This document summarizes a presentation about mapping cybersecurity programs to CIP compliance. The presentation discusses:
1) The stages organizations go through to converge IT governance, risk management, and compliance programs from separate silos to an integrated approach.
2) How to establish governance bodies, policies, standards, controls, and consistent risk analysis and management processes to build an integrated program.
3) The role of automation, tools, and metrics and how a single empowered compliance team can partner with governance and risk.
While C2M2 is not the love child of C3PO and R2D2 (sorry), the Cybersecurity Capability Maturity Model (C2M2) program under the U.S. Department of Energy's (DOE) Office of Electricity Delivery and Energy Reliability (OE) is helping to enhance the security and resilience of the United States’ critical infrastructure.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
With all of the acronyms and numbers, it is challenging to determine what is what in the world of cyber security and compliance.
In the government space, the National Institute of Standards (NIST) has been the key body for identifying and determining standards related to protecting critical infrastructure and government data.
Participants will walk away more conversant in the alphabet soup of NIST requirements and how they apply to these various programs.
This presentation:
• Provides a deep dive into the similarities and differences between standards such as NIST 800-53 and 800-171 and frameworks such as the Cybersecurity Framework
• Explains how these standards and frameworks apply to FedRAMP, CJIS, and very specific programs covering data such as the Death Master File (DMF)
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
The International Association of Risk and Compliance Professionals (IARCP) today announced a major revision of the Certified Information Systems Risk and Compliance Professional (CISRCP) certification program.
Oil and Gas iQ’s Cyber Security for Oil and Gas event will bring together relevant stakeholders to discuss the most pressing cyber security issues facing the oil and gas sector. Presentations will examine threat trends, identify immediate and long-term needs, and reveal up-and-coming technologies for use in evolving threat environments. Security managers, IT strategy implementers, and industry partners will gather in Houston, TX to network, share best practices and explore potential paths to mitigate the threat of energy-focused attacks from cyber adversaries. For more information visit http://bit.ly/1cwasCO
At the EDIST 2017 the OEB outlined the upcoming Cyber Security Framework for all LDCs in Ontario. The official announcement is to be published sometime early March this year.
Cyber Security IT GRC Management Model and Methodology (360factors)
A discussion and presentation on cyber security trends in oil and gas, the benefits of an IT GRC Management System, and IT GRC Management Model and Methodology.
The CSA STAR Programs will provide your organization an additional assessment to showcase your overall compliance program.
Cloud security providers operate in an ever-changing world. Traditionally the CCM was pointed to as authoritative guidance. Now organizations have the opportunity to undergo third-party assessments, through the STAR Programs, to validate their maturity level or control activities.
This slideshow will cover:
• A background and overview of the programs.
• A deep-dive of the CSA Attestation/Certification methodology and testing.
• A side by side comparison.
• The benefits and challenges.
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know (PECB)
New data protection regulations have significantly impacted the way that businesses collect, store, and handle clients’ personal information.
Considering the continuously increasing importance of data protection and privacy in today’s world, businesses should be up to speed with their data privacy policies and procedures.
The webinar covers:
1. ISO/IEC 27001 – Information Security Framework; key requirements under CCPA, CPRA, GDPR
• ISO/IEC 27005 – Information Security Risk Management
• ISO/IEC 27035 – Information Security Incident Management
• ISO/IEC 22301 & 27031 – Business Continuity Management (BCM)
2. Alternative Frameworks
• CMMC – Cybersecurity Maturity Model Certification
• NIST CSF Cybersecurity Framework
• ISO/IEC 27032 – Guidelines for Cybersecurity
3. Supplier Management
Date: April 21, 2021
Recorded Webinar: https://youtu.be/bi3tvvhGV1s
Cloud security providers operate in an ever-changing world. Traditionally the CCM was pointed to as authoritative guidance.
Now organizations have the opportunity to undergo third-party assessments, through the STAR Programs, to validate their maturity level or control activities.
This deck will provide:
• A background and overview of the programs
• The CSA Attestation/Certification methodology and testing
• A side by side comparison
• The benefits and challenges
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri... (Cohesive Networks)
By COO & CFO Dwight Koop - Data breaches and cybersecurity costs have brought attention to the dire need for comprehensive, preventative IT security guidelines. Dwight Koop walks through the recent NIST Cybersecurity Framework updates and how it can help businesses in all industry sectors.
Second Draft Special Publication (SP) 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations is available for public comment.
To learn more about this draft SP: details, along with links to the draft and the comment template, are available on the CSRC Draft Publications page.
Learn more about the importance of ISO 27001 and its role in GRC, the advantages of starting with ISO 27001, and the importance of its structure.
Main points covered:
• Definition and goals of GRC (Governance, Risk and Compliance)
• How the structure of ISO/IEC 27001 implements GRC
• Advantages of starting with ISO/IEC 27001
Presenter:
This webinar was presented by Jorge Lozano. He is a senior manager at the Cybersecurity & Privacy practice of PwC Mexico. He has over 17 years of experience in information security and holds the CISSP, CISM, CEH, and ISO27001LI certifications. He is an instructor of PECB for the ISO27001 Introduction, Foundation and Lead Implementer courses.
Link of the recorded session published on YouTube: https://youtu.be/sLfAarQ8cf0
What is expected from an organization under NCA ECC Compliance? (VISTA InfoSec)
Cybersecurity initiatives are essential today in a digitally driven business world, to protect the organization’s systems and sensitive data from accidental or deliberate breaches. The growing number of cyber crimes and their operational and financial impact on business, in terms of legal liability, reputational damage, and financial loss, has pushed regulators to put strong security measures and frameworks in place.
The urgent need to address cybersecurity threats has resulted in the adoption of industry best practices by regulators around the world. In 2018, Saudi Arabia’s National Cybersecurity Authority (NCA) issued the Essential Cybersecurity Controls (ECC), a minimum cybersecurity requirement for Saudi government organizations. The NCA encourages organizations in Saudi Arabia to adopt the ECC framework to improve their cybersecurity resilience.
For more, visit:
https://www.vistainfosec.com/service/nca-ecc-compliancce/
Yahoo Mobile Developer Conference NYC - Mobile Revolution: Seven Years On (Flurry, Inc.)
Yahoo SVP of Publishing Products Simon Khalaf's keynote presentation from the NYC Yahoo Mobile Developer Conference on Aug 26, 2015. Mobile app industry insights and trends delivered from Flurry Analytics and the 720,000 apps we track.
An introduction to Solus: learn how Solus is combating cyber crime and online security breaches with its secure, easy-to-use authentication platform. Its multifactor application uses biometric identification and scrambled pinpad technology and can be integrated with enterprise apps.
The NIST Cybersecurity Framework is a voluntary framework that supports the emerging need for robust and effective cyber security practices across an enterprise. This presentation recaps the Framework six months into implementation, along with the changes made since. It also discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices required by the framework.
We help small and medium-sized organizations solve business challenges in the Risk, Compliance and Cyber Security areas at the right price.
We are NOT a large consulting firm, but we are large in a niche area, i.e. Risk, Compliance and Cyber Security.
Contact - Richard Marti - richard@grcalert.com
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice, will be joined by Partner Michael Hoffner, and they will lead a discussion on a Cybersecurity Risk Management Program, including what it is and how it can prepare your organization for the future.
Maclear’s IT GRC Tools – Key Issues and Trends (Maclear LLC)
Maclear specializes in enterprise governance, risk and compliance (eGRC) solutions. The IT GRC Solution integrates various business functions such as IT governance, policy management, risk management, compliance management, audit management, and incident management. It enables an automated, workflow-driven approach to managing, communicating and implementing IT policies and procedures across the enterprise.
Read More at: http://www.maclear-grc.com/
2. Agenda
• Introductions
• Section 1: What is…
• Section 2: IT GRC Convergence Stages
• Section 3: Tools, Automation and Metrics
• Section 4: Building the Program
– Establish Governance Body for IT
– Supported Policies, Standards and Controls
– Consistent Risk Analysis and Management
– Single Empowered Compliance Team
4. Introductions
An Overview of National Grid
• National Grid is an international electricity and gas company and one of the largest investor-owned utilities in the world. We are the largest utility in the UK and the second-largest utility in the US, focused on delivering energy safely, reliably and efficiently.
• In the northeastern US we have electricity transmission systems and distribution networks that deliver electricity to 3.3 million customers.
• We own and operate generation stations with a total capacity of 6,650 MW and provide services to the 1.1 million electricity customers of the Long Island Power Authority.
• We own gas storage facilities and provide natural gas to approximately 3.4 million customers.
5. Objectives
Mapping Cybersecurity Programs to CIP Compliance
This session will demonstrate how you can integrate the NERC CIP standards into an effective cybersecurity program. Key points include:
• Principles of an aligned and effective governance, risk and compliance program
• Evaluation of a risk-based vs. rules-based security program
• Effective use of a rules-based framework to support your cybersecurity program
6. IS Risk & Compliance Framework
(Diagram: Consolidated Controls Set, IS Risk Profile, Assurance)
7. SECTION 1: WHAT IS…?
Mapping Cybersecurity Programs to CIP Compliance
10. What is… IT Governance
• “… consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives”
Governance
Benefits of a well-executed Governance Program
• IT investments that support business objectives
• Alignment of policy with business objectives
• Effective use of resources
• Consistency in decisions and enforcement
• Collaboration breeds support
11. What is… IT Risk
• Risk Management is the process by which an organization sets the risk appetite, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.
Risk
Benefits of a well-executed Risk Program
• Clearly demonstrates the corporation's current risk profile
• Transparency allows management to make informed business decisions
• Establishes a risk tolerance / appetite for the business
• Clear definition of roles and responsibilities related to IT risks
• Aligns with enterprise risk management (ERM)
12. What is… IT Compliance
• Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies.
Compliance
Benefits of a well-executed Compliance Program
• Provides assurance to stakeholders that policies are enforced and standards are in place
• Develops a clear understanding of internal processes
• Efficient response to regulatory requirements
• Focused effort on identifying and resolving policy deficiencies
• Provides validation for the risk profile
13. Section Recap
• Key takeaways:
– Governance, Risk and Compliance programs are interrelated
– Roles and Responsibilities for GRC tasks must be defined
14. SECTION 2: IT GRC CONVERGENCE
STAGES
Mapping Cybersecurity Programs to CIP Compliance
15. Stage 1: Silo Compliance
(Diagram: three separate silos, each with its own policy / standard creation and compliance enforcement)
• Silo 1
– Access and Identity Management
– Threat and Vulnerability Management
– Policy / Standard Creation
– Compliance Enforcement
• Silo 2
– Perimeter Security
– Incident Response
– Policy / Standard Creation
– Compliance Enforcement
• Silo 3
– Project Methodology
– Project Risk
– Policy / Standard Creation
– Compliance Enforcement
22. Section Recap
• Key takeaways:
– Three stages of IT GRC
– Nearly all organizations have a GRC program in varying stages… but may not realize it
– Work within your own company processes
27. Section Recap
• Key takeaways:
– No single tool will fill all GRC requirements; it is important to focus on interoperability
– Other useful resources are available free or nearly free on the Internet
28. SECTION 4: BUILDING THE
PROGRAM
Mapping Cybersecurity Programs to CIP Compliance
32. Resources
• ITGI Documents
– IT Governance Domain Practices and Competencies
Series
• Information Risks: Whose Business Are They?
• Optimising Value Creation From IT Investments
• Measuring and Demonstrating the Value of IT
• Governance of Outsourcing
• IT Alignment—IT Strategy Committees
– Board Briefing on IT Governance
– Information Security Governance: Guidance for Boards
and Executive Management
– IT Governance Global Status Report
• ISACA
– Implementing and Continually Improving IT Governance
– Val IT Framework
42. Single Empowered IT Compliance
Team
• More than just regulatory compliance, this team must be able to partner with Governance and Risk to build a corporate risk profile:
– Identifying compliance-related risks and threats
– Performing compliance-based risk assessments
– Working with end users and enterprise legal and compliance departments to identify IT-specific risks, end-user risks and enterprise risks that IT can assist in mitigating
– Designing compliance-friendly systems and applications
– Monitoring changes in legislation, regulations, rulings and court orders that may impact the way risks are addressed by the enterprise and by IT security
– Considering the regulatory compliance issues inherent in the introduction of new technology, processes or applications
43. Resources
• IT Standards, Guidelines, and Tools and
Techniques for Audit and Assurance and Control
Professionals
• ITAF: A Professional Practices Framework for IT
Assurance
44. Objectives
Learning Objectives for this presentation:
• Discuss the function and interrelation of governance, risk
and compliance
• Utilize ISACA and other resources to create policies,
standards and controls
• Show mapping between industry regulations and policies,
standards and controls
• Demonstrate how GRC can be implemented in a company
45. Thank you
Scott M. Baron
Director – Digital Risk & Security Governance
National Grid
Email: Scott.Baron@nationalgrid.com