§ 101.3. Plan requirements.
(a) A jurisdictional utility shall develop and maintain written physical and cyber security, emergency response and business continuity plans.
(1) A physical security plan must, at a minimum, include specific features of a mission critical equipment or facility protection program and company procedures to follow based upon changing threat conditions or situations.
(2) A cyber security plan must, at a minimum, include:
(i) Critical functions requiring automated processing.
(ii) Appropriate backup for application software and data. Appropriate backup may include having a separate distinct storage media for data or a different physical location for application software.
(iii) Alternative methods for meeting critical functional responsibilities in the absence of information technology capabilities.
(iv) A recognition of the critical time period for each information system before the utility could no longer continue to operate.
(3) A business continuity plan must, at a minimum, include:
(i) Guidance on the system restoration for emergencies, disasters and mobilization.
(ii) Establishment of a comprehensive process addressing business recovery, business resumption and contingency planning.
(4) An emergency response plan must, at a minimum, include:
(i) Identification and assessment of the problem.
(ii) Mitigation of the problem in a coordinated, timely and effective manner.
(iii) Notification of the appropriate emergency services and emergency preparedness support agencies and organizations.
(b) A jurisdictional utility shall review and update these plans annually.
(c) A jurisdictional utility shall maintain and implement an annual testing schedule of these plans.
(d) A jurisdictional utility shall demonstrate compliance with subsections (a)-(c), through submittal of a Self Certification Form which is available at the Secretary's Bureau and on the Commission's website.
(e) A plan shall define roles and responsibilities by individual or job function.
(f) The responsible entity shall maintain a document defining the action plans and procedures used in subsection (a).
This section cited in 52 Pa. Code § 61.45 (relating to security planning and emergency contact list); and 52 Pa. Code § 101.6 (relating to compliance).
This material has been drawn directly from the official Pennsylvania Code full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.