Compliance Management Program
September 2008
By Tobias Whitney, Burns & McDonnell, and Ben Church, FPLE
Burns & McDonnell Overview
• 100% employee owned
• 109 years
• Design and EPC services
• Safety focused
• 2500 employees/owners
• 1200+ w/ electric utility experience
• 2007 revenues $820 million
• Zero debt - $1 billion in bonding capacity
• Focus on repeat clients
Compliance Clients
• FPL Energy
• Brazos G&T
• MISO
• Alberta Electric System Operator
• Department of Defense
• TransCanada
• NiSource
• Westar
• MidAmerican Energy
• Kansas City Power & Light
• Hoosier Energy
• Muscatine Power
• Northeast Utilities
• Energy East
Agenda
• The Landscape of Compliance
– What is the industry doing?
– Early Violations
• Organizational Challenges
• Compliance Documentation
• Tools and Technologies
• Q & A Session
Landscape of Compliance
• Violations - http://www.nerc.com/%7Efilez/enforcement/index.html
Landscape of Compliance
• The TOP 10 ways the industry can improve its Compliance Programs.
TOP TEN…
# 10 “Not performing a comprehensive Gap Analysis on all at-risk assets and functions”
Recommendation:
Create a current scorecard of Compliance, before your Compliance Auditor does.
TOP TEN…
# 9 “Delaying Self-Reports in effort to fix the problem before you are audited.”
Recommendation:
Create a current Scorecard of Compliance, before your Compliance Auditor does.
TOP TEN…
# 8 “Owning and Operating a multi-functional electric power organization without a dedicated Compliance Manager”
Recommendation:
If your utility has more than one function, hire or identify a Compliance Manager.
Organizational Challenges
Compliance Group (org chart)
• Executive Officer in Charge: CIO / VP Technology / VP Operations
• NERC CIP Representative
• Reliability Standards Representative
• Steering Committee: Regulatory Affairs, Policy & Governance
• Business units and functions covered:
– Generation Business Unit
– Transmission Business Unit
– Business & IT Services
– Corporate Security
– Plant Maintenance
– Market / Trading
– Switchyard Operations
– Line Maintenance
– Substations
– Planning
TOP TEN…
# 7 “Creating a separate set of compliance documents without updating standard operating procedures”
Recommendation:
Compliance is focused on ongoing compliant operations, not on audit preparation activities.
Documentation
• Control – Policy or Operating Procedure
• Method – performance language of a procedure
• Support – reference to related standard or corporate policy
• Output – test results (Reactive Generator test results)
• Report – Standard Form (Disturbance Form)
• Audit Trail – documented proof of activity or communication
Gap Assessment Document
• Example
Policy Structure
• Impacted Divisions
• Supporting Documentation
• Statement of Requirement as issued by NERC
• Translated Requirement as applied to the Entity in relation to the standard
• The Entity’s practices as they relate to the issued requirement in the standard
• Records Retention
• Reference Documents
• Document Change History
TOP TEN…
# 6 “Purchasing a compliance management system before determining compliance workflow activities”
Recommendation:
Compliance management systems should be more than a document management system.
Example Systematic Workflow
TOP TEN…
# 5 “Determining that market systems are not critical cyber assets”
Recommendation:
Any system (such as AGC) that can perform an aggregate (at least 1000 MW) electronic dispatching of generators is critical.
TOP TEN…
# 4 “Defining electronic security perimeter without security for each external interactive access session”
Recommendation:
Any remote read or read/write access to a CCA or systems inside the electronic security perimeter will require some form of two factor authentication.
TOP TEN…
# 3 “Implementing a background check policy without determining what constitutes a failed background check”
Recommendation:
Personnel risk assessment policies should clearly document what results should prohibit access to Critical Cyber Assets.
TOP TEN…
# 2 “Sharing assets and facilities with other NERC entities without a joint registration or operating agreement in place.”
Recommendation:
Determine shared functions and document compliance activities as part of the joint agreement.
TOP TEN…
# 1 “Allowing utilities to determine their own Risk-based methodology for determining critical assets.”
Recommendation:
Each RRO should create the list of critical facilities and assets for their region.
Critical Cyber Asset Methodology
Critical Cyber Asset Decision Tree (diagram spanning two slides)
Organizational Challenges
• Should Compliance be performed by current operational departments, or should Compliance Activities be managed centrally?
• Each organization should have a dedicated Compliance Manager who manages all communication with the NERC entities.
• The Compliance Manager should be high enough in the organization to stimulate a change in operational practices.
Developing Compliance Documentation
Compliance Management Systems
Things to Remember
1. There are many Vendors that make tools to help automate compliance
2. The most important ingredient is defining how you want to use the system. Determine the following…
• Business rules and workflow tools vs. document management
• Organizational structure of compliance…who will use the system
• Cost (system, on-going, updates, work-flow changes)
General Technical Requirements
• Web Interface
• SQL Server 2003, SharePoint
• Windows Exchange Server 2007
• Interfaces:
– Maintenance & Testing Systems Database
– SCADA Operator Logs
– Vegetation Management
– Voice Logs
– Sequence of Event Recorder, DMEs,
– Work Order Management/Maintenance
– Intranet
• High System Availability / Performance
• Concurrent Licenses
Compliance Management Vendors
• Archer
• AssurX’s CATSWeb ER
• AUS’s ComplianceWorks
• Brabeion
• Compliance 360
• Compliance Spectrum’s Spectra
• ControlPath
• Ember’s Heatshield
• Enviance
• Eureka’s NERCTracker
• HandySoft’s BizFlow
• Intellibind’s Operations Mentor
• HP
• Meridio
• MetricStream
• NetIQ’s Security Manager, Secure Configuration Manager, VigilEnt Policy Center
• NetVision
• OATI’s WebCompliance
• OpenPages GRCM Suite
• SAI Global’s (previously 80-20 Software) Leaders4
• Secure Elements
• Symantec CCS
• Syntex’s IMAPACT Enterprise®
• TDI’s ConsoleWorks
• Zequel
Document Management Vendors
• ACS Software’s AutoEDMS
• Bentley System’s ProjectWise
• Blue Cielo ECM Solutions, Meridian Enterprise’s InnoCielo
• CEA Technology’s Plant 4D, 4D Explorer
• ColumbiaSoft’s Document Locator
• Docuxplorer Software’s Docuxplorer
• EMC’s Documentum
• File Hold System’s FileHold
• FileNet
• Interwoven’s WorkSite
• Inforouter
• ITAZ’s doQuments
• Laserfiche
• LSSP’s eDrawer
• MetricStream
• OpenArchive’s Echive
• OpenText’s LiveLink ECM
• Oracle’s Stellent
• Perceptive Software’s ImageNow
• PitneyBowes’s Group1
• Vignette
Evaluation Matrix
High Level Selection Criteria
Q & A SESSION