IESO Reliability Compliance Program Certification Form
NERC Reliability Standards: CIP-004-2 and CIP-004-3
Personnel and Training
Submit this form by mail, fax or email to the following:
Attention:
IESO Reliability Compliance Program
Resource Integration
Station A, Box 4474 Toronto ON M5W 4E5
E-mail: [email protected]
Fax No.: (905) 855-6372
All information submitted in this process will be used by the IESO solely in support of its obligations
under the “Electricity Act, 1998”, the “Ontario Energy Board Act, 1998”, the “Market Rules” and
associated policies, standards and procedures and its licence. All submitted information will be assigned
the appropriate confidentiality level upon receipt.
Terms and acronyms used in this Form that are italicized have the meanings ascribed thereto in Chapter
11 of the “Market Rules”.
PART 1 – GENERAL INFORMATION
Market Participant Name:
Market Participant ID:
Reliability Compliance Contact:
Name:
Telephone No.:
Fax No.:
E-mail Address:
Reporting Periods:
CIP-004-2
From (MM/DD/YYYY): 01/01/2010
To (MM/DD/YYYY): 06/30/2010
CIP-004-3
From (MM/DD/YYYY): 07/01/2010
To (MM/DD/YYYY): 12/31/2010
IESO-FORM-1696 v.2.0
REV-11-10
Confidential
Page 1 of 5
PART 2A – STANDARD CIP-004-2
Responsible Entities: Transmitters and generators identified and notified by the IESO.
Requirements:
R1. Each Responsible Entity shall establish, document, implement and maintain a security awareness
program, as specified in Requirement R1 of NERC Standard CIP-004-2.
R2. Each Responsible Entity shall establish, document, implement and maintain an annual cyber
security training program, as specified in Requirement R2 of NERC Standard CIP-004-2.
R3. Each Responsible Entity shall have a documented personnel risk assessment program and shall
conduct personnel risk assessments, as specified in Requirement R3 of NERC Standard CIP-004-2.
R4. Each Responsible Entity shall document and maintain list(s) of personnel with authorized cyber
access or authorized unescorted physical access to Critical Cyber Assets, as specified in Requirement
R4 of NERC Standard CIP-004-2.
Measurement:
M1. The Entity has available documentation of its security awareness and reinforcement program as
specified in Requirement R1 of NERC Standard CIP-004-2.
M2. The Entity has available documentation of its cyber security training program, review, and
records as specified in Requirement R2 of NERC Standard CIP-004-2.
M3. The Entity has available documentation of its personnel risk assessment program and that
personnel risk assessments have been applied as specified in Requirement R3 of NERC Standard CIP-004-2.
M4. The Entity has available documentation of the list(s), list reviews and updates, and access
revocations as specified in Requirement R4 of NERC Standard CIP-004-2.
Reference Documents:
NERC Reliability Standards
CIP-002-2, CIP-003-2, CIP-004-2, CIP-005-2a, CIP-006-2, CIP-007-2a, CIP-008-2, CIP-009-2
PART 2B – STANDARD CIP-004-3
Responsible Entities: Transmitters and generators identified and notified by the IESO.
Requirements:
R1. Each Responsible Entity shall establish, document, implement and maintain a security awareness
program, as specified in Requirement R1 of NERC Standard CIP-004-3.
R2. Each Responsible Entity shall establish, document, implement and maintain an annual cyber
security training program, as specified in Requirement R2 of NERC Standard CIP-004-3.
R3. Each Responsible Entity shall have a documented personnel risk assessment program and shall
conduct personnel risk assessments, as specified in Requirement R3 of NERC Standard CIP-004-3.
R4. Each Responsible Entity shall document and maintain list(s) of personnel with authorized cyber
access or authorized unescorted physical access to Critical Cyber Assets, as specified in Requirement
R4 of NERC Standard CIP-004-3.
Measurement:
M1. The Entity has available documentation of its security awareness and reinforcement program as
specified in Requirement R1 of NERC Standard CIP-004-3.
M2. The Entity has available documentation of its cyber security training program, review, and
records as specified in Requirement R2 of NERC Standard CIP-004-3.
M3. The Entity has available documentation of its personnel risk assessment program and that
personnel risk assessments have been applied as specified in Requirement R3 of NERC Standard CIP-004-3.
M4. The Entity has available documentation of the list(s), list reviews and updates, and access
revocations as specified in Requirement R4 of NERC Standard CIP-004-3.
Reference Documents:
NERC Reliability Standards
CIP-002-3, CIP-003-3, CIP-004-3, CIP-005-3, CIP-006-3c, CIP-007-3, CIP-008-3, CIP-009-3
PART 3 – CERTIFICATION OF COMPLIANCE
THE REPORTING MARKET PARTICIPANT CERTIFIES THAT IT IS IN:
Full 100% Compliance:
(For full compliance you must check both.)
CIP-004-2
CIP-004-3
Non-Compliance: (The market participant is to indicate its level of non-compliance and provide its mitigation
plan to become compliant.)
Level 1 (least severe):
[ ] A security awareness program exists, but security awareness reinforcement was not
conducted on at least a quarterly basis; or
[ ] A cyber security training program exists, but records of training either do not exist or
reveal that personnel who have access to Critical Cyber Assets were not trained as
required; or,
[ ] A personnel risk assessment program exists, but documentation of that program does not
exist; or,
[ ] List(s) of personnel with their access rights is available, but has not been reviewed and
updated as required; or,
[ ] One personnel risk assessment is not updated at least every seven years, or for cause; or,
[ ] One instance of personnel (employee, contractor or service provider) change other than for
cause in which access to Critical Cyber Assets was no longer needed was not revoked
within seven calendar days.
(Check either one or both.)
CIP-004-2
CIP-004-3
Level 2:
[ ] A security awareness program does not exist or is not implemented; or,
[ ] A cyber security training program exists, but does not address the requirements identified
in Standard CIP-004-2 or CIP-004-3 Requirement R2 as appropriate; or,
[ ] A personnel risk assessment program exists, but assessments are not conducted as required;
or,
[ ] One instance of personnel termination for cause (employee, contractor or service provider)
in which access to Critical Cyber Assets was not revoked within 24 hours.
(Check either one or both.)
CIP-004-2
CIP-004-3
Level 3:
[ ] A cyber security training program exists, but has not been reviewed and updated at least
annually; or,
[ ] A personnel risk assessment program exists, but records reveal program does not meet the
requirements of Standard CIP-004-2 or CIP-004-3; or,
[ ] List(s) of personnel with their access control rights exists, but does not include service
vendors and contractors.
(Check either one or both.)
CIP-004-2
CIP-004-3
Level 4 (most severe):
[ ] No documented cyber security training program exists; or,
[ ] No documented personnel risk assessment program exists; or,
[ ] No required documentation created pursuant to cyber security training or personnel risk
assessment programs exists.
(Check either one or both.)
CIP-004-2
CIP-004-3
Mitigation plan: (Defines the corrective steps that will be taken and the timeframe in which the market
participant will meet 100% compliance.)
Mitigation plan attached.
Comments/Explanations:
Comments/explanations attached.
I have authority to bind the market participant named above. I certify that all information set out or
referred to above is true and complete as at the date of this certification. I further understand that the
foregoing information is being provided in accordance with the requirements of the IESO reliability
compliance program (IRCP). I understand that this certification is submitted in lieu of a detailed review
or “audit” by the IESO that may occur in the future. I acknowledge that such a review will require all
information set out or referred to on this form be verified by appropriate documentation.
Certified by:
Signature of Authority
Title:
Date of Certification: