
Abidance CIP Presentation

  1. Abidance Consulting Compliance Presentation: NERC Compliance Program (CIP Compliance)
  2. Executive Summary
     - The Abidance Consulting CIP Compliance Program coordinates and manages the monitoring of enterprise-wide compliance with NERC and other regional reliability standards for the electric utility industry. As such, the program acts as a centralized coordinator between the various organizations within a NERC registered entity.
     - The Abidance Consulting Compliance Program will create, maintain, and monitor easy-to-use and repeatable task assignments, communications, and reporting processes. The program leverages our internal energy trading and risk management, internal audit, IT security, and project management experience.
     - The end result of the program is a more efficient and sustainable compliance effort, reduced costs (internal and external), and collapsed timelines for compliance.
     - The Abidance Consulting program uses an integrated project approach for NERC Compliance (CIP, IT Security, Business Continuity Planning):
       - Program Management Office
       - CIP Compliance
       - Integrated Security
       - Business Continuity Planning
     ©Copyright 2008-2009 Abidance Consulting All Rights Reserved.
  3. Abidance Consulting – NERC CIP Program: CIP Program - Framework
     [Framework diagram. Labels: Program Management Office; Design, Monitoring, Assessment, Audit (feedback for continuous improvement); FERC Order; State, Federal, Local; Prioritize Protective Effectiveness Metrics; NERC CIP Compliance, Integrated Security, Business Continuity Planning.]
  4. Abidance Consulting - NERC CIP Program: CIP Program - Process
     [Process cycle: Design, Monitoring, Assessment, Audit, with audit feedback for continuous improvement.]
     - Identify
       - Develop List
       - Gap Analysis
       - Decision tree
       - Industry research
     - Define
       - Audit Items
       - Risk Assessment
       - Critical Assets
     - Educate
       - Communication
       - Requirements
       - Detail Designs
       - Cost Estimates
     - Plan
       - Information Classification
       - Guidelines
       - Interdependence
     - Implement
       - Policy
       - Procedures
       - Training
       - Documentation
  5. Program Management - Summary
     - Abidance Consulting NERC CIP Management Approach: Understand Compliance Requirements, Execute Compliance, Monitor Compliance, Report & Communicate Results
     - Identify all requirements and reporting obligations
     - Identify gaps & risks
     - Develop plans to close gaps and risks
     - Identify measurable metrics
     - Identify emerging requirements
     - Assign internal owner
     - Evaluate potential impacts of emerging requirements on the NERC CIP Program
     - Develop and implement plans to influence emerging requirements
     - Coordinate internal representation with external resources & regulatory agencies
     - Establish mechanisms to monitor performance & schedule
     - Develop mechanism to self-report violations (as required)
     - Incorporate compliance into goals & performance reviews
     - Conduct periodic assessments of risks & improvement opportunities
     - Set tone at the top
     - Define specific roles & responsibilities
     - Establish written procedures & guidelines
     - Execute plans to meet requirements, close gaps, & risks
     - Identify training needs and develop programs to meet those needs
     - Document Compliance:
       - Compliance procedures
       - Quality assurance process
       - Compliance calendar
       - Performance management system
       - Training programs
       - Issue management plans
       - Department management
  6. Program Management - Goals & Responsibilities
     - Develop a compliance program focused on continuous performance improvement.
     - Meet all compliance requirements through well-documented, auditable processes.
     - Ensure proper documentation and communication of information needed for compliance.
     - Executive Level
       - Oversee Compliance Program.
       - Sign off on compliance.
     - Oversight Level
       - Oversee the process to ensure compliance with the standards.
       - Prioritize remediation efforts and resolve escalated issues.
       - Sign off on compliance.
     - Program Managers
       - Work with Sponsors and Owners to prepare a detailed compliance plan.
       - Create controls to manage scope, costs, schedule, risk and resources.
       - Monitor and report performance of the plan to the Oversight Committee.
     - Sponsor
       - Director Level.
       - Oversees the work of the compliance owner.
     - Owner
       - Assess the impact of the cyber security standard.
       - Identify compliance gaps.
       - Develop plans to close the gaps (training, hardware, software, or procedures).
