Compliance Management Program

September 2008

By Tobias Whitney, Burns & McDonnell, and Ben Church, FPLE



Burns & McDonnell Overview

• 100% employee owned

• 109 years

• Design and EPC services

• Safety focused

• 2500 employees/owners

• 1200+ w/ electric utility experience

• 2007 revenues $820 million

• Zero debt - $1 billion in bonding capacity

• Focus on repeat clients


Compliance Clients

• FPL Energy

• Brazos G&T

• MISO

• Alberta Electric System Operator

• Department of Defense

• TransCanada

• NiSource

• Westar

• MidAmerican Energy

• Kansas City Power & Light

• Hoosier Energy

• Muscatine Power

• Northeast Utilities

• Energy East


Agenda

• The Landscape of Compliance

– What is the industry doing?

– Early Violations

• Organizational Challenges

• Compliance Documentation

• Tools and Technologies

• Q & A Session


Landscape of Compliance

• Violations - http://www.nerc.com/%7Efilez/enforcement/index.html


Landscape of Compliance

• The TOP 10 ways the industry can improve its Compliance Programs.


TOP TEN…

# 10 “Not performing a comprehensive Gap Analysis on all at risk assets and functions”

Recommendation:

Create a current scorecard of Compliance, before your Compliance Auditor does.


TOP TEN…

# 9 “Delaying Self-Reports in effort to fix the problem before you are audited.”

Recommendation:

Create a current Scorecard of Compliance, before your Compliance Auditor does.


TOP TEN…

# 8 “Owning and Operating a multi-functional electric power organization without a dedicated Compliance Manager”

Recommendation:

If your utility has more than one function, hire or identify a Compliance Manager.


Organizational Challenges

[Organization chart of the Compliance Group. Boxes shown: Executive Officer in Charge (CIO / VP Technology / VP Operations); Steering Committee; Regulatory Affairs; Policy & Governance; NERC CIP Representative; Reliability Standards Representative; Generation Business Unit; Transmission Business Unit; Business & IT Services; Corporate Security; Plant Maintenance; Market / Trading; Switchyard Operations; Line Maintenance; Substations; Planning.]


TOP TEN…

# 7 “Creating a separate set of compliance documents without updating standard operating procedures”

Recommendation:

Compliance is focused on on-going compliant operations and not audit preparation activities.


Documentation

• Control – Policy or Operating Procedure

• Method – performance language of a procedure

• Support – reference to a related standard or corporate policy

• Output – test results (Reactive Generator test results)

• Report – Standard Form (Disturbance Form)

• Audit Trail – documented proof of an activity or communication


Gap Assessment Document

• Example


Policy Structure

Impacted Divisions

Supporting Documentation


Policy Structure

Statement of Requirement as issued by NERC

Translated Requirement as applied to the Entity in relation to the standard


Policy Structure

The Entity’s practices as they relate to the requirement issued in the standard



Policy Structure

Records Retention

Reference Documents

Document Change History


TOP TEN…

# 6 “Purchasing a compliance management system before determining compliance workflow activities”

Recommendation:

Compliance management systems should be more than a document management system.


Example Systematic Workflow


TOP TEN…

# 5 “Determining that market systems are not critical cyber assets”

Recommendation:

Any system (such as AGC) that can electronically dispatch generators in aggregate (at least 1000 MW) is critical.


TOP TEN…

# 4 “Defining electronic security perimeter without security for each external interactive access session”

Recommendation:

Any remote read or read/write access to a CCA, or to systems inside the electronic security perimeter, will require some form of two-factor authentication.


TOP TEN…

# 3 Implementing a background check policy without determining what constitutes a failed background check

Recommendation:

Personnel risk assessment policies should clearly document what results should prohibit access to Critical Cyber Assets.


TOP TEN…

# 2 Sharing assets and facilities with other NERC entities without a joint registration or operating agreement in place.

Recommendation:

Determine shared functions and document compliance activities as part of joint agreement.


TOP TEN…

# 1 Allowing utilities to determine their own Risk-based methodology for determining critical assets.

Recommendation:

Each RRO should create the list of critical facilities and assets for its region.


Critical Cyber Methodology

Page 27


Critical Cyber Asset Methodology

Critical Cyber Asset Decision Tree

Continued Page 28


Organizational Challenges


Organizational Challenges

• Should Compliance be performed by the current operational departments, or should Compliance Activities be managed centrally?

• Each organization should have a dedicated Compliance Manager who manages all communication with the NERC entities.

• The Compliance Manager should be high enough in the organization to stimulate a change in operational practices.


Developing Compliance Documentation


Compliance Management Systems


Things to Remember

1. There are many vendors that make tools to help automate compliance.

2. The most important ingredient is defining how you want to use the system. Determine the following…

• Business rules and workflow tools vs. document management

• Organizational structure of compliance…who will use the system

• Cost (system, on-going, updates, work-flow changes)


General Technical Requirements

• Web Interface

• SQL Server 2003, SharePoint

• Windows Exchange Server 2007

• Interfaces:

– Maintenance & Testing Systems Database

– SCADA Operator Logs

– Vegetation Management

– Voice Logs

– Sequence of Event Recorder, DMEs

– Work Order Management/Maintenance

– Intranet

• High System Availability / Performance

• Concurrent Licenses


Compliance Management Vendors

• Archer

• AssurX’s CATSWeb ER

• AUS’s ComplianceWorks

• Brabeion

• Compliance 360

• Compliance Spectrum’s Spectra

• ControlPath

• Ember’s Heatshield

• Enviance

• Eureka’s NERCTracker

• HandySoft’s BizFlow

• Intellibind’s Operations Mentor

• HP

• Meridio

• MetricStream

• NetIQ’s Security Manager, Secure Configuration Manager, VigilEnt Policy Center

• NetVision

• OATI’s WebCompliance

• OpenPages GRCM Suite

• SAI Global’s (previously 80-20 Software) Leaders4

• Secure Elements

• Symantec CCS

• Syntex’s IMAPACT Enterprise®

• TDI’s ConsoleWorks

• Zequel


Document Management Vendors

• ACS Software’s AutoEDMS

• Bentley System’s ProjectWise

• Blue Cielo ECM Solutions, Meridian Enterprise’s InnoCielo

• CEA Technology’s Plant 4D, 4D Explorer

• ColumbiaSoft’s Document Locator

• Docuxplorer Software’s Docuxplorer

• EMC’s Documentum

• File Hold System’s FileHold

• FileNet

• Interwoven’s WorkSite

• Inforouter

• ITAZ’s doQuments

• Laserfiche

• LSSP’s eDrawer

• MetricStream

• OpenArchive’s Echive

• OpenText’s LiveLink ECM

• Oracle’s Stellent

• Perceptive Software’s ImageNow

• PitneyBowes’s Group1

• Vignette


Evaluation Matrix


High Level Selection Criteria


Q & A SESSION
