Abidance Cip Presentation

  • Critical (Physical) Assets: Electric generation, transmission and local distribution facilities; Natural gas wells, collection systems, gas processing plants, inter- and intra-state pipelines and storage; and Petroleum production, refining, inter- and intra-state pipelines plus over-the-road delivery systems and storage.

    Threat environment: Deliberate attacks caused by people (e.g., terrorists, criminals, hackers, delinquents, employees). 2. Natural attacks caused by nature (e.g., hurricanes, tornadoes, floods, wildfires, earthquake). 3. Accidental attacks caused by technological failure (e.g., pipeline rupture, chemical spills, nuclear, or biological contamination). Systemic threats caused by physical inability of energy delivery system to meet demand.

    3. Policies and Procedures: Refining policies, understanding and practicing procedures are all traditional components of comprehensive energy preparedness planning. All viable energy emergency plans should be updated regularly to assure that contemporary policies are included and that all responders are acquainted with how response and mitigation systems are designed to work.

    4. Physical security: Government has existing natural gas pipeline safety rules. Continuing to work with the industry to assure that these rules are followed increases energy assurance. Government has extensive rules pertaining to the reliable delivery of electricity. Energy emergency planning can include general descriptions of existing physical security measures as well as illustrative descriptions of the steps energy companies take to restore power or supply. This information will help planners respond to a disruption efficiently and assist officials with their explanation to the public. The infrastructure of the unregulated petroleum market is often understood in general terms only. However, the more a state knows about the location of pipelines, storage, loading terminals, preferred highway delivery routes and the nature and location of retail outlets, the more it can do to assist in a shortage. Knowledge of regional refining facilities and competing finished product markets are other pieces of the physical structure with potential security issues affecting vulnerability.

    5. Operations Security: State program developers are unlikely to need extensive knowledge of energy company operations security. It is good to know that this security is in place and that energy companies train personnel in its implementation. The role of government regarding operational security might best be to ask questions and insist on site specific security measures. Public Utility Commissions (PUC) may include operational security requirements in a Certificate of Convenience and Necessity, or other rules, for energy entities regulated by the state. Industry can assist state emergency responders by explaining their operations security process and practice. This will help public officials to plan and respond accordingly during a shortage. States may wish to have their own information technology specialists work with the energy industry and the Federal Government to improve such systems, thus increasing energy assurance.

    7. Consequence analysis means understanding downstream effects of an energy disruption. Some consequences are impacts on related energy systems; others are societal impacts such as people displaced from their homes, costs to state and local government and loss of business income.

    8. Up-to-date energy emergency plans often contain a vulnerability analysis associating state energy infrastructure with demographics. Risk is also associated with operating any type of energy power or delivery system and better understanding of this will allow planners to pre-determine the magnitude of possible damage for any given geographical area of impact. Most states already prioritize energy user risk through utility outage and restoration rules or through a critical user list contained in a state petroleum set-aside. It is suggested that planners re-examine existing priorities and make them current.

    9. Since a major purpose of such a plan is to organize these items in a meaningful way for efficient response, it may be prudent to keep some response information general rather than specific. It may be better to keep secure information stored outside of the plan for use by authorized individuals only.

    10. Some potential positive effects of efficiency and alternatives are: Providing time for responders to repair or backup energy. Protecting critical systems that no longer have primary energy. Reducing the impact of consequential system effects.
  • Abidance Cip Presentation

