
Keshav Sarin Manager, Compliance Risk Analysis


1 Keshav Sarin Manager, Compliance Risk Analysis
Update on WECC’s Internal Controls Evaluation
June 3, 2014
Salt Lake City, UT

2 Agenda
- Overview of the Risk-Based Strategy
- Overview of WECC’s Internal Controls Evaluation Process
- Update on WECC’s Internal Controls Pilots
- Update on Inter-regional Activities

3 Compliance Risk Analysis – Roles and Responsibilities
- Technical Analysis
  - Self Reports/Self Certifications
  - Mitigation Plans/Extensions
  - Completion of Mitigation Plans
- Risk Analysis (new)
  - Identify risks to reliability and compliance
  - Controls that address these risks
  - Make recommendations to strengthen controls

4 What could the risk-based compliance strategy look like?
- Identify areas of interest
  - Electrical
  - Cyber Security
  - Compliance
  - Other Areas
- Entity Risk Assessment
  - Electrical Footprint
  - Compliance History
  - Other Factors
- Internal Controls Evaluation
  - Controls that prevent non-compliance
  - Controls that detect non-compliance
- Customize Compliance Oversight
  - Compliance Monitoring Strategy
  - Compliance Enforcement Strategy

5 Internal Controls Evaluation Process
- Determine Scope
  - Determine areas that might cause risk to compliance and reliability
  - Create a list of questions related to preventative, detective, and corrective controls related to the standards in scope
- Issue Survey to Entity
  - Spreadsheet-based format
  - Entity describes design and implementation of the controls related to the standards in scope
- On-site Visit
  - WECC reviews entity response
  - Determine a list of controls that need further discussion
  - Meeting with entity’s senior leadership and Subject Matter Experts
- Complete Evaluation
  - Determine entity best practices
  - Highlight areas of improvement
  - Determine list of standards where entity has stronger controls
  - Share results with entity
  - Determine compliance oversight strategy

6 Internal Controls Evaluation – Sample Questions
- Are the controls a result of a careful approach?
- What is the likelihood the control will reduce the likelihood of non-compliance?
- What is the likelihood the control will timely detect non-compliance?
- How well is the control implemented?

7 Example of Controls for Managing Ports and Services
(CIP R2)
- List of software installed on the cyber assets is established
- Verify only ports and services with a valid business need are running
- Apply host-based firewalls with a default-deny rule
- Perform automated port scans on a regular basis and alert on any variances
- Compare results of port scans with a verified baseline
- Keep all services up to date and remove any unnecessary components from the system
- Operate critical services on separate host machines
- Place application firewalls to validate the traffic and alert on any unauthorized traffic
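The two detective controls above (scheduled port scans, compared against a verified baseline, with alerts on variances) are the kind of thing an entity would be asked to evidence. As an added example that is not part of the presentation, the script below parses a small constructed scan result written in nmap's greppable (-oG) line style, compares it with a constructed baseline of ports that have a documented business need, and reports three variance kinds: an open port with no baseline entry, a baseline port that is no longer reported open (a service or firewall change worth investigating), and a baseline host that the scan did not cover. Hostnames, addresses, ports and justifications are all illustrative.

```python
"""Detective control: compare an automated port-scan result against a
verified baseline and report variances (added example, not from WECC)."""
import re
from dataclasses import dataclass

# Constructed baseline: per host, the (proto, port) pairs with a documented
# business need. Names and ports are illustrative, not from the slides.
BASELINE = {
    "ems-hmi-01": {
        ("tcp", 22): "remote administration (SSH)",
        ("tcp", 443): "operator web console",
    },
    "scada-hist-01": {
        ("tcp", 1433): "historian database",
        ("tcp", 3389): "vendor support RDP",
    },
}

# Constructed scan output in nmap -oG ("greppable") line style.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample, not a real capture)
Host: 10.0.0.11 (ems-hmi-01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.12 (scada-hist-01)\tPorts: 1433/open/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///
# Nmap done
"""


@dataclass(frozen=True)
class Variance:
    host: str
    proto: str
    port: int
    kind: str  # "unexpected_open", "expected_not_open" or "host_not_scanned"
    detail: str


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_greppable(text):
    """Parse -oG style 'Host:' lines into {host: {(proto, port): (state, service)}}.

    Each port entry is port/state/proto/owner/service/rpc/version/; comment
    and status-only lines are skipped.
    """
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports_field = m.groups()
        host = name or ip
        entries = {}
        for item in ports_field.split("\t")[0].split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            entries[(proto, port)] = (state, service)
        results[host] = entries
    return results


def compare_to_baseline(scan, baseline):
    """Return the list of variances between a parsed scan and the baseline."""
    variances = []
    for host, expected in baseline.items():
        if host not in scan:
            variances.append(Variance(host, "-", 0, "host_not_scanned",
                                      "baseline host absent from scan result"))
            continue
        observed = scan[host]
        open_ports = {k for k, (state, _) in observed.items() if state == "open"}
        # Open ports nobody has justified: candidate for removal or for a
        # new baseline entry after review.
        for key in sorted(open_ports - set(expected)):
            service = observed[key][1]
            variances.append(Variance(host, key[0], key[1], "unexpected_open",
                                      f"service '{service}' has no documented business need"))
        # Justified ports that are no longer open: service down or firewall change.
        for key in sorted(set(expected) - open_ports):
            state = observed.get(key, ("not reported", ""))[0]
            variances.append(Variance(host, key[0], key[1], "expected_not_open",
                                      f"baseline '{expected[key]}' reported as {state}"))
    # Hosts that answered the scan but have no baseline at all.
    for host in sorted(set(scan) - set(baseline)):
        for key, (state, service) in sorted(scan[host].items()):
            if state == "open":
                variances.append(Variance(host, key[0], key[1], "unexpected_open",
                                          f"host not in baseline; service '{service}'"))
    return variances


def format_report(variances):
    """One alert line per variance, suitable for a ticket or log entry."""
    return [f"{v.kind:18} {v.host} {v.proto}/{v.port}: {v.detail}" for v in variances]


if __name__ == "__main__":
    for line in format_report(compare_to_baseline(parse_greppable(SCAN_OUTPUT), BASELINE)):
        print(line)
```

Run stand-alone it flags tcp/8080 on ems-hmi-01 as open without a business need and tcp/3389 on scada-hist-01 as a baseline port now reported filtered. The baseline itself is the "verified baseline" the slide refers to, so changes to it should go through the same review and evidence trail as the scans.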

8 Example of Controls for Communications and Coordination (COM-002-2 R2)
- 3-part communication process is clearly established
- Operators trained regularly on 3-part communication
- Operators use 3-part communication for all information exchange and not just directives
- Operator consoles have a visual reminder to use 3-part communication
- All directives recorded on tapes
- Shift supervisor regularly listens to the tapes to verify 3-part communication
- Feedback to operators on improving 3-part communication

9 Application of Internal Controls Results
Application of Internal Controls Evaluation
- The scope, frequency, and depth of audits may be altered
- Self Certification requirements may be reduced or focused
- Mitigation Plan requirements may be reduced or focused
- Violation processing may be streamlined
- Could be considered during settlement
- Other?

10 Internal Controls Evaluation Pilots
- Completed second pilot evaluation last month
- Provided best practices and recommendations to entity
- Entity provided helpful and positive feedback to WECC
- WECC audit team used the results of the controls evaluation to exclude certain requirements from audit scope
- Entity selected for Compliance Exception Pilot

11 Internal Controls Next Pilot
- Internal controls evaluation in progress
- Identified risk areas related to CIP standards
- Issued a controls questionnaire to entity
- Reviewing entity’s response
- Will draft recommendations and data requests to substantiate the findings
- Received suggestions from the entity to improve the process

12 Internal Control Evaluation – Summary
- WECC has conducted 3 evaluations to date
- WECC plans to conduct 5-6 total evaluations during 2014
- Process is evolving, but also built flexibly to adapt to the final NERC/Regional RAI process

13 Update on Inter-regional Activities
- Shared pilot results and process ideas with all Regions and NERC throughout 2013 and 2014
- Participated in inter-regional project teams to draft a single RAI approach
- Next Steps
  - Finalize risk, scoping, and control evaluation processes
  - Train and deploy the new processes in 2015

14 Next steps for registered entities?
- What controls do you have to ensure reliability and compliance?
- Are these controls preventative and detective?
- Is there an assigned owner for the control?
- Do you have evidence to show controls are implemented?
  - Flowcharts
  - Narrative
  - Control Matrix

15 Sample Control Matrix (columns: Standard, Control Description, Type, Owner, Evidence)

Standard: PRC-005-1b R2, PRC R1
Control Description: XYZ Generation Station utilizes the functionality of the PDQ Database, which contains all Protection System devices and tracks, records and stores all Protection System device maintenance and testing records, in addition to all maintenance and testing procedures for all devices. XYZ utilizes all microprocessor-based relays, and the maximum interval identified for maintenance and testing is once every 8 years; this includes DC control circuitry, CTs and PTs. PDQ generates a work order on the first day of each quarter for the quarterly inspection. If battery records have not been recorded by the end of month 2 of a given quarter, a reminder is sent out weekly until PDQ has been updated.
Type: Preventative
Owner: Sr. Plant Engineer
Evidence: Protection System Device test procedures; screenshots of programmed testing intervals; PDQ screenshot of reminder notices

Standard: CIP R3
Control Description: The IT security department utilizes AAA software to track availability of all security patches for its Cyber Assets within ESP(s). The software checks vendor websites each week and automatically sends patch availability notifications to a group of individuals and their supervisor. The software also has a built-in list of tasks that need to be completed when a patch is made available; these tasks serve as a checklist that must be completed for each patch. On a monthly basis, a member of the IT security department conducts a random verification of all patches that were available during that month and verifies that patch assessment was completed per the established process.
Type: Detective
Owner: IT Security Analyst
Evidence: AAA screenshot; sample notification; list of tasks on the checklist; random verification report; supervisor approval

16 Internal Control Evaluation – Summary
- This is a new and evolving process
- The goal is to implement a risk-based approach to compliance oversight
- Allows WECC to use ICE results to customize compliance monitoring and enforcement processes
- Provides entities an assessment of strengths and weaknesses that could improve overall reliability

17 Questions? Keshav Sarin Manager, Compliance Risk Analysis
