Welcome to the SecAware blog

I spy with my beady eye ...

25 May 2010

Fined for not using the specific words "security awareness"

The Chelan County Public Utility Department has been fined $13,000 for three alleged violations of the NERC information security standards, but reading the news story at Wenatchee World reveals that one of those three was 'failure to use the specific words “security awareness” in documents showing that certain personnel have received ongoing training in “sound security practices.”'

Failure to use the specific words "security awareness"?!?! If that's the truth of it, I might agree with PUD officials' claim that this amounts to a "difference of opinion with auditors over how to interpret federal standards". However, I wonder whether the true nature of the alleged non-compliance was perhaps a little more serious - like perhaps the PUD came up with some internal memos or whatever, claiming that they substantiated their security awareness program, whereas in fact they were not really intended or used for that specific purpose. I'm only guessing here, but I've seen situations very similar to this where auditors' findings have been challenged on the literal wording, without necessarily addressing the issue at stake.

We're left uncertain whether the PUD actually had an effective security awareness program, but anyway I hope the fine was enough of a prompt to make them value security awareness.