    1. Abidance Consulting Compliance Presentation: NERC Compliance Program (CIP Compliance)
    2. Executive Summary
       • The Abidance Consulting CIP Compliance Program coordinates and manages the monitoring of enterprise wide compliance to NERC and other regional reliability standards for the electric utility industry. As such, the program acts as a centralized coordinator between the various organizations within a NERC registered entity.
       • The Abidance Consulting Compliance Program will create, maintain, and monitor easy to use and repeatable task assignments, communications and reporting processes. The program leverages our internal energy trading and risk management, internal audit, IT security, and project management experience.
       • The end result of the program is a more efficient and sustainable compliance effort, reduced costs (internal and external), and collapsed timelines for compliance.
       • The Abidance Consulting program uses an integrated project approach for NERC Compliance (CIP, IT Security, Business Continuity Planning):
          • Program Management Office
          • CIP Compliance
          • Integrated Security
          • Business Continuity Planning
       ©Copyright 2008-2009 Abidance Consulting All Rights Reserved.
    3. CIP Program - Framework (Abidance Consulting – NERC CIP Program)
       [Diagram. Labels: Prioritize Protective Effectiveness Metrics; State, Federal, Local; Program Management Office; Feedback for continuous improvement; Design, Monitoring, Audit, Assessment; FERC Order; NERC CIP Compliance; Integrated Security; Business Continuity Planning.]
    4. CIP Program - Process (Abidance Consulting - NERC CIP Program)
       [Diagram. Stages: Design, Monitoring, Assessment, Audit, with feedback for continuous improvement.]
       Items shown, in slide order: Identify, Develop List, Gap Analysis, Decision tree, Industry research, Define, Audit Items, Risk Assessment, Critical Assets, Educate, Communication, Requirements, Detail Designs, Cost Estimates, Plan, Information, Classification, Guidelines, Interdependence, Implement, Policy, Procedures, Training, Documentation.
    5. Program Management - Summary
       • Abidance Consulting NERC CIP Management Approach
       Stages shown: Understand Compliance Requirements; Execute Compliance; Monitor Compliance; Report & Communicate Results; Document Compliance.
       Activities shown, in slide order:
          • Identify all requirements and reporting obligations
          • Identify gaps & risks
          • Develop plans to close gaps and risks
          • Identify measurable metrics
          • Identify emerging requirements
          • Assign internal owner
          • Evaluate NERC CIP Program potential impacts of emerging requirements
          • Develop and implement plans to influence emerging requirements
          • Coordinate internal representation with external resources & regulatory agencies
          • Establish mechanisms to monitor performance & schedule
          • Develop mechanism to self-report violations (as required)
          • Incorporate compliance into goals & performance reviews
          • Conduct periodic assessments of risks & improvement opportunities
          • Set tone at the top
          • Define specific roles & responsibilities
          • Establish written procedures & guidelines
          • Execute plans to meet requirements, close gaps, & risk
          • Identify training needs and develop programs to meet those needs
       Document Compliance:
          • Compliance procedures
          • Quality assurance process
          • Compliance calendar
          • Performance management system
          • Training programs
          • Issue management plans
          • Department management
    6. Program Management - Goals & Responsibilities
       • Develop a compliance program focused on continuous performance improvement.
       • Meet all compliance requirements through well documented, auditable processes.
       • Ensure proper documentation and communication of information needed for compliance.
       Executive Level, Oversight Level, Program Managers (responsibilities in slide order):
          • Oversee Compliance Program.
          • Sign off on compliance.
          • Oversee the process to ensure compliance with the standards.
          • Prioritize remediation efforts and resolve escalated issues.
          • Sign off on compliance.
          • Work with Sponsors and Owners to prepare a detailed compliance plan.
          • Create controls to manage scope, costs, schedule, risk and resources.
          • Monitor and report performance of the plan to the Oversight Committee.
       Sponsor:
          • Director Level.
          • Oversees the work of compliance owner.
       Owner:
          • Assess the impact of the cyber security standard.
          • Identify compliance gaps.
          • Develop plans to close the gaps (training, hardware, software, or procedures).
          • Identify testing needs, execution, and documentation of the test results.
          • Identify actions required to fully comply with the standard.
    7. NERC 693 Project – Scope of Work
       • Documentation
          • Create CIP Compliance Program
          • Establish written procedures for documenting and tracking reliability requirements
          • Compliance schedule matrix
          • Compliance procedure requirements
          • New compliance requirements
          • Gap analysis
          • Self-Certification, Self-Reporting & Investigation
       • Educating and training departments on regulatory requirements
       • Compliance Schedule and Survey Preparation
          • Completion of surveys
          • Compliance schedule matrix
          • Quality assurance
       • Create Repeatable and Sustainable Process
          • Evidence collection
          • Audit test plans
       • Coordinating efforts with corporate and other departments
       • Developing and executing a compliance implementation plan
       • Leverage existing IT SOX Audit efforts
          • Centralized document repository
          • Documentation of current policies and procedures
       • Identifying opportunities for improvement
       • Corrective action plan recommendation
    8. Summary - Compliance Success
       The Abidance Consulting CIP Program will deliver to NERC Compliance Team:
       • A strong corporate commitment to a NERC CIP Compliance Program.
       • An aggressive but achievable timeline and tracking.
       • Development of a strong governance model with decision making approvals.
       • Detailed assessments and gap analysis.
       • Management sign-off at each step / milestone.
       • Development of action plans aligned with CIP requirements.
       • Starting the compliance process early and with the right approach.
       • A process to leverage SOX compliance – both from a project standpoint and corporate oversight.
       • A process for cross functional teams to create compliance ‘buy-in’.
       • A program management office to prioritize and set achievable goals and objectives to management with measurable metrics.
       • The creation of standardized, sustainable, and repeatable processes.
    9. NERC CIP Security Standards
       • The intent of the proposed Cyber Security Standards is to ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.
       • This implementation plan is based on the following assumptions:
       • Standard CIP-002 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment.
       • Cyber Security Standards:
          • CIP-002-1
          • CIP-003-1
          • CIP-004-1
          • CIP-005-1
          • CIP-006-1
          • CIP-007-1
          • CIP-008-1
          • CIP-009-1
       • Cyber Security Standards CIP-002-1 through CIP-009-1 became effective June 1, 2006.
    10. NERC Implementation Timeline - CIP
        Key: Begin Work (BW), Substantially Compliant (SC), Compliant (C), and Auditably Compliant (AC)