       - Identify testing needs, execution, and documentation of the test results.
       - Identify actions required to fully comply with the standard.
  7. NERC 693 Project – Scope of Work
     - Documentation
       - Create CIP Compliance Program
       - Establish written procedures for documenting and tracking reliability requirements
       - Compliance schedule matrix
       - Compliance procedure requirements
       - New compliance requirements
       - Gap analysis
       - Self-Certification, Self-Reporting & Investigation
     - Educating and training departments on regulatory requirements
     - Compliance Schedule and Survey Preparation
       - Completion of surveys
       - Compliance schedule matrix
       - Quality assurance
     - Create Repeatable and Sustainable Process
       - Evidence collection
       - Audit test plans
     - Coordinating efforts with corporate and other departments
     - Developing and executing a compliance implementation plan
     - Leverage existing IT SOX Audit efforts
       - Centralized document repository
       - Documentation of current policies and procedures
     - Identifying opportunities for improvement
     - Corrective action plan recommendation
  8. Summary - Compliance Success
     - The Abidance Consulting CIP Program will deliver to the NERC Compliance Team:
       - A strong corporate commitment to a NERC CIP Compliance Program.
       - An aggressive but achievable timeline and tracking.
       - Development of a strong governance model with decision-making approvals.
       - Detailed assessments and gap analysis.
       - Management sign-off at each step / milestone.
       - Development of action plans aligned with CIP requirements.
       - Starting the compliance process early and with the right approach.
       - A process to leverage SOX compliance, both from a project standpoint and corporate oversight.
       - A process for cross-functional teams to create compliance 'buy-in'.
       - A program management office to prioritize and set achievable goals and objectives for management with measurable metrics.
       - The creation of standardized, sustainable, and repeatable processes.
  9. NERC CIP Security Standards
     - The intent of the proposed Cyber Security Standards is to ensure that all entities responsible for the reliability of the Bulk Electric System in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric System.
     - This implementation plan is based on the following assumptions:
       - Standard CIP-002 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment.
       - Cyber Security Standards: CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-007-1, CIP-008-1, CIP-009-1
       - Cyber Security Standards CIP-002-1 through CIP-009-1 became effective June 1, 2006.
  10. NERC Implementation Timeline - CIP
      Milestones: Begin Work (BW), Substantially Compliant (SC), Compliant (C), and Auditably Compliant (AC)

      Requirement                                          Dec 31, 2007   Dec 31, 2008   Dec 31, 2009   Dec 31, 2010
      CIP-002-1 Critical Cyber Assets                      BW             SC             C              AC
      CIP-003-1 Security Management Controls               BW             SC             C              AC
      CIP-004-1 Personnel & Training                       BW             SC             C              AC
      CIP-005-1 Electronic Security                        BW             SC             C              AC
      CIP-006-1 Physical Security                          BW             SC             C              AC
      CIP-007-1 Systems Security Management                BW             SC             C              AC
      CIP-008-1 Incident Reporting and Response Planning   BW             SC             C              AC
      CIP-009-1 Recovery Plans                             BW             SC             C              AC
  11. NERC CIP Standards Overview: Eight Standards / 41 Requirements
      - CIP-002 Critical Cyber Assets
        - Critical Assets
        - Critical Cyber Assets
        - Annual Review
        - Annual Approval
      - CIP-003 Security Management Controls
        - Cyber Security Policy
        - Senior Leadership
        - Exceptions
        - Information Protection
        - Access Control
        - Change Control
      - CIP-004 Personnel & Training
        - Awareness
        - Training
        - Personnel Risk Assessment
        - Access
      - CIP-005 Electronic Security
        - Electronic Security Perimeter
        - Electronic Access Controls
        - Monitoring Electronic Access
        - Cyber Vulnerability Assessment
        - Documentation
      - CIP-006 Physical Security
        - Plan
        - Physical Access Controls
        - Monitoring Physical Access
        - Logging Physical Access
        - Access Log Retention
        - Maintenance & Testing
      - CIP-007 Systems Security Management
        - Test Procedures
        - Ports & Services
