Electronic Control Plan

When an entity is under FOCI mitigation (Voting Trust, Proxy Agreement, Special Security Agreement and Security Control Agreement) the NISPOM requires an electronic control plan (ECP) to be developed and implemented within 45 days of the FOCI mitigation.

ECPs must include a detailed network description and configuration diagrams delineating which networks will be shared and which will be protected from foreign access, while also addressing firewalls, remote administration, monitoring, and separate e-mail servers, as applicable. DSS is responsible for determining the needed for an ECP and approval of the plan.

Effective September 1, 2010, companies under existing FOCI mitigation agreements that require an ECP are required to be compliant with the new ECP rules by the date of their next annual DSS security inspection. The DTM 09-019, September 2, 2009, (incorporating change 1, June 8, 2010) provides additional guidance regarding the content of the Electronic Communication Plans (ECP) that companies are required to adopt.