MISO Change Management and the Journey of Maturity. Tricia Cawthon August 30, 2013

Transcription

1 MISO Change Management and the Journey of Maturity Tricia Cawthon August 30, 2013

2 tcawthon.misoenergy.org Tricia Cawthon, Sr. Manager IT Operations Support Employed by MISO for 6.75 years Several other roles Background Project Management PMO Oversight IT Sarbanes-Oxley Program Manager Quality Assurance IT Service Management Industries Manufacturing of Hot Dog Casings (Teepak, Inc.) Manufacturing of Micro Chips (Rockwell International) Student Loans (Sallie Mae) Timeshare Exchanges (RCI) Electric Grid Reliability and Market Operations (MISO) Who am I? 2

3 What do I do at MISO? 3

4 Business risks demand improvements and automation Ever growing, ever changing regulations NERC CIP: Critical Infrastructure Protection; Reliability and Cyber Security Focus *** Future state: CIP V5 R 10, prescriptive configuration management SSAE 16: Market Operations and Financial Focus Board of Directors and Stakeholders: require regulatory proof that work to critical infrastructure is properly planned, approved and managed (A.K.A. Change Management compliance). We always achieved but wanted to over-achieve. Change monitoring relied on highly manual processes, burdensome on employees Complete population of changes could not be adequately validated; auditors could only sample change tickets, not actual changes Reliance upon policies, procedures, training and noble intent of all IT workers; without sufficient closed loop validation of expected changes Staff concerns Why are we doing this? We really don t have time to fit anymore work into our days. The fear of compliance is of concern to each individual; everyone wants to succeed. What s the problem? 4

5 Specific business requirements of MISO Ability to conduct File Integrity Monitoring (FIM) as a replacement solution for SSAE monitoring of application files Run FIM in parallel with old solution as a validation cycle New solution must scale beyond FIM, Configuration Monitoring and Policy Management to address NERC CIP Shopping for a solution Evaluated three vendor solutions Evaluated the experience of other ISO s Utilized Gartner experience analyst research, and IT industry measurements (Magic Quadrant vendor comparisons) Chose Tripwire as a best in class product and service provider Why Tripwire? 5

6 Tripwire s foundation DETECT leading indicators of breach; leads to early incident detection. PROTECT systems using pragmatic approach; SANS critical security controls CONNECT security to the business, make it: (1) visible, (2) actionable, (3) measurable. Gained the ability to translate Technical Risk into Overall Security Intelligence Why Tripwire? 6

7 2012 Ran parallel of old solution against Tripwire for SSAE 16 scope Limited monitoring to application code and database changes (Began 4/1/2013) Rolled into production 10/01/2012 COMPLETE BUSINESS VALUE (1) Removed manual reporