Keshav Sarin Manager, Compliance Risk Analysis
Presentation transcript:

Keshav Sarin, Manager, Compliance Risk Analysis
Update on WECC’s Internal Controls Evaluation
June 3, 2014, Salt Lake City, UT

Agenda
- Overview of the Risk-Based Strategy
- Overview of WECC’s Internal Controls Evaluation Process
- Update on WECC’s Internal Controls Pilots
- Update on Inter-regional Activities

Compliance Risk Analysis – Roles and Responsibilities
- Technical Analysis
  - Self Reports/Self Certifications
  - Mitigation Plans/Extensions
  - Completion of Mitigation Plans
- Risk Analysis (New)
  - Identify risks to reliability and compliance
  - Controls that address these risks
  - Make recommendations to strengthen controls

What could the risk based compliance strategy look like?
- Identify areas of interest
  - Electrical
  - Cyber Security
  - Compliance
  - Other Areas
- Entity Risk Assessment
  - Electrical Footprint
  - Compliance History
  - Other Factors
- Internal Controls Evaluation
  - Controls that prevent non-compliance
  - Controls that detect non-compliance
- Customize Compliance Oversight
  - Compliance Monitoring Strategy
  - Compliance Enforcement Strategy

Internal Controls Evaluation Process
- Determine Scope
  - Determine areas that might cause risk to compliance and reliability
  - Create a list of questions related to preventative, detective, and corrective controls for the standards in scope
- Issue Survey to Entity
  - Spreadsheet-based format
  - Entity describes design and implementation of the controls related to the standards in scope
- On site visit
  - WECC reviews entity response
  - Determine a list of controls that need further discussion
  - Meeting with Entity’s senior leadership and Subject Matter Experts
- Complete Evaluation
  - Determine entity best practices
  - Highlight areas of improvement
  - Determine list of standards where entity has stronger controls
  - Share results with entity
  - Determine compliance oversight strategy

Internal Controls Evaluation – Sample Questions
- Are the controls a result of a careful approach?
- What is the likelihood the control will reduce the likelihood of non-compliance?
- What is the likelihood the control will timely detect non-compliance?
- How well is the control implemented?

Example of Controls for Managing Ports and Services (CIP-007-3 R2)
- List of software installed on the cyber assets established
- Verify only ports and services with a valid business need are running
- Apply host based firewalls with a default-deny rule
- Perform automated port scans on a regular basis and alert on any variances
- Compare results of port scans with a verified baseline
- Keep all services up to date and remove any unnecessary components from the system
- Operate critical services on separate host machines
- Place application firewalls to validate the traffic and alert on any unauthorized traffic
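The baseline-comparison control above (scan on a schedule, compare against a verified baseline of ports with a documented business need, alert on variances) can be implemented as a small script. This is an added example, not code from the presentation; the host names, baseline entries and scan lines are constructed sample data, and the scan line format ("host port/proto state") is an assumption standing in for whatever a real scanner exports.

```python
"""Detective control for CIP-007 ports and services: diff a port-scan result
against a verified baseline and report every variance for follow-up."""
from dataclasses import dataclass

# Verified baseline: per host, open TCP ports and their documented business need.
# Constructed sample data, not from the original presentation.
BASELINE = {
    "ems-hmi-01": {22: "ssh (remote admin)", 443: "https (HMI web)"},
    "historian-01": {22: "ssh (remote admin)", 5432: "postgresql (historian)"},
}

# Constructed scan output in an assumed "host port/proto state" line format.
SCAN_LINES = """\
ems-hmi-01 22/tcp open
ems-hmi-01 443/tcp open
ems-hmi-01 23/tcp open
historian-01 22/tcp open
historian-01 5432/tcp closed
""".splitlines()


@dataclass
class Variance:
    host: str
    port: int          # 0 when the variance concerns the whole host
    kind: str          # unexpected_open | baseline_not_open | unknown_host | host_not_scanned
    note: str = ""


def parse_scan(lines):
    """Return {host: set(open TCP ports)}; every scanned host appears even with no open ports."""
    result = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:           # skip blank or malformed lines
            continue
        host, port_proto, state = parts
        port, _, proto = port_proto.partition("/")
        result.setdefault(host, set())
        if proto == "tcp" and state == "open":
            result[host].add(int(port))
    return result


def compare_to_baseline(baseline, scan):
    """List every deviation in either direction: new listeners are the classic
    finding, but a baseline service that is no longer open also needs review."""
    variances = []
    for host, open_ports in scan.items():
        if host not in baseline:
            variances.append(Variance(host, 0, "unknown_host", "not in baseline"))
            continue
        expected = baseline[host]
        for port in sorted(open_ports - set(expected)):
            variances.append(Variance(host, port, "unexpected_open", "no documented business need"))
        for port in sorted(set(expected) - open_ports):
            variances.append(Variance(host, port, "baseline_not_open", expected[port]))
    for host in sorted(baseline.keys() - scan.keys()):
        variances.append(Variance(host, 0, "host_not_scanned", "no scan result"))
    return variances
```

The evidence for the control is the retained scan output plus the variance list and the ticket or sign-off showing each variance was reviewed.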

Example of Controls for Communications and Coordination (COM-002-2 R2)
- 3 part communication process is clearly established
- Operators trained regularly on 3 part communication
- Operators use 3 part communication for all information exchange and not just directives
- Operator consoles have a visual reminder to use 3 part communication
- All directives recorded on tapes
- Shift supervisor regularly listens to the tapes to verify 3 part communication
- Feedback to operators on improving 3 part communication

Application of Internal Controls Evaluation Results
- The scope, frequency, and depth of audits may be altered
- Self Certification requirements may be reduced or focused
- Mitigation Plan requirements may be reduced or focused
- Violation processing may be streamlined
- Could be considered during settlement
- Other?

Internal Controls Evaluation Pilots
- Completed second pilot evaluation last month
- Provided best practices and recommendations to entity
- Entity provided helpful and positive feedback to WECC
- WECC audit team used the results of the controls evaluation to exclude certain requirements from audit scope
- Entity selected for Compliance Exception Pilot

Internal Controls Next Pilot
- Internal controls evaluation in progress
- Identified risk areas related to CIP standards
- Issued a controls questionnaire to entity
- Reviewing entity’s response
- Will draft recommendations and data requests to substantiate the findings
- Received suggestions from the entity to improve the process

Internal Control Evaluation – Summary
- WECC has conducted 3 evaluations to date
- WECC plans to conduct 5-6 total evaluations during 2014
- Process is evolving, but also built flexibly to adapt to the final NERC/Regional RAI process

Update on Inter-regional Activities
- Shared pilot results and process ideas with all Regions and NERC throughout 2013 and 2014
- Participated in inter-regional project teams to draft a single RAI approach
- Next Steps
  - Finalize risk, scoping, and control evaluation processes
  - Train and deploy the new processes in 2015

Next steps for registered entities?
- What controls do you have to ensure reliability and compliance?
- Are these controls preventative and detective?
- Is there an assigned owner for the control?
- Do you have evidence to show controls are implemented?
  - Flowcharts
  - Narrative
  - Control Matrix

Sample Control Matrix (Standard / Control Description / Type / Owner / Evidence)

Standard: PRC-005-1b R2, PRC-017-0 R1
Control Description: XYZ Generation Station utilizes the functionality of PDQ Database, which contains all Protection System devices and tracks, records and stores all protection system device maintenance and testing records in addition to all maintenance and testing procedures for all devices. XYZ utilizes all microprocessor based relays and the maximum interval identified for maintenance and testing is once every 8 years; this includes DC control circuitry, CTs and PTs. PDQ generates a work order the first day of each quarter for the quarterly inspection. If battery records have not been recorded by the end of month 2 during a given quarter, a reminder is sent out weekly until PDQ has been updated.
Type: Preventative
Owner: Sr. Plant Engineer
Evidence: Protection System Device test procedures; screen shots of programmed testing intervals; PDQ screen shot of reminder notices

Standard: CIP-007-3 R3
Control Description: The IT security department utilizes AAA software to track availability of all security patches for its Cyber Assets within ESP(s). The software checks vendor websites each week and automatically sends patch availability notifications to a group of individuals and their supervisor. The software also has a built-in list of tasks that need to be completed when a patch is made available. These tasks serve as a check list that must be completed for each patch. On a monthly basis, a member of the IT security department conducts a random verification of all patches that were available during that month and verifies that patch assessment was completed per the established process.
Type: Detective
Owner: IT Security Analyst
Evidence: AAA screenshot; sample notification; list of tasks on the checklist; random verification report; supervisor approval

Internal Control Evaluation – Summary
- This is a new and evolving process
- The goal is to implement a risk-based approach to compliance oversight
- Allows WECC to use ICE results to customize compliance monitoring and enforcement processes
- Provides entities an assessment of strengths and weaknesses that could improve overall reliability

Questions?
Keshav Sarin, Manager, Compliance Risk Analysis
ksarin@wecc.biz
801 819 7648