This document describes the recommended security policies for each of these roles. The policies cover:
• Substation engineers configuring the equipment in the substation, including setting up the internal security measures
• Other employees working at substations, but not configuring equipment
• WAN network administrators configuring the perimeter firewalls
• Team managers who need to enable the administrators and engineers to do their jobs securely
• Security operations analysts responsible for coordinating vulnerability management and incident response
• Procurement staff for buying new equipment with the right security capabilities
A concrete example policy is given for each group. Each example policy is linked to the controls in ISO 27002. Guidance is given on implementing the example policy at a particular grid operator. The policies apply both to employees and to contractors or service providers in the same role.