        - Security Patch Management
        - Malicious Software Prevention
        - Account Management
        - Security Status Monitoring
        - Disposal or Redeployment
        - Cyber Assessment
        - Documentation
      - CIP-008 Incident Reporting & Response Planning
        - Cyber Security Incident Response Plan
        - Documentation
      - CIP-009 Recovery Plans
        - Recovery Plans
        - Exercises
        - Change Control
        - Backup & Restore
        - Testing Backup Strategies
  12. Abidance Consulting - Process for CIP Compliance
      - Phase 0: Define the Scope
        - Draft reporting structure
        - Self assessment (current state)
        - Management sponsorship
      - Phase 1: Initiate Project
        - Identify cross-functional teams
        - Educate teams
        - Determine roles & responsibilities
        - Review existing documentation & procedures
        - Establish project framework & reporting structure
      - Phase 2: Risk Impact Assessment
        - Inventory critical physical assets
        - Determine Critical Cyber Assets
        - Create risk-based methodology for identification
        - Inventory IT infrastructure
      - Phase 3: Vulnerability Analysis
        - Vulnerability assessment
        - IT security assessment
        - Physical plant inspections
        - Supply chain impact
        - Identify critical inter-dependencies
        - Gap analysis
      - Phase 4: Remediation Plan
        - Create security policy (physical & cyber)
        - Plan physical & cyber monitoring
        - Develop test procedures
        - Develop incident response team & documentation
        - Develop recovery plan
      - Phase 5: Execute Plan
        - Implement policy
        - Employee training & awareness
        - Test & validate plans
  13. Abidance Consulting - High Level Overview / To-Do's Per CIP
      - CIP-002: Entire scope of work yet to be determined until Risk Based Assessment is performed
        - Critical Assets as defined by NERC
        - Critical Assets as defined by Internal Audit risk-based assessments
        - Critical Cyber Assets located at identified Critical Physical Assets
        - Who is going to perform / lead the risk assessment? The Compliance and Operations group is best situated due to expertise in this area.
      - CIP-003: Creation of Cyber Security Policy
        - Create Access Control policy
        - Create Change Control policy
        - Create a plan for business continuity and disaster recovery
      - CIP-004 – Personnel and Training
        - Creation of corporate NERC training program
        - Identify resources to perform the plant training
      - CIP-005 – Electronic Security Perimeters
        - Ensure that an electronic security perimeter has been created and that all critical cyber assets reside within it
        - Creation of procedures to document standards of access and how to monitor the electronic security perimeter
        - Creation of a cyber vulnerability assessment of the electronic access points
      - CIP-006 – Physical Security of Critical Cyber Assets (operational data center)
        - Create and maintain a physical security plan for operations
      - CIP-007 – System Security Management
        - Perform security assessment on plant operations network
        - Convert existing corporate Patch Management policy to NERC policy
      - CIP-008 – Incident Reporting and Response Planning
        - Create Cyber Security Incident and Response policy
      - CIP-009 – Recovery plans for Critical Cyber Assets
        - Create Backup, Restore and Recovery policy
  14. Abidance Consulting - Functional Framework for CIP
      [Matrix diagram: each functional area below is assigned to one or more of the teams Corporate IS, IT Compliance, Commercial Operations, and Government & Regulatory Affairs.]
      - Access Control
      - Document Control
      - Information Classification & Handling
      - Testing & QA
      - Asset Inventory
      - Incident Response
      - Systems Management
      - Recovery Operations
      - Network Management
      - Vulnerability Assessment
      - Training
      - Physical Security
      - Governance
      - Risk Management
      - Change Control
  15. Abidance Consulting - Functional Responsibility by Team
      [Matrix diagram: CIP Compliance Framework functions assigned across the teams Corporate IS, PMO, IT Compliance, Commercial Operations, and Regulatory / Legal; some functions are shared by more than one team.]
      - Asset Inventory
      - Risk Management
      - Systems Management
      - Recovery Operations
      - Training
      - Access and Change Control
      - Incident Response
      - Network Management
      - Vulnerability Assessment
      - Physical Security
      - Information Classification & Handling
      - Governance
      - Document Control
      - Testing & QA
      - Access Control
      - Change Control
      - Budget Tracking
      - Budget Estimating
      - Risk & Issue Management
