NERC CIP Standards (Critical Infrastructure Protection) may require the establishment of an Electrical Transmission Cyber Incident Response Team. The Electrical Transmission company should define the roles and responsibilities of each member of the Cyber Incident Response Team. The team should identify the taxonomy of reasonably expected cyber exposures and/or threats to Critical Cyber Assets at each Critical Asset site. The team should also identify and document triage response techniques for each of the cyber threats and/or exposures.

Likewise, the team must identify, acquire, and install basic computer forensics tools for cyber incident clean-up and investigation, using integrated forensics tool interfaces that operate on the core inventory database from the master control operations room. The team will create operation, care and feeding documentation for maintaining the assembled critical cyber system.

The Cyber Incident Response Team will create a standard data collection and reporting protocol for different types of cyber incident, and create accounts at the ES-ISAC portal for reporting each cyber security incident and/or attack to the Indications, Analysis & Warning Program. A schedule should be established for the review and update of the exposure and/or threat taxonomy and for the production of Cyber Incident Response Team forensics for reporting information systems, defining Cyber Incident Response Team triage responses to different contingencies.

The Cyber Incident Response section in each Critical Asset site security manual should have links to the data collection, retention and reporting protocol for different types of cyber security incidents. In reporting these requirements to ES-ISAC, DOE, etc., different contingencies governing the retention of cyber incident related data apply.