External Electronic Communications FAQ
|
|
By Tyreke Griffin
|
As a part of the Inherent Risk Assessments (IRAs), two questionnaires—the Risk Factor Questionnaire (RFQ) and the Entity Risk Profile Questionnaire (ERPQ)—are sent to the entity’s Primary Compliance Contact (PCC). One section of the RFQ regards an entity’s external electronic communication.
External electronic communication is the exchange of information between an organization and external entities using electronic media (such as computers, phones, email, and video) and also includes sharing telemetry data with other entities.
The related question on the RFQ states, "Select which of the following applies to your registered entity's use of external electronic communication relative to your BES Cyber Systems or Cyber Assets.”
The available choices are:
- Entity has no external electronic communication
- Entity has external electronic communication within the entity's own registration
- Electronic or cyber communication is allowed within our registered entity and to other NERC registered entities
- Electronic or cyber communication is allowed within our registered entity and third-parties, suppliers, vendors, or networks not overseen by NERC or the ERO Enterprise
The question seems straightforward; however, some respondents have failed to consider the overall context of the BPS as their entity exists within it. Most registered entities will have some external communication with another entity due to the structural design of the Bulk Power System (BPS). If a registered entity shares any information with a third-party that is not NERC-registered, the entity should choose option four. If you have communication with a qualified scheduling entity (QSE) that isn’t NERC-registered, your entity should also choose option four. If all of your registered entity’s external communication is with other entities registered with NERC, then your entity should choose option three.
Risk Assessment staff monitors and assesses registered entity compliance with NERC and Regional Reliability Standards through risk-based processes that identify potential threats to the reliable operation of the BPS.
For additional information regarding risk factors, please review the Texas RE Compliance page.
