2. Agenda
• Introductions
• Section 1: What is…
• Section 2: IT GRC Convergence Stages
• Section 3: Tools, Automation and Metrics
• Section 4: Building the Program
– Establish Governance Body for IT
– Supported Policies, Standards and Controls
– Consistent Risk Analysis and Management
– Single Empowered Compliance Team
4. Introductions
An Overview of National Grid
• National Grid is an international electricity and gas company and one of the
largest investor-owned utilities in the world. We are the largest utility in the
UK and the second-largest utility in the US, focused on delivering energy
safely, reliably and efficiently.
• In the northeastern US we have electricity transmission systems and
distribution networks that deliver electricity to 3.3 million customers.
• We own and operate generation stations with a total capacity of 6,650MW
and provide services to the 1.1 million electricity customers of the Long
Island Power Authority.
• We own gas storage facilities and provide natural gas to approximately 3.4
million customers.
5. Objectives
Mapping Cybersecurity Programs to CIP Compliance
This session will demonstrate how you can integrate the NERC
CIP standards into an effective cybersecurity program. Key
points include:
• Principles of an aligned and effective governance, risk and
compliance program
• Evaluation of a risk-based vs. rules-based security program
• Effective use of a rules-based framework to support your
cybersecurity program
6. IS Risk & Compliance Framework
(Framework diagram; only the component labels survive extraction.)
• Consolidated Controls Set
• IS Risk Profile
• Assurance
7. SECTION 1: WHAT IS…?
10. What is… IT Governance
• “… consists of the leadership and organizational structures
and processes that ensure that the organization's IT
sustains and extends the organization's strategies and
objectives”
Benefits of a well executed Governance Program
• IT investments that support business objectives
• Alignment of policy with business objectives
• Effective use of resources
• Consistency in decisions and enforcement
• Collaboration breeds support
11. What is… IT Risk
• Risk Management is the process by which an organization
sets the risk appetite, identifies potential risks and prioritizes
the tolerance for risk based on the organization’s business
objectives. Risk Management leverages internal controls to
manage and mitigate risk throughout the organization.
Benefits of a well executed Risk Program
• Clearly demonstrate the corporation's current risk profile
• Transparency allows management to make informed
business decisions
• Establishes a risk tolerance / appetite for the business
• Clear definition of roles and responsibilities related to IT
risks
• Aligns with enterprise risk management (ERM)
12. What is… IT Compliance
• Compliance is the process that records and monitors the policies, procedures and controls needed to
enable compliance with legislative or industry mandates as well as internal policies
Benefits of a well executed Compliance Program
• Provide assurance to stakeholders that policies are
enforced and standards are in place
• Develop a clear understanding of internal processes
• Efficient response to regulatory requirements
• Focused effort on identifying and resolving policy
deficiencies
• Provide validation for the risk profile
13. Section Recap
• Key takeaways:
– Governance, Risk and
Compliance programs are
interrelated
– Roles and Responsibilities for
GRC tasks must be defined
14. SECTION 2: IT GRC CONVERGENCE
STAGES
15. Stage 1: Silo Compliance
• Three separate silos, each with its own policy / standard creation and compliance enforcement:
– Access and Identity Management; Threat and Vulnerability Management;
Policy / Standard Creation; Compliance Enforcement
– Perimeter Security; Incident Response;
Policy / Standard Creation; Compliance Enforcement
– Project Methodology; Project Risk;
Policy / Standard Creation; Compliance Enforcement
22. Section Recap
• Key takeaways:
– Three stages of IT GRC
– Nearly all organizations have a
GRC program in varying stages…
but may not realize it
– Work within your own company
processes
27. Section Recap
• Key takeaways:
– No single tool will fill all GRC
requirements; it is important to
focus on interoperability
– Other useful resources available
free or nearly free on the Internet
28. SECTION 4: BUILDING THE
PROGRAM
32. Resources
• ITGI Documents
– IT Governance Domain Practices and Competencies
Series
• Information Risks: Whose Business Are They?
• Optimising Value Creation From IT Investments
• Measuring and Demonstrating the Value of IT
• Governance of Outsourcing
• IT Alignment—IT Strategy Committees
– Board Briefing on IT Governance
– Information Security Governance: Guidance for Boards
and Executive Management
– IT Governance Global Status Report
• ISACA
– Implementing and Continually Improving IT Governance
– Val IT Framework
42. Single Empowered IT Compliance
Team
• More than just regulatory compliance, this team must be
able to partner with Governance and Risk to build a
corporate risk profile
– Identifying compliance-related risks and threats
– Performing compliance-based risk assessments
– Working with end users and enterprise legal and compliance
departments to identify IT-specific risks, end-user risks and
enterprise risks that IT can assist in mitigating
– Designing compliance-friendly systems and applications
– Monitoring changes in legislation, regulations, rulings and court
orders that may impact the way risks are addressed by the
enterprise and by IT security.
– Considering the regulatory compliance issues inherent in the
introduction of new technology, processes or applications
43. Resources
• IT Standards, Guidelines, and Tools and
Techniques for Audit and Assurance and Control
Professionals
• ITAF: A Professional Practices Framework for IT
Assurance
44. Objectives
Learning Objectives for this presentation:
• Discuss the function and interrelation of governance, risk
and compliance
• Utilize ISACA and other resources to create policies,
standards and controls
• Show mapping between industry regulations and policies,
standards and controls
• Demonstrate how GRC can be implemented in a company
45. Thank you
Scott M. Baron
Director – Digital Risk & Security Governance
National Grid
Email: Scott.Baron@nationalgrid.com