        | Requirement | Dec 31, 2007 | Dec 31, 2008 | Dec 31, 2009 | Dec 31, 2010 |
        |---|---|---|---|---|
        | CIP-002-1 Critical Cyber Assets | BW | SC | C | AC |
        | CIP-003-1 Security Management Controls | BW | SC | C | AC |
        | CIP-004-1 Personnel & Training | BW | SC | C | AC |
        | CIP-005-1 Electronic Security | BW | SC | C | AC |
        | CIP-006-1 Physical Security | BW | SC | C | AC |
        | CIP-007-1 Systems Security Management | BW | SC | C | AC |
        | CIP-008-1 Incident Reporting and Response Planning | BW | SC | C | AC |
        | CIP-009-1 Recovery Plans | BW | SC | C | AC |
    11. NERC CIP Standards Overview: Eight Standards / 41 Requirements
        • CIP-002 Critical Cyber Assets: CRITICAL ASSETS; CRITICAL CYBER ASSETS; ANNUAL REVIEW; ANNUAL APPROVAL
        • CIP-003 Security Management Controls: CYBER SECURITY POLICY; SENIOR LEADERSHIP; EXCEPTIONS; INFORMATION PROTECTION; ACCESS CONTROL; CHANGE CONTROL
        • CIP-004 Personnel & Training: AWARENESS TRAINING; PERSONNEL; RISK ASSESSMENT; ACCESS
        • CIP-005 Electronic Security: ELECTRONIC SECURITY PERIMETER; ELECTRONIC ACCESS CONTROLS; MONITORING ELECTRONIC ACCESS; CYBER VULNERABILITY ASSESSMENT DOCUMENTATION
        • CIP-006 Physical Security: PLAN; PHYSICAL ACCESS CONTROLS; MONITORING PHYSICAL ACCESS; LOGGING PHYSICAL ACCESS; ACCESS LOG RETENTION; MAINTENANCE & TESTING
        • CIP-007 Systems Security Management: TEST PROCEDURES; PORTS & SERVICES; SECURITY PATCH MANAGEMENT; MALICIOUS SOFTWARE PREVENTION; ACCOUNT MANAGEMENT; SECURITY STATUS MONITORING; DISPOSAL OR REDEPLOYMENT; CYBER ASSESS; DOCUMENTATION
        • CIP-008 Incident Reporting & Response Planning: CYBER SECURITY INCIDENT RESPONSE PLAN DOCUMENTATION
        • CIP-009 Recovery Plans: RECOVERY PLANS; EXERCISES; CHANGE CONTROL; BACKUP & RESTORE; TESTING BACKUP STRATEGIES
    12. Abidance Consulting - Process for CIP Compliance
        Phases:
        • Phase 0: Define the Scope
        • Phase 1: Initiate Project
        • Phase 2: Risk Impact Assessment
        • Phase 3: Vulnerability Analysis
        • Phase 4: Remediation Plan
        • Phase 5: Execute Plan
        Activities shown, in slide order:
        • CREATE SECURITY POLICY (PHYSICAL & CYBER)
        • PLAN PHYSICAL & CYBER MONITORING
        • DEVELOP TEST PROCEDURES
        • DEVELOP INCIDENT RESPONSE TEAM & DOCUMENTATION
        • DEVELOP RECOVERY PLAN
        • IMPLEMENT POLICY
        • EMPLOYEE TRAINING & AWARENESS
        • TEST & VALIDATE PLANS
        • DRAFT REPORTING STRUCTURE
        • SELF ASSESSMENT (CURRENT STATE)
        • MANAGEMENT SPONSORSHIP
        • VULNERABILITY ASSESSMENT
        • IT SECURITY ASSESSMENT
        • PHYSICAL PLANT INSPECTIONS
        • SUPPLY CHAIN IMPACT
        • IDENTIFY CRITICAL INTER-DEPENDENCIES
        • GAP ANALYSIS
        • INVENTORY CRITICAL PHYSICAL ASSETS
        • DETERMINE CRITICAL CYBER ASSETS
        • CREATE RISK BASED METHODOLOGY FOR IDENTIFICATION
        • INVENTORY IT INFRASTRUCTURE
        • IDENTIFY CROSS FUNCTIONAL TEAMS
        • EDUCATE TEAMS
        • DETERMINE ROLE & RESPONSIBILITIES
        • REVIEW EXISTING DOCUMENTATION & PROCEDURES
        • ESTABLISH PROJECT FRAMEWORK & REPORTING STRUCTURE
    13. Abidance Consulting - High Level Overview / To-Do’s Per CIP
        • CIP-002 Entire Scope of work yet to be determined until Risk Based Assessment is performed
           • Critical Assets as defined by NERC
           • Critical Assets as defined by Internal Audit risk based assessments
           • Critical Cyber Assets located at identified Critical Physical Assets
           • Who is going to perform / lead risk assessment? Compliance and Operations group best situated due to expertise in this area.
        • CIP-003 Creation of Cyber Security Policy
           • Create Access Control policy
           • Create Change Control policy
           • Create a plan for business continuity and disaster recovery
        • CIP-004 – Personnel and Training
           • Creation of corporate NERC training program
           • Identify resources to perform the plant training
        • CIP-005 – Electronic Security Perimeters
           • Ensure that an electronic security perimeter has been created and that all critical cyber assets reside within
           • Creation of procedures to document standards of access and how to monitor the electronic security perimeter
           • Creation of a cyber vulnerability assessment of the electronic access points
        • CIP-006 – Physical Security of Critical Cyber Assets (operational data center)
           • Create and maintain a physical security plan for operations
        • CIP-007 – System Security Management
           • Perform security assessment on plant operations network.
           • Convert existing corporate Patch management policy to NERC policy
        • CIP-008 – Incident Reporting and Response Planning
           • Create Cyber Security Incident and Response policy
        • CIP-009 – Recovery plans for Critical Cyber Assets
           • Create Backup Restore and Recovery policy
    14. Abidance Consulting - Functional Framework for CIP
        [Diagram. Functions: Access Control; Document Control; Information Classification & Handling; Testing & QA; Asset Inventory; Incident Response; Systems Management; Recovery Operations; Network Management; Vulnerability Assessment; Training; Physical Security; Governance; Risk Management; Change Control.]
        [Teams labelled against the functions: Corporate IS; IT Compliance; Government & Regulatory Affairs; Commercial Operations.]
    15. Abidance Consulting - Functional Responsibility by Team
        [Diagram: CIP Compliance Framework. Teams: Corporate IS; PMO; IT Compliance; Commercial Operations; Regulatory / Legal.]
        Functions shown, in slide order:
        • Asset Inventory
        • Risk Management
        • Systems Management
        • Recovery Operations
        • Training
        • Access and Change Control
        • Incident Response
        • Recovery Operations
        • Network Management
        • Systems Management
        • Vulnerability Assessment
        • Physical Security
        • Asset inventory
        • Information Classification & Handling
        • Governance
        • Document Control
        • Document Control
        • Testing & QA
        • Training
        • Information Classification & Handling
        • Asset Inventory
        • Access Control
        • Change Control
        • Budget Tracking
        • Budget Estimating
        • Risk & Issue Management