
Keshav Sarin Manager, Compliance Risk Analysis Update on WECC’s Internal Controls Evaluation June 3, 2014 Salt Lake City, UT.


Slide 1: Keshav Sarin, Manager, Compliance Risk Analysis. Update on WECC's Internal Controls Evaluation. June 3, 2014, Salt Lake City, UT

Slide 2: Agenda
- Overview of the Risk-Based Strategy
- Overview of WECC's Internal Controls Evaluation Process
- Update on WECC's Internal Controls Pilots
- Update on Inter-regional Activities

Slide 3: Compliance Risk Analysis – Roles and Responsibilities
- Technical Analysis
  o Self Reports/Self Certifications
  o Mitigation Plans/Extensions
  o Completion of Mitigation Plans
- Risk Analysis (new)
  o Identify risks to reliability and compliance
  o Controls that address these risks
  o Make recommendations to strengthen controls

Slide 4: What could the risk-based compliance strategy look like?
- Identify areas of interest: Electrical; Cyber Security; Compliance; Other Areas
- Entity Risk Assessment: Electrical Footprint; Compliance History; Other Factors
- Internal Controls Evaluation: Controls that prevent non-compliance; Controls that detect non-compliance
- Customize Compliance Oversight: Compliance Monitoring Strategy; Compliance Enforcement Strategy

Slide 5: Internal Controls Evaluation Process
- Determine Scope
  o Determine areas that might cause risk to compliance and reliability
  o Create a list of questions related to preventative, detective, and corrective controls for the standards in scope
- Issue Survey to Entity
  o Spreadsheet-based format
  o Entity describes the design and implementation of the controls related to the standards in scope
- On-site Visit
  o WECC reviews the entity's response
  o Determine a list of controls that need further discussion
  o Meeting with the entity's senior leadership and Subject Matter Experts
- Complete Evaluation
  o Determine entity best practices
  o Highlight areas of improvement
  o Determine the list of standards where the entity has stronger controls
  o Share results with the entity
  o Determine compliance oversight strategy

Slide 6: Internal Controls Evaluation – Sample Questions
- Are the controls a result of a careful approach?
- What is the likelihood the control will reduce the likelihood of non-compliance?
- What is the likelihood the control will detect non-compliance in a timely manner?
- How well is the control implemented?

Slide 7: Example of Controls for Managing Ports and Services (CIP R2)
- List of software installed on the cyber assets is established
- Verify that only ports and services with a valid business need are running
- Apply host-based firewalls with a default-deny rule
- Perform automated port scans on a regular basis and alert on any variances
- Compare results of port scans with a verified baseline
- Keep all services up to date and remove any unnecessary components from the system
- Operate critical services on separate host machines
- Place application firewalls to validate the traffic and alert on any unauthorized traffic
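The detective control on this slide (scan regularly, compare against a verified baseline, alert on variances) is easy to describe and easy to get half-right: most scripts only look for newly opened ports and miss an expected service that has disappeared. The following is an added example, not from the WECC presentation or any WECC tool. It assumes a constructed, simplified scan listing ("host port/proto service", one line per open port) rather than the output of any particular scanner, and a constructed baseline of ports with a documented business need; both host names and ports are made up for illustration. It reports both directions of variance.

```python
"""Compare a port-scan result against a verified baseline and report variances.

Added example (not from the WECC presentation). Input is a constructed,
simplified scan listing, one line per open port: "host port/proto service".
"""
from dataclasses import dataclass

# Constructed baseline: the only ports with a documented business need, per host.
BASELINE = {
    "ems-hmi-01": {("22", "tcp"), ("443", "tcp")},
    "ems-hist-01": {("22", "tcp"), ("1433", "tcp")},
}

# Constructed scan output in the simplified format described above.
SCAN_OUTPUT = """\
ems-hmi-01 22/tcp ssh
ems-hmi-01 443/tcp https
ems-hmi-01 3389/tcp ms-wbt-server
ems-hist-01 22/tcp ssh
ems-hist-01 161/udp snmp
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    proto: str
    kind: str          # "unexpected_open" (new exposure) or "expected_missing" (service gone)
    service: str = ""  # service name as reported by the scan, if any


def parse_scan(text):
    """Return {host: {(port, proto): service}} from the simplified scan listing."""
    observed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, portproto, *rest = line.split()
        port, proto = portproto.split("/", 1)
        observed.setdefault(host, {})[(port, proto)] = rest[0] if rest else ""
    return observed


def compare_to_baseline(observed, baseline):
    """Flag ports open but not in the baseline, and baseline ports not seen open.

    Hosts present in only one of the two inputs are still compared: a scanned
    host with no baseline entry has every open port flagged, and a baseline
    host that did not answer has every expected port reported as missing.
    """
    findings = []
    for host in sorted(set(observed) | set(baseline)):
        seen = observed.get(host, {})
        expected = baseline.get(host, set())
        for port, proto in sorted(set(seen) - expected):
            findings.append(Finding(host, port, proto, "unexpected_open", seen[(port, proto)]))
        for port, proto in sorted(expected - set(seen)):
            findings.append(Finding(host, port, proto, "expected_missing"))
    return findings


def scan_variances(text=SCAN_OUTPUT, baseline=BASELINE):
    """Convenience wrapper: parse the listing and compare it to the baseline."""
    return compare_to_baseline(parse_scan(text), baseline)


if __name__ == "__main__":
    for f in scan_variances():
        print(f"{f.kind:16} {f.host} {f.port}/{f.proto} {f.service}")
```

On the constructed input this reports three variances: SNMP open on the historian without a baseline entry, the historian's expected database port not listening, and a remote-desktop port open on the HMI. In practice the baseline itself is the evidence the evaluation asks for, so it should be version-controlled and reviewed whenever a business need changes, and the variance report should be what triggers the alert, not the raw scan.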

Slide 8: Example of Controls for Communications and Coordination (COM R2)
- A three-part communication process is clearly established
- Operators are trained regularly on three-part communication
- Operators use three-part communication for all information exchange, not just directives
- Operator consoles have a visual reminder to use three-part communication
- All directives are recorded on tapes
- The shift supervisor regularly listens to the tapes to verify three-part communication
- Feedback is given to operators on improving three-part communication

Slide 9: Application of Internal Controls Evaluation Results
- The scope, frequency, and depth of audits may be altered
- Self Certification requirements may be reduced or focused
- Mitigation Plan requirements may be reduced or focused
- Violation processing may be streamlined
- Could be considered during settlement
- Other?

Slide 10: Internal Controls Evaluation Pilots
- Completed the second pilot evaluation last month
- Provided best practices and recommendations to the entity
- The entity provided helpful and positive feedback to WECC
- The WECC audit team used the results of the controls evaluation to exclude certain requirements from the audit scope
- The entity was selected for the Compliance Exception Pilot

Slide 11: Internal Controls – Next Pilot
- Internal controls evaluation in progress
  o Identified risk areas related to CIP standards
  o Issued a controls questionnaire to the entity
  o Reviewing the entity's response
- Will draft recommendations and data requests to substantiate the findings
- Received suggestions from the entity to improve the process

Slide 12: Internal Control Evaluation – Summary
- WECC has conducted 3 evaluations to date
- WECC plans to conduct 5-6 total evaluations during 2014
- The process is evolving, but is also built flexibly to adapt to the final NERC/Regional RAI process

Slide 13: Update on Inter-regional Activities
- Shared pilot results and process ideas with all Regions and NERC throughout 2013 and 2014
- Participated in inter-regional project teams to draft a single RAI approach
- Next Steps
  o Finalize risk, scoping, and control evaluation processes
  o Train and deploy the new processes in 2015

Slide 14: Next steps for registered entities?
- What controls do you have to ensure reliability and compliance?
- Are these controls preventative and detective?
- Is there an assigned owner for the control?
- Do you have evidence to show the controls are implemented?
  o Flowcharts
  o Narrative
  o Control Matrix

Slide 15: Sample Control Matrix (columns: Standard, Control Description, Type, Owner, Evidence)

Row 1
- Standard: PRC-005-1b R2, PRC R1
- Control Description: XYZ Generation Station utilizes the functionality of the PDQ Database, which contains all Protection System devices and tracks, records, and stores all protection system device maintenance and testing records, in addition to all maintenance and testing procedures for all devices. XYZ utilizes all microprocessor-based relays, and the maximum interval identified for maintenance and testing is once every 8 years; this includes DC control circuitry, CTs, and PTs. PDQ generates a work order on the first day of each quarter for the quarterly inspection. If battery records have not been recorded by the end of month 2 during a given quarter, a reminder is sent out weekly until PDQ has been updated.
- Type: Preventative
- Owner: Sr. Plant Engineer
- Evidence:
  o Protection System Device test procedures
  o Screen shots of programmed testing intervals
  o PDQ screen shot of reminder notices

Row 2
- Standard: CIP R3
- Control Description: The IT security department utilizes AAA software to track the availability of all security patches for its Cyber Assets within the ESP(s). The software checks vendor websites each week and automatically sends patch availability notifications to a group of individuals and their supervisor. The software also has a built-in list of tasks that need to be completed when a patch is made available. These tasks serve as a checklist that must be completed for each patch. On a monthly basis, a member of the IT security department conducts a random verification of all patches that were available during that month and verifies that the patch assessment was completed per the established process.
- Type: Preventative, Detective
- Owner: IT Security Analyst
- Evidence:
  o AAA screenshot
  o Sample notification
  o List of tasks on the checklist
  o Random verification report
  o Supervisor approval

Slide 16: Internal Control Evaluation – Summary
- This is a new and evolving process
- The goal is to implement a risk-based approach to compliance oversight
- Allows WECC to use ICE results to customize compliance monitoring and enforcement processes
- Provides entities an assessment of strengths and weaknesses that could improve overall reliability

Slide 17: Questions? Keshav Sarin, Manager, Compliance Risk Analysis

