Mapping Cybersecurity Programs
to CIP Compliance
Scott M. Baron
Director – Digital Risk & Security Governance
National Grid
Agenda
• Introductions
• Section 1: What is…
• Section 2: IT GRC Convergence Stages
• Section 3: Tools, Automation and Metrics
• Section 4: Building the Program
– Establish Governance Body for IT
– Supported Policies, Standards and Controls
– Consistent Risk Analysis and Management
– Single Empowered Compliance Team
INTRODUCTIONS
Mapping Cybersecurity Programs to CIP Compliance
Introductions
An Overview of National Grid
• National Grid is an international electricity and gas company and one of the
largest investor-owned utilities in the world. We are the largest utility in the
UK and the second-largest utility in the US, focused on delivering energy
safely, reliably and efficiently.
• In the northeastern US we have electricity transmission systems and
distribution networks that deliver electricity to 3.3 million customers.
• We own and operate generation stations with a total capacity of 6,650MW
and provide services to the 1.1 million electricity customers of the Long
Island Power Authority.
• We own gas storage facilities and provide natural gas to approximately 3.4
million customers.
Objectives
This session will demonstrate how you can integrate the NERC
CIP standards into an effective cybersecurity program. Key
points include:
• Principles of an aligned and effective governance, risk and
compliance program
• Evaluation of a risk-based vs. rules-based security program
• Effective use of a rules-based framework to support your
cybersecurity program
IS Risk & Compliance Framework
[Diagram: Consolidated Controls Set, IS Risk Profile, Assurance]
SECTION 1: WHAT IS…?
What is… IT GRC
[Diagram: IT GRC. Source: Wikipedia]
What is… IT Governance
• “… consists of the leadership and organizational structures
and processes that ensure that the organization's IT
sustains and extends the organization's strategies and
objectives”
Benefits of a well-executed Governance Program
• IT investments that support business objectives
• Alignment of policy with business objectives
• Effective use of resources
• Consistency in decisions and enforcement
• Collaboration breeds support
What is… IT Risk
• Risk Management is the process by which an organization
sets the risk appetite, identifies potential risks and prioritizes
the tolerance for risk based on the organization’s business
objectives. Risk Management leverages internal controls to
manage and mitigate risk throughout the organization.
Benefits of a well-executed Risk Program
• Clearly demonstrates the corporation's current risk profile
• Transparency allows management to make informed
business decisions
• Establishes a risk tolerance / appetite for the business
• Clear definition of roles and responsibilities related to IT
risks
• Aligns with enterprise risk management (ERM)
What is… IT Compliance
• Compliance is the process that records and monitors the policies, procedures and controls needed to
enable compliance with legislative or industry mandates as well as internal policies
Benefits of a well-executed Compliance Program
• Provides assurance to stakeholders that policies are
enforced and standards are in place
• Develops a clear understanding of internal processes
• Efficient response to regulatory requirements
• Focused effort on identifying and resolving policy
deficiencies
• Provides validation for the risk profile
Section Recap
• Key takeaways:
– Governance, Risk and
Compliance programs are
interrelated
– Roles and Responsibilities for
GRC tasks must be defined
SECTION 2: IT GRC CONVERGENCE
STAGES
Stage 1: Silo Compliance
[Diagram: three separate silos, each creating its own policies and enforcing its own compliance]
• Silo 1: Access and Identity Management; Threat and Vulnerability Management
– Policy / Standard Creation
– Compliance Enforcement
• Silo 2: Perimeter Security; Incident Response
– Policy / Standard Creation
– Compliance Enforcement
• Silo 3: Project Methodology; Project Risk
– Policy / Standard Creation
– Compliance Enforcement
Stage 2: Regulatory Compliance
Regulatory Compliance Team
• Sarbanes-Oxley
• PCI-DSS
• HIPAA
• GLBA
• NERC
Stage 3: Converged IT GRC
• Common Policy / Controls
• IT Compliance Enforcement
• Risk Management
Section Recap
• Key takeaways:
– Three stages of IT GRC
– Nearly all organizations have a
GRC program in varying stages…
but may not realize it
– Work within your own company
processes
SECTION 3: TOOLS,
AUTOMATION AND METRICS
Tools, Automation and Metrics
[Diagram: GRC Suite assembled from interoperating tools]
• SharePoint
• WebSphere
• Workflow tools
• Tripwire (Open Source or Commercial)
• SNORT
• MS Excel
• CIS Audit Tools
• NESSUS / Microsoft
Section Recap
• Key takeaways:
– No single tool will fill all GRC
requirements; it is important to
focus on interoperability
– Other useful resources available
free or nearly free on the Internet
SECTION 4: BUILDING THE
PROGRAM
Building the Program
ESTABLISH A GOVERNANCE
BODY FOR IT
GRC in a Bag:
Building a Complete GRC Program Utilizing ISACA Resources
Establish a Governance Body for IT
Resources
• ITGI Documents
– IT Governance Domain Practices and Competencies
Series
• Information Risks: Whose Business Are They?
• Optimising Value Creation From IT Investments
• Measuring and Demonstrating the Value of IT
• Governance of Outsourcing
• IT Alignment—IT Strategy Committees
– Board Briefing on IT Governance
– Information Security Governance: Guidance for Boards
and Executive Management
– IT Governance Global Status Report
• ISACA
– Implementing and Continually Improving IT Governance
– Val IT Framework
SUPPORTED POLICIES,
STANDARDS AND CONTROLS
Policy Consolidation / Mapping
Policy Creation / Mapping
Standards, Controls, Risks and Tests
Resources
• CobiT
– CobiT Mapping Series
– CobiT Quickstart, 2nd Edition
– CobiT Security Baseline, 2nd Edition
– IT Assurance Guide: Using CobiT
• Compliance / Regulatory Frameworks
– PCI DSS
– NIST 800-53
– ISO 27001 / 27002
• Unified Compliance Framework
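The consolidated controls set this section describes, as an added example that is not part of the original deck: one internal control is tested once and its result is reported against every framework requirement it evidences, which also makes coverage gaps visible. Control IDs, requirement references, the in-scope list and the test results are all constructed for illustration.

```python
# Constructed example of a consolidated control set mapped to several
# frameworks. Requirement identifiers are illustrative placeholders; check them
# against the edition of each standard you are actually audited against.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    statement: str
    satisfies: frozenset  # requirement refs of the form "FRAMEWORK:REQUIREMENT"


@dataclass(frozen=True)
class TestResult:
    control_id: str
    passed: bool
    evidence: str


def split_ref(ref: str) -> tuple[str, str]:
    """Split "NERC CIP:CIP-007 R2" into ("NERC CIP", "CIP-007 R2")."""
    framework, requirement = ref.split(":", 1)
    return framework.strip(), requirement.strip()


# One internal control per topic, mapped once to every requirement it evidences
# (the Stage 3 "common policy / controls" idea).
CONTROLS = (
    Control("CC-01", "Security patches are evaluated and applied on a defined schedule",
            frozenset({"NERC CIP:CIP-007 R2", "PCI DSS:6.2", "NIST 800-53:SI-2", "ISO 27001:A.12.6.1"})),
    Control("CC-02", "Access is revoked when personnel leave or change role",
            frozenset({"NERC CIP:CIP-004 R5", "PCI DSS:8.1.3", "NIST 800-53:AC-2", "ISO 27001:A.9.2.6"})),
    Control("CC-03", "Network boundaries enforce a documented, reviewed rule set",
            frozenset({"NERC CIP:CIP-005 R1", "PCI DSS:1.1", "NIST 800-53:SC-7", "ISO 27001:A.13.1.1"})),
    Control("CC-04", "Security events are logged and reviewed",
            frozenset({"NERC CIP:CIP-007 R4", "PCI DSS:10.6", "NIST 800-53:AU-6", "ISO 27001:A.12.4.1"})),
)

# Constructed in-scope requirements per framework; a few deliberately have no
# consolidated control yet, so the gap report has something to find.
IN_SCOPE = {
    "NERC CIP": {"CIP-004 R5", "CIP-005 R1", "CIP-007 R2", "CIP-007 R4", "CIP-008 R1"},
    "PCI DSS": {"1.1", "3.4", "6.2", "8.1.3", "10.6"},
    "NIST 800-53": {"AC-2", "AU-6", "SC-7", "SI-2"},
    "ISO 27001": {"A.9.2.6", "A.12.4.1", "A.12.6.1", "A.13.1.1", "A.16.1.1"},
}

# Constructed results of the most recent round of control tests.
RESULTS = (
    TestResult("CC-01", False, "two servers found outside the patch window"),
    TestResult("CC-02", True, "HR leaver feed reconciled against the directory"),
    TestResult("CC-03", True, "quarterly firewall rule review signed off"),
    TestResult("CC-04", True, "log review tickets present for sampled weeks"),
)


def covered_requirements(controls) -> dict[str, set[str]]:
    """Requirements evidenced by at least one consolidated control, by framework."""
    covered: dict[str, set[str]] = defaultdict(set)
    for control in controls:
        for ref in control.satisfies:
            framework, requirement = split_ref(ref)
            covered[framework].add(requirement)
    return covered


def coverage_gaps(controls, in_scope) -> dict[str, list[str]]:
    """In-scope requirements with no mapped control; frameworks without gaps are omitted."""
    covered = covered_requirements(controls)
    gaps = {}
    for framework, requirements in in_scope.items():
        missing = sorted(requirements - covered.get(framework, set()))
        if missing:
            gaps[framework] = missing
    return gaps


def impacted_requirements(controls, results) -> dict[str, list[str]]:
    """Requirements in every framework put at risk by a control whose test failed."""
    by_id = {c.control_id: c for c in controls}
    impacted: dict[str, set[str]] = defaultdict(set)
    for result in results:
        if not result.passed:
            for ref in by_id[result.control_id].satisfies:
                framework, requirement = split_ref(ref)
                impacted[framework].add(requirement)
    return {fw: sorted(reqs) for fw, reqs in impacted.items()}


def reuse_factor(controls) -> dict[str, int]:
    """Frameworks served per control: the payoff of testing one control, not four."""
    return {c.control_id: len({split_ref(r)[0] for r in c.satisfies}) for c in controls}
```

A single failed patch-management test surfaces at once as a finding against NERC CIP, PCI DSS, NIST 800-53 and ISO 27001, and the gap report shows which in-scope requirements still lack any consolidated control.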
CONSISTENT RISK ANALYSIS
& MANAGEMENT
Consistent Risk Analysis & Management
• Risk Governance (RG)
– Establish and Maintain a Common Risk View
– Integrate with Enterprise Risk Management (ERM)
– Make Risk-aware Business Decisions
• Risk Evaluation (RE)
– Collect Data
– Analyze Risk
– Maintain Risk Profile
• Risk Response (RR)
– Articulate Risk
– Manage Risk
– React to Events
Resources
• Risk IT
– Risk IT Framework
– Risk IT Practitioners Guide (and toolkit)
• COSO
– COSO Enterprise Risk Management Framework
• ISO
– ISO 31000 – Risk Management – Principles
and Guidelines
SINGLE EMPOWERED IT
COMPLIANCE TEAM
Single Empowered IT Compliance Team
• More than just regulatory compliance, this team must be
able to partner with Governance and Risk to build a
corporate risk profile
– Identifying compliance-related risks and threats
– Performing compliance-based risk assessments
– Working with end users and enterprise legal and compliance
departments to identify IT-specific risks, end-user risks and
enterprise risks that IT can assist in mitigating
– Designing compliance-friendly systems and applications
– Monitoring changes in legislation, regulations, rulings and court
orders that may impact the way risks are addressed by the
enterprise and by IT security.
– Considering the regulatory compliance issues inherent in the
introduction of new technology, processes or applications
Resources
• IT Standards, Guidelines, and Tools and
Techniques for Audit and Assurance and Control
Professionals
• ITAF: A Professional Practices Framework for IT
Assurance
Objectives
Learning Objectives for this presentation:
• Discuss the function and interrelation of governance, risk
and compliance
• Utilize ISACA and other resources to create policies,
standards and controls
• Show mapping between industry regulations and policies,
standards and controls
• Demonstrate how GRC can be implemented in a company
Thank you
Scott M. Baron
Director – Digital Risk & Security Governance
National Grid
Email: Scott.Baron@nationalgrid.com
