a records check of all access data to ensure accuracy; 5) it completed an internal audit of the physical access electronic control system; 6) it audited (internally) and updated all PSP access lists; 7) it implemented a process to communicate temporary suspensions; 8) it created a Master PSP Access list; 9) a monthly audit was instituted by the NERC Compliance Dept. of all access logs and the authorized electronic badge users list; 10) it required all contractors/vendors to provide actual dates of background check and training completion as part of their annual attestations; 11) it reviewed employees within the organization with any possible CIP exposure by polling all management to ensure list accuracy; and 12) it created an Employee Transfer Email Process.
Mitigation Completion Date: 12/6/2010
Date Regional Entity Verified Completion of Mitigation: 2/16/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies



Region: NPCC
Registered Entity: NPCC_URE3
NCR_ID: NCRXXXXX
NERC Violation ID #: NPCC201000185
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: For seven employees and seven contractors, the access list updates to the Physical Security Perimeter (PSP) and the Electronic Security Perimeter (ESP) did not occur within seven calendar days. One of the names was a contractor who had PSP access but was not on the PSP access list as of the 7/1/09 CIP Table 2 Implementation Date. For an additional two employees and nine contractors, the access list updates (PSP and ESP) and revocation of access (PSP and ESP) did not occur within seven calendar days.
Reliability Standard: CIP-004-1
Req.: 4.1, 4.2
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Risk Assessment: NPCC Enforcement determined that the violations involving access list maintenance and PSP/ESP access revocation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because it was determined through NPCC_URE3 records that there was no access attempted by those personnel whose unescorted PSP access or ESP access was not revoked as per R4.2. All 25 affected individuals were in good standing with NPCC_URE3 or the respective contractor.
Violation Start Date: 7/1/2009
Violation End Date: 8/4/2010
Total Penalty or Sanction ($): $7,500 (Settlement of NPCC201000183, NPCC201000184, NPCC201000185, and NPCC201000186)
Method of Discovery: Self-Report
Description of Mitigation Activity: NPCC_URE3 completed the following actions: 1) All requests for access to Critical Cyber Assets (CCAs) are now accepted only by use of an updated on-line badge request form; 2) it implemented an automatic email notice (zero-day notice) for terminations; 3) it updated training records by identifying each individual with NERC CIP training requirements and background check requirements; 4) it provided training for all managers on their overall responsibility in the CIP access process, and requested all managers to institute a records check of all access data to ensure accuracy; 5) it completed an internal audit of the physical access electronic control system; 6) it audited (internally) and updated all PSP access lists; 7) it implemented a process to communicate temporary suspensions; 8) it created a Master PSP Access list; 9) a monthly audit was instituted by the NERC compliance dept. of all access logs and the authorized electronic badge users list; 10) it required all contractors/vendors to provide actual dates of background check and training completion as part of their annual attestations; 11) it reviewed employees within the organization with any possible CIP exposure by polling all management to ensure list accuracy; and 12) it created an Employee Transfer Email Process.
Mitigation Completion Date: 12/6/2010
Date Regional Entity Verified Completion of Mitigation: 2/16/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies




Region: NPCC
Registered Entity: NPCC_URE3
NCR_ID: NCRXXXXX
NERC Violation ID #: NPCC201000186
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: A contractor had unescorted physical access rights at various substations to Critical Cyber Assets (CCAs) within the Physical Security Perimeter (PSP) without having completed cyber security training as required by R2.1. The individual began working for NPCC_URE3 as a contractor prior to July 1, 2009. On July 21, 2010, his unescorted access to CCAs within the PSP was revoked.
Reliability Standard: CIP-004-1
Req.: 2.1
Violation Risk Factor: Medium
Violation Severity Level: Lower
Risk Assessment: NPCC Enforcement determined that the alleged violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because it only involved one contractor. Further, it was determined through NPCC_URE3 records that the individual without the completed cyber training did not make any attempt at unescorted PSP access within the violation timeframe. The contractor was in good standing with his employer.
Violation Start Date: 7/1/2009
Violation End Date: 7/21/2010
Total Penalty or Sanction ($): $7,500 (Settlement of NPCC201000183, NPCC201000184, NPCC201000185, and NPCC201000186)
Method of Discovery: Self-Report
Description of Mitigation Activity: NPCC_URE3 completed the following actions: 1) All requests for access to CCAs are now accepted only by use of an updated on-line badge request form; 2) it implemented an automatic email notice (zero-day notice) for terminations; 3) it updated training records by identifying each individual with NERC CIP training requirements and background check requirements; 4) it provided training for all managers on their overall responsibility in the CIP access process, and requested all managers to institute a records check of all access data to ensure accuracy; 5) it completed an internal audit of the physical access electronic control system; 6) it audited (internally) and updated all PSP access lists; 7) it implemented a process to communicate temporary suspensions; 8) it created a Master PSP Access list; 9) a monthly audit was instituted by the NERC compliance dept. of all access logs and the authorized electronic badge users list; 10) it required all contractors/vendors to provide actual dates of background check and training completion as part of their annual attestations; 11) it reviewed employees within the organization with any possible CIP exposure by polling all management to ensure list accuracy; and 12) it created an Employee Transfer Email Process.
Mitigation Completion Date: 12/6/2010
Date Regional Entity Verified Completion of Mitigation: 2/16/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies



Region: NPCC
Registered Entity: NPCC_URE3
NCR_ID: NCRXXXXX
NERC Violation ID #: NPCC201000184
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Description of the Violation: On May 14, 2009, a contractor's access badge that granted unescorted PSP access to the substation control house was reported lost. NPCC_URE3 has defined the substation as a Critical Asset. The contractor was issued a new badge granting the same PSP access to the control house, while the lost badge was not de-activated to revoke its access capabilities until June 21, 2010. In June 2010, during the investigation of the lost badge incident, NPCC_URE3 determined that there was not a procedure or documents for "visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls" as required in R1.4.
Reliability Standard: CIP-006-1
Req.: 1.4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Risk Assessment: NPCC Enforcement determined that the violation related to the lost badge posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because any individual with an activated control house access badge would not have had the key that was required to pass through the gate of the substation. NPCC_URE3 determined through its records that there was no attempt to use the lost badge to enter the control house in the violation timeframe.
Violation Start Date: 7/1/2009
Violation End Date: 6/21/2010
Total Penalty or Sanction ($): $7,500 (Settlement of NPCC201000183, NPCC201000184, NPCC201000185, and NPCC201000186)
Method of Discovery: Self-Report
Description of Mitigation Activity: NPCC_URE3 completed the following actions: 1) it implemented a Standard Operating Procedure (SOP) for security for the guards to follow for lost badges/keys/access devices; and 2) a monthly audit was instituted by the NERC compliance department of all access logs and authorized electronic badge user lists.
Mitigation Completion Date: 7/10/2010
Date Regional Entity Verified Completion of Mitigation: 2/16/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies
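The mitigation entries in the records above all come down to one recurring control: reconcile what the physical access control system actually grants (active badges and the door log) against what the entity is allowed to grant (the authorized PSP access list, with a PRA and CIP training on file), and check that revocations landed inside the deadline (seven calendar days, or 24 hours for a for-cause termination such as "Contractor A"). The following is an added example of that reconciliation, not code from the filing or from any registered entity; the badge records, log lines, door names and field layout are constructed for illustration, and the rule names are this example's own. It flags the four failure modes described above: a badge that is active but not on the authorized list (the URE2 commissioning test card), an authorized holder with no PRA or training (NPCC201000183 and NPCC201000186), a lost badge left active (NPCC201000184), and a revocation that missed its deadline or a badge used after access should have ended (NPCC201000185).

```python
"""Reconcile a badge-reader log export against the authorized PSP access list.

All records and log lines below are constructed sample data, not from the filing.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Revocation deadlines as stated in the violation descriptions (CIP-004-1 R4.2).
ROUTINE_REVOCATION_DAYS = 7      # calendar days for a normal departure
FOR_CAUSE_REVOCATION_HOURS = 24  # for-cause terminations


@dataclass
class Badge:
    badge_id: str
    holder: str
    authorized: bool                        # on the current PSP access list
    active: bool                            # still enabled in the access control system
    pra_completed: bool                     # personnel risk assessment on file
    training_completed: bool                # CIP cyber security training on file
    reported_lost: Optional[date] = None
    access_ended: Optional[datetime] = None  # termination, transfer or end of contract
    for_cause: bool = False
    revoked_at: Optional[datetime] = None    # when the badge was actually disabled


@dataclass
class Finding:
    badge_id: str
    rule: str
    detail: str


def parse_log(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    """Parse constructed 'ISO-timestamp,badge_id,door,result' reader export lines."""
    events = []
    for line in lines:
        ts, badge_id, door, result = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), badge_id, door, result))
    return events


def audit(badges: List[Badge], events, as_of: datetime) -> List[Finding]:
    """Compare badge state and door log against the authorized list and deadlines."""
    by_id = {b.badge_id: b for b in badges}
    findings: List[Finding] = []
    for b in badges:
        if b.active and not b.authorized:
            findings.append(Finding(b.badge_id, "active-but-unlisted", b.holder))
        if b.reported_lost and b.active:
            findings.append(Finding(b.badge_id, "lost-badge-active",
                                    f"reported lost {b.reported_lost}, still enabled"))
        if b.authorized and not b.pra_completed:
            findings.append(Finding(b.badge_id, "missing-pra", b.holder))
        if b.authorized and not b.training_completed:
            findings.append(Finding(b.badge_id, "missing-training", b.holder))
        if b.access_ended:
            limit = (timedelta(hours=FOR_CAUSE_REVOCATION_HOURS) if b.for_cause
                     else timedelta(days=ROUTINE_REVOCATION_DAYS))
            deadline = b.access_ended + limit
            done = b.revoked_at or as_of  # never revoked counts as still open today
            if done > deadline:
                findings.append(Finding(b.badge_id, "late-revocation",
                                        f"deadline {deadline.isoformat()}, revoked {b.revoked_at}"))
    # Door log: a grant is only acceptable for an authorized badge within its access window.
    for ts, badge_id, door, result in events:
        if result != "GRANTED":
            continue
        b = by_id.get(badge_id)
        if b is None or not b.authorized:
            findings.append(Finding(badge_id, "unlisted-badge-granted", f"{door} at {ts.isoformat()}"))
        elif b.access_ended and ts > b.access_ended:
            findings.append(Finding(badge_id, "use-after-access-ended", f"{door} at {ts.isoformat()}"))
        elif b.reported_lost and ts.date() > b.reported_lost:
            findings.append(Finding(badge_id, "lost-badge-used", f"{door} at {ts.isoformat()}"))
    return findings


def run_sample() -> List[Finding]:
    """Constructed badge list and log for the audit as of 2010-08-04."""
    badges = [
        Badge("B-1001", "employee in good standing", True, True, True, True),
        Badge("T-0001", "commissioning test card", False, True, False, False),
        Badge("B-1002", "contractor, no PRA", True, True, False, True),
        Badge("B-1003", "contractor, badge lost", True, True, True, True, reported_lost=date(2009, 5, 14)),
        Badge("B-1004", "transferred employee", True, False, True, True,
              access_ended=datetime(2010, 3, 1, 17, 0), revoked_at=datetime(2010, 3, 20, 9, 0)),
        Badge("B-1005", "Contractor A (for cause)", True, False, True, True,
              access_ended=datetime(2010, 6, 1, 10, 0), for_cause=True,
              revoked_at=datetime(2010, 6, 3, 8, 0)),
    ]
    log = [  # constructed reader export
        "2010-03-31T08:12:00,T-0001,CTRL-RM-DOOR-1,GRANTED",
        "2010-04-07T09:30:00,T-0001,CTRL-RM-DOOR-2,GRANTED",
        "2010-03-05T07:45:00,B-1004,SUBSTATION-CH,GRANTED",
        "2010-03-05T07:46:00,B-1001,SUBSTATION-CH,GRANTED",
        "2010-06-10T12:00:00,B-1003,SUBSTATION-CH,DENIED",
    ]
    return audit(badges, parse_log(log), as_of=datetime(2010, 8, 4))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.badge_id:8} {f.rule:24} {f.detail}")
```

Run monthly against the full reader export and the current authorized list, as the mitigation plans above describe; the `late-revocation` rule treats a badge with an access-end date but no revocation timestamp as still open on the audit date, so a termination that never reached the access control system is reported rather than silently passing.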




NERC Violation ID #: NPCC201000187
Region: NPCC | Registered Entity: NPCC_URE4 | NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Reliability Standard: CIP-004-1 | Req.: 4.1, 4.2 | Violation Risk Factor: Medium | Violation Severity Level: Moderate
Violation Start Date: 10/8/2009 | Violation End Date: 8/4/2010
Total Penalty or Sanction ($): $2,500 (settlement of NPCC201000187, NPCC201000188, and NPCC201000189)
Method of Discovery: Self-Report
Mitigation Completion Date: 12/6/2010 | Date Regional Entity Verified Completion of Mitigation: 2/16/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Description of the Violation:
There are six instances in which unescorted physical access to the Physical Security Perimeter (PSP) and authorized cyber access to the Electronic Security Perimeter (ESP) were not revoked within the required timeframe (7 calendar days, or 24 hours in the case of a termination for cause, as with Contractor A) and the corresponding access lists were not updated within seven calendar days as required.
• Employee A: Transferred titles on April 9, 2010. PSP access was not revoked, and the name was not removed from the PSP access list, until June 21, 2010.
• Employee B: Transferred titles from substations to the control center on November 23, 2009. PSP access to substations was not revoked until June 24, 2010, and the name was not removed from the PSP access list until August 4, 2010. The individual was granted control center ESP and PSP access on November 23, 2009 in the new position, but the name was not added to the control center ESP list until January 29, 2010.
• Contractor A: Services no longer required as of February 19, 2010 due to a lay-off (treated as a termination for cause, so the 24-hour timeframe applied). The name was not removed from the ESP and PSP access lists until March 1, 2010, and PSP and ESP access was not revoked until March 4, 2010.
• Contractors B and C: The vendor contract that authorized ESP access for both expired on October 1, 2009 without renewal. ESP access was not revoked, and both names were not removed from the ESP list, until February 1, 2010.

Risk Assessment:
NPCC Enforcement determined that the violations involving access list maintenance and PSP/ESP access revocation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system, because NPCC_URE4 records showed that none of the personnel whose unescorted PSP access or authorized ESP access was not revoked as required by R4.2 attempted access within the violation timeframe. All five individuals were in good standing with NPCC_URE4 or their respective contractors.

Description of Mitigation Activity:
NPCC_URE4 completed the following actions:
1) All requests for access to Cyber Assets/CCAs are now accepted only through an updated on-line badge request form;
2) it implemented an automatic email notice (zero-day notice) for terminations;
3) it updated training records by identifying each individual with NERC CIP training requirements and background check requirements;
4) it trained all managers on their overall responsibility in the CIP access process and requested that all managers institute a records check of all access data to ensure accuracy;
5) it completed an internal audit of the physical access electronic control system;
6) it audited (internally) and updated all PSP access lists;
7) it implemented a process to communicate temporary suspensions;
8) it created a Master PSP Access list;
9) its NERC compliance department instituted a monthly audit of all access logs and of the authorized electronic badge user list;
10) it required all contractors/vendors to provide the actual dates of background check and training completion as part of their annual attestations;
11) it reviewed employees within the organization with any possible CIP exposure by polling all management to ensure list accuracy; and
12) it created an employee transfer email process.
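
The revocation and list-maintenance deadlines in this entry can be checked mechanically against an HR/contract event feed and the badge and ESP logs, which is essentially what mitigation item 9 (the monthly audit of access logs against the authorized badge user list) amounts to. The Python below is an added example and is not code from the NERC filing or from NPCC_URE4: it scores each access change against the 7-calendar-day limit (24 hours for a termination for cause) that the description states, and then searches a badge log for access attempts inside the window during which access should already have been gone. The change records are constructed from the five individuals above using the dates given there; the field names, the reason and scope vocabulary, the log line format and the "as of" date are assumptions made for the illustration.

```python
"""Reconcile an HR/contract event feed against PSP/ESP access records.

Added example, not code from the NERC filing or from NPCC_URE4. Deadlines
are those stated in the violation description: access revoked and access
lists corrected within 7 calendar days of a change, 24 hours when the person
is terminated for cause. Records are constructed from the NPCC201000187
narrative; field names, vocabulary and log format are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

SEVEN_DAYS = timedelta(days=7)
ONE_DAY = timedelta(days=1)


@dataclass(frozen=True)
class AccessChange:
    person: str
    change: str                          # "grant" or "revoke"
    reason: str                          # transfer | termination_for_cause | contract_expired | new_position
    effective: date                      # day the access requirement changed (HR/contract feed)
    scope: str                           # "PSP", "ESP" or "PSP/ESP"
    revoked: Optional[date] = None       # day badge/cyber access was actually disabled
    list_updated: Optional[date] = None  # day the access list was corrected


@dataclass(frozen=True)
class Finding:
    person: str
    scope: str
    control: str             # "revocation" (R4.2) or "list" (R4.1)
    due: date
    actual: Optional[date]   # None = still outstanding at the as-of date
    days_late: int


def revocation_due(ch: AccessChange) -> date:
    """Revocation deadline: 24 hours for termination for cause, else 7 calendar days."""
    return ch.effective + (ONE_DAY if ch.reason == "termination_for_cause" else SEVEN_DAYS)


def list_due(ch: AccessChange) -> date:
    """Access-list deadline: 7 calendar days after any grant or revocation."""
    return ch.effective + SEVEN_DAYS


def _days_late(due: date, actual: Optional[date], as_of: date) -> int:
    """Days past the deadline; an item still open is measured up to as_of."""
    return max(0, ((actual or as_of) - due).days)


def reconcile(changes: List[AccessChange], as_of: date) -> List[Finding]:
    """One Finding per control (revocation, list) whose deadline was missed."""
    findings = []
    for ch in changes:
        if ch.change == "revoke":
            late = _days_late(revocation_due(ch), ch.revoked, as_of)
            if late:
                findings.append(Finding(ch.person, ch.scope, "revocation",
                                        revocation_due(ch), ch.revoked, late))
        late = _days_late(list_due(ch), ch.list_updated, as_of)
        if late:
            findings.append(Finding(ch.person, ch.scope, "list", list_due(ch), ch.list_updated, late))
    return findings


def attempts_during_exposure(log_lines, changes, as_of):
    """Log entries by someone whose access should already have been revoked:
    strictly after the effective date and strictly before actual revocation.
    Constructed line format: 'YYYY-MM-DD HH:MM person scope door result'."""
    windows = [(ch.person, set(ch.scope.split("/")), ch.effective, ch.revoked or as_of)
               for ch in changes if ch.change == "revoke"]
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 6:
            continue                     # malformed line: skip rather than guess
        when, person, scope = date.fromisoformat(parts[0]), parts[2], parts[3]
        if any(person == p and scope in s and start < when < end for p, s, start, end in windows):
            hits.append(line)
    return hits


# Constructed from the NPCC201000187 narrative (dates as stated there).
CHANGES = [
    AccessChange("Employee_A", "revoke", "transfer", date(2010, 4, 9), "PSP",
                 revoked=date(2010, 6, 21), list_updated=date(2010, 6, 21)),
    AccessChange("Employee_B", "revoke", "transfer", date(2009, 11, 23), "PSP",
                 revoked=date(2010, 6, 24), list_updated=date(2010, 8, 4)),
    AccessChange("Employee_B", "grant", "new_position", date(2009, 11, 23), "ESP",
                 list_updated=date(2010, 1, 29)),
    AccessChange("Contractor_A", "revoke", "termination_for_cause", date(2010, 2, 19), "PSP/ESP",
                 revoked=date(2010, 3, 4), list_updated=date(2010, 3, 1)),
    AccessChange("Contractor_B", "revoke", "contract_expired", date(2009, 10, 1), "ESP",
                 revoked=date(2010, 2, 1), list_updated=date(2010, 2, 1)),
    AccessChange("Contractor_C", "revoke", "contract_expired", date(2009, 10, 1), "ESP",
                 revoked=date(2010, 2, 1), list_updated=date(2010, 2, 1)),
]
AS_OF = date(2010, 8, 4)                 # assumed audit date (the violation end date)

# Constructed sample badge/ESP log; none of these fall inside an exposure window.
BADGE_LOG = [
    "2010-04-08 07:41 Employee_A PSP SUBSTN-12 GRANTED",   # day before the transfer
    "2010-02-19 09:15 Contractor_A ESP VPN-GW GRANTED",    # on the effective day itself
    "2010-05-03 16:02 Employee_D PSP SUBSTN-12 GRANTED",   # not a person of interest
]

if __name__ == "__main__":
    for f in reconcile(CHANGES, AS_OF):
        print(f"{f.person:13} {f.scope:8} {f.control:10} due {f.due} actual {f.actual} late {f.days_late}d")
    print("attempts during exposure:", attempts_during_exposure(BADGE_LOG, CHANGES, AS_OF))
```

Run stand-alone it reports eleven missed deadlines across the five individuals, the largest being Employee B's substation PSP list entry at 247 days past its due date, and no log entries inside an exposure window. The window check is strict on both ends so that use on the effective day itself is not held against the person, and an item not yet revoked by the as-of date is measured up to that date and reported with `actual` set to None, which is the case an automated monthly run exists to catch.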


NERC Violation ID #: NPCC201000188
Region: NPCC | Registered Entity: NPCC_URE4 | NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Reliability Standard: CIP-004-1 | Req.: 2.1 | Violation Risk Factor: Medium | Violation Severity Level: Lower
Violation Start Date: 7/1/2009 | Violation End Date: 7/21/2010
Total Penalty or Sanction ($): $2,500 (settlement of NPCC201000187, NPCC201000188, and NPCC201000189)
Method of Discovery: Self-Report
Mitigation Completion Date: 12/6/2010 | Date Regional Entity Verified Completion of Mitigation: 2/16/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Description of the Violation:
A contractor had unescorted physical access rights at various substations to Critical Cyber Assets (CCAs) within the Physical Security Perimeter (PSP) without having completed the cyber security training required by R2.1. The individual began working for NPCC_URE4 as a contractor prior to July 1, 2009. On July 21, 2010, his unescorted access to CCAs within the PSP was revoked.

Risk Assessment:
NPCC Enforcement determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because it involved only one contractor. Further, NPCC_URE4 records showed that the individual without the completed cyber security training did not attempt unescorted PSP access within the violation timeframe. The contractor was in good standing with his employer.

Description of Mitigation Activity:
The same twelve actions listed under NPCC201000187; the three violations were settled together and share the same mitigation completion (12/6/2010) and verification (2/16/2011) dates.



NERC Violation ID #: NPCC201000189
Region: NPCC | Registered Entity: NPCC_URE4 | NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Reliability Standard: CIP-004-1 | Req.: 3 | Violation Risk Factor: Medium | Violation Severity Level: High
Violation Start Date: 7/1/2009 | Violation End Date: 7/21/2010
Total Penalty or Sanction ($): $2,500 (settlement of NPCC201000187, NPCC201000188, and NPCC201000189)
Method of Discovery: Self-Report
Mitigation Completion Date: 12/6/2010 | Date Regional Entity Verified Completion of Mitigation: 2/16/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Neither Admits nor Denies

Description of the Violation:
1. A contractor had unescorted physical access rights at various substations to Critical Cyber Assets (CCAs) within the Physical Security Perimeter (PSP) without a Personnel Risk Assessment (PRA) ever having been performed. The individual began working for NPCC_URE4 as a contractor prior to July 1, 2009. On July 21, 2010, his unescorted access to CCAs within the PSP was revoked.
2. An employee had unescorted physical access rights at various substations to CCAs within the PSP without a PRA ever having been performed. NPCC_URE4 records show that after July 1, 2009 the employee never attempted to access any substation unescorted. The background check was completed on June 22, 2010.

Risk Assessment:
NPCC Enforcement determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because it involved only two individuals. Further, NPCC_URE4 records showed that neither individual without a completed PRA attempted PSP access within the violation timeframe. The employee and the contractor were in good standing with NPCC_URE4 and with the contractor's employer, respectively.

Description of Mitigation Activity:
The same twelve actions listed under NPCC201000187; the three violations were settled together and share the same mitigation completion (12/6/2010) and verification (2/16/2011) dates.



NERC Violation ID #: NPCC201000158
Region: NPCC | Registered Entity: NPCC_URE5 | NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Reliability Standard: CIP-007-1 | Req.: 1 | Violation Risk Factor: Medium | Violation Severity Level: Severe
Violation Start Date: 7/9/2009 | Violation End Date: 4/21/2010
Total Penalty or Sanction ($): $2,500.00
Method of Discovery: Self-Report
Mitigation Completion Date: 7/30/2010 | Date Regional Entity Verified Completion of Mitigation: 3/11/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Does Not Contest

Description of the Violation:
NPCC_URE5 did not fully implement or document cyber security test procedures for 23 significant changes between 7/9/2009 and 4/21/2010. NPCC_URE5 did not have security testing plans and associated evidence for 23 system application and configuration changes related to Cyber Assets within the Electronic Security Perimeter (ESP). Although its documented procedures required security testing to be performed, 23 significant CIP system application changes were implemented through the CIP change request tracking database and migrated into the production environment without documented security test plans and results.

Risk Assessment:
This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system for the following reasons: 1) the changes were related to systems located behind the firewall, which is monitored and alarmed, so access in and out of the ESP is controlled; 2) all changes were related to systems that are protected by anti-virus software; 3) functional testing was conducted as required and revealed no conflicting system operations; 4) where new systems were involved, standard hardened PC and server builds were used; 5) the systems on which the 23 changes were implemented exhibited no post-implementation issues; and 6) the majority of the changes ran successfully in a secure development environment, which mimics the production environment, prior to being migrated into production.

Description of Mitigation Activity:
NPCC_URE5 has confirmed that all 23 CIP system application changes fulfill the newly developed CIP security-specific test plan template. Computer Information Systems (CIS) and other approvers have been informed: 1) of the 23 CIP system application changes identified on the CRT tickets; 2) that under no circumstances can any CIP change request be processed and approved without documented and archived security-specific test plans and their respective test results; 3) of CIS' role in the process; and 4) that these are requirements of NERC CIP-007, and any omission is a violation of the Standard. A detailed (3000-level) "how to" procedure for the development, performance, and documentation of the security testing required by CIP-007 has been implemented using a "read & acknowledge" process. This procedure incorporates a recently developed CIP security testing template. Each CIP procedure that assigns roles and responsibilities to CIS and other appropriate IT personnel has been disseminated to the specific individuals concerned using a "read & acknowledge" process, so that they confirm knowledge of their roles and responsibilities.




NERC Violation ID #: NPCC201000157
Region: NPCC | Registered Entity: NPCC_URE6 | NCR_ID: NCRXXXXX
Notice of Confirmed Violation or Settlement Agreement: Settlement Agreement
Reliability Standard: CIP-007-1 | Req.: 1 | Violation Risk Factor: Medium | Violation Severity Level: Severe
Violation Start Date: 7/9/2009 | Violation End Date: 4/21/2010
Total Penalty or Sanction ($): $2,500.00
Method of Discovery: Self-Report
Mitigation Completion Date: 7/30/2010 | Date Regional Entity Verified Completion of Mitigation: 3/11/2011
"Admits," "Neither Admits nor Denies" or "Does Not Contest": Does Not Contest

Description of the Violation:
NPCC_URE6 did not fully implement or document cyber security test procedures for 12 significant changes between 7/9/2009 and 4/21/2010. NPCC_URE6 did not have security testing plans and associated evidence for 12 system application and configuration changes related to Cyber Assets within the Electronic Security Perimeter (ESP). Although its documented procedures required security testing to be performed, 12 significant CIP system application changes were implemented through the CIP change request tracking database and migrated into the production

Risk Assessment:
This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system for the following reasons: 1) the changes were related to systems located behind the firewall, which is monitored and alarmed, so access in and out of the Electronic Security Perimeter (ESP) is controlled; 2) all changes were related to systems that are protected by anti-virus software; 3) functional testing was conducted as required and revealed no conflicting system operations; 4) where new systems were involved,

Description of Mitigation Activity:
NPCC_URE6 has confirmed that all 12 CIP system application changes fulfill the newly developed CIP security-specific test plan template. Computer Information Systems (CIS) and other approvers have been informed: 1) of the 12 CIP system application changes identified on the CRT tickets; 2) that under no circumstances can any CIP change request be processed and approved without documented and archived security-specific test plans and their respective test results; 3) of CIS' role in the process; and 4) that these are requirements of NERC CIP-007, and any omission is a violation of the Standard. A detailed (3000-level) "how to" procedure for the
                                                                         environment without documented security test plans and results.                                                      standard hardened PC and server builds were used; 5) The systems                                                                          development, performance, and documentation of CIP-007 required security testing
                                                                                                                                                                                              where the 12 changes were implemented exhibited no post-                                                                                  has been implemented using a “read & acknowledge” process. This procedure
                                                                                                                                                                                              implementation issues; and 6) The majority of the changes ran                                                                             incorporates a recently-developed CIP security testing template. For each CIP
                                                                                                                                                                                              successfully in a secure development environment prior to being                                                                           procedure with roles and responsibilities for CIS and other appropriate IT personnel,
                                                                                                                                                                                              migrated into the production environment; the development                                                                                 the applicable CIP procedures have been disseminated to specific individuals using a
                                                                                                                                                                                              environment mimics the production environment.                                                                                            “read &acknowledge” process to ensure that they confirm knowledge of their roles
                                                                                                                                                                                                                                                                                                                                        and responsibilities.