Abidance Consulting Compliance Presentation
NERC Compliance Program (CIP Compliance)
NERC Compliance Program
©Copyright 2008-2009 Abidance Consulting All Rights Reserved.
Executive Summary
The Abidance Consulting CIP Compliance Program coordinates and manages the monitoring of enterprise-wide compliance with NERC and other regional reliability standards for the electric utility industry. As such, the program acts as a centralized coordinator between the various organizations within a NERC registered entity.
The Abidance Consulting Compliance Program will create, maintain, and monitor easy-to-use and repeatable task assignments, communications and reporting processes. The program leverages our internal energy trading and risk management, internal audit, IT security, and project management experience.
The end result of the program is a more efficient and sustainable compliance effort, reduced costs (internal and external), and collapsed timelines for compliance.
The Abidance Consulting program uses an integrated project approach for NERC Compliance (CIP, IT Security, Business Continuity Planning):
- Program Management Office
- CIP Compliance
- Integrated Security
- Business Continuity Planning
CIP Program - Framework

[Framework diagram] A Program Management Office spans three tracks: NERC CIP Compliance, Integrated Security, and Business Continuity Planning. Regulatory drivers shown: FERC Order; State, Federal and Local requirements. Program cycle: Design, Monitoring, Audit, Assessment, with feedback for continuous improvement. Objectives: Prioritize; Protective Effectiveness Metrics.

Abidance Consulting – NERC CIP Program
CIP Program - Process

[Process diagram: Design, Monitoring, Assessment and Audit, with feedback for continuous improvement]

Identify
- Develop List
- Gap Analysis
- Decision tree
- Industry research

Define
- Audit Items
- Risk Assessment
- Critical Assets

Educate
- Communication
- Requirements
- Detail Designs
- Cost Estimates

Plan
- Information
- Classification
- Guidelines
- Interdependence

Implement
- Policy
- Procedures
- Training
- Documentation

Abidance Consulting - NERC CIP Program
Program Management - Summary

Abidance Consulting NERC CIP Management Approach: Understand Compliance Requirements -> Execute Compliance -> Monitor Compliance -> Report & Communicate Results -> Document Compliance

Understand Compliance Requirements
- Identify all requirements and reporting obligations
- Identify gaps & risks
- Develop plans to close gaps and risks
- Identify measurable metrics

Execute Compliance
- Set tone at the top
- Define specific roles & responsibilities
- Establish written procedures & guidelines
- Execute plans to meet requirements, close gaps, & risks
- Identify training needs and develop programs to meet those needs

Monitor Compliance
- Establish mechanisms to monitor performance & schedule
- Develop mechanism to self-report violations (as required)
- Incorporate compliance into goals & performance reviews
- Conduct periodic assessments of risks & improvement opportunities

Report & Communicate Results
- Identify emerging requirements
- Assign internal owner
- Evaluate NERC CIP Program potential impacts of emerging requirements
- Develop and implement plans to influence emerging requirements
- Coordinate internal representation with external resources & regulatory agencies

Document Compliance
- Compliance procedures
- Quality assurance process
- Compliance calendar
- Performance management system
- Training programs
- Issue management plans
- Department management
Program Management - Goals & Responsibilities
Develop a compliance program focused on continuous performance improvement. Meet all compliance requirements through well documented, auditable processes. Ensure proper documentation and communication of information needed for compliance.
Executive Level
- Oversee Compliance Program.
- Sign off on compliance.

Oversight Level
- Oversee the process to ensure compliance with the standards.
- Prioritize remediation efforts and resolve escalated issues.
- Sign off on compliance.

Program Managers
- Work with Sponsors and Owners to prepare a detailed compliance plan.
- Create controls to manage scope, costs, schedule, risk and resources.
- Monitor and report performance of the plan to the Oversight Committee.

Sponsor
- Director Level.
- Oversees the work of the compliance owner.

Owner
- Assess the impact of the cyber security standard.
- Identify compliance gaps.
- Develop plans to close the gaps (training, hardware, software, or procedures).
- Identify testing needs, execution, and documentation of the test results.
- Identify actions required to fully comply with the standard.
NERC 693 Project – Scope of Work

- Documentation
  - Create CIP Compliance Program
  - Establish written procedures for documenting and tracking reliability requirements
  - Compliance schedule matrix
  - Compliance procedure requirements
  - New compliance requirements
  - Gap analysis
  - Self-Certification, Self-Reporting & Investigation
- Educating and training departments on regulatory requirements
- Compliance Schedule and Survey Preparation
  - Completion of surveys
  - Compliance schedule matrix
  - Quality assurance
- Create Repeatable and Sustainable Process
  - Evidence collection
  - Audit test plans
- Coordinating efforts with corporate and other departments
- Developing and executing a compliance implementation plan
- Leverage existing IT SOX Audit efforts
  - Centralized document repository
  - Documentation of current policies and procedures
- Identifying opportunities for improvement
- Corrective action plan recommendation
Summary - Compliance Success

The Abidance Consulting CIP Program will deliver to the NERC Compliance Team:
- A strong corporate commitment to a NERC CIP Compliance Program.
- An aggressive but achievable timeline and tracking.
- Development of a strong governance model with decision-making approvals.
- Detailed assessments and gap analysis.
- Management sign-off at each step / milestone.
- Development of action plans aligned with CIP requirements.
- Starting the compliance process early and with the right approach.
- A process to leverage SOX compliance, both from a project standpoint and corporate oversight.
- A process for cross-functional teams to create compliance 'buy-in'.
- A program management office to prioritize and set achievable goals and objectives for management with measurable metrics.
- The creation of standardized, sustainable, and repeatable processes.
NERC CIP Security Standards

The intent of the proposed Cyber Security Standards is to ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.

This implementation plan is based on the following assumptions:

Standard CIP-002 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment.

Cyber Security Standards:
- CIP-002-1
- CIP-003-1
- CIP-004-1
- CIP-005-1
- CIP-006-1
- CIP-007-1
- CIP-008-1
- CIP-009-1

Cyber Security Standards CIP-002-1 through CIP-009-1 became effective June 1, 2006.
NERC Implementation Timeline - CIP

Requirement                                        Dec 31, 2007  Dec 31, 2008  Dec 31, 2009  Dec 31, 2010
CIP-002-1 Critical Cyber Assets                    BW            SC            C             AC
CIP-003-1 Security Management Controls             BW            SC            C             AC
CIP-004-1 Personnel & Training                     BW            SC            C             AC
CIP-005-1 Electronic Security                      BW            SC            C             AC
CIP-006-1 Physical Security                        BW            SC            C             AC
CIP-007-1 Systems Security Management              BW            SC            C             AC
CIP-008-1 Incident Reporting and Response Planning BW            SC            C             AC
CIP-009-1 Recovery Plans                           BW            SC            C             AC

Begin Work (BW), Substantially Compliant (SC), Compliant (C), and Auditably Compliant (AC)
NERC CIP Standards Overview

Eight Standards / 41 Requirements

CIP-002 Critical Cyber Assets
- Critical Assets
- Critical Cyber Assets
- Annual Review
- Annual Approval

CIP-003 Security Management Controls
- Cyber Security Policy
- Senior Leadership
- Exceptions
- Information Protection
- Access Control
- Change Control

CIP-004 Personnel & Training
- Awareness
- Training
- Personnel Risk Assessment
- Access

CIP-005 Electronic Security
- Electronic Security Perimeter
- Electronic Access Controls
- Monitoring Electronic Access
- Cyber Vulnerability Assessment
- Documentation

CIP-006 Physical Security
- Plan
- Physical Access Controls
- Monitoring Physical Access
- Logging Physical Access
- Access Log Retention
- Maintenance & Testing

CIP-007 Systems Security Management
- Test Procedures
- Ports & Services
- Security Patch Management
- Malicious Software Prevention
- Account Management
- Security Status Monitoring
- Disposal or Redeployment
- Cyber Assess
- Documentation

CIP-008 Incident Reporting & Response Planning
- Cyber Security Incident Response Plan
- Documentation

CIP-009 Recovery Plans
- Recovery Plans
- Exercises
- Change Control
- Backup & Restore
- Testing Backup Strategies
Abidance Consulting - Process for CIP Compliance

Phase 0 - Define the Scope
- Draft reporting structure
- Self assessment (current state)
- Management sponsorship

Phase 1 - Initiate Project
- Identify cross-functional teams
- Educate teams
- Determine roles & responsibilities
- Review existing documentation & procedures
- Establish project framework & reporting structure

Phase 2 - Risk Impact Assessment
- Inventory critical physical assets
- Determine critical cyber assets
- Create risk-based methodology for identification
- Inventory IT infrastructure

Phase 3 - Vulnerability Analysis
- Vulnerability assessment
- IT security assessment
- Physical plant inspections
- Supply chain impact
- Identify critical inter-dependencies
- Gap analysis

Phase 4 - Remediation Plan
- Create security policy (physical & cyber)
- Plan physical & cyber monitoring
- Develop test procedures
- Develop incident response team & documentation
- Develop recovery plan

Phase 5 - Execute Plan
- Implement policy
- Employee training & awareness
- Test & validate plans
Abidance Consulting - High Level Overview / To-Do's Per CIP

CIP-002 – Entire scope of work yet to be determined until Risk Based Assessment is performed
- Critical Assets as defined by NERC
- Critical Assets as defined by Internal Audit risk based assessments
- Critical Cyber Assets located at identified Critical Physical Assets
- Who is going to perform / lead the risk assessment? The Compliance and Operations group is best situated due to its expertise in this area.

CIP-003 – Creation of Cyber Security Policy
- Create Access Control policy
- Create Change Control policy
- Create a plan for business continuity and disaster recovery

CIP-004 – Personnel and Training
- Creation of corporate NERC training program
- Identify resources to perform the plant training

CIP-005 – Electronic Security Perimeters
- Ensure that an electronic security perimeter has been created and that all critical cyber assets reside within it
- Creation of procedures to document standards of access and how to monitor the electronic security perimeter
- Creation of a cyber vulnerability assessment of the electronic access points

CIP-006 – Physical Security of Critical Cyber Assets (operational data center)
- Create and maintain a physical security plan for operations

CIP-007 – System Security Management
- Perform security assessment on plant operations network
- Convert existing corporate patch management policy to NERC policy

CIP-008 – Incident Reporting and Response Planning
- Create Cyber Security Incident and Response policy

CIP-009 – Recovery Plans for Critical Cyber Assets
- Create Backup, Restore and Recovery policy
Abidance Consulting - Functional Framework for CIP

[Framework diagram] Functional areas: Access Control, Document Control, Information Classification & Handling, Testing & QA, Asset Inventory, Incident Response, Systems Management, Recovery Operations, Network Management, Vulnerability Assessment, Training, Physical Security, Governance, Risk Management, Change Control. Each area is assigned to one or more of the following groups: Corporate IS, IT Compliance, Government & Regulatory Affairs, Commercial Operations.
Abidance Consulting - Functional Responsibility by Team

Teams around the CIP Compliance Framework: Corporate IS, PMO, IT Compliance, Commercial Operations, Regulatory / Legal.

Responsibility groups as shown on the slide:

Group 1
- Asset Inventory
- Risk Management
- Systems Management
- Recovery Operations
- Training

Group 2
- Access and Change Control
- Incident Response
- Recovery Operations
- Network Management
- Systems Management
- Vulnerability Assessment
- Physical Security

Group 3
- Asset Inventory
- Information Classification & Handling
- Governance
- Document Control

Group 4
- Document Control
- Testing & QA
- Training
- Information Classification & Handling
- Asset Inventory
- Access Control
- Change Control

PMO
- Budget Tracking
- Budget Estimating
- Risk & Issue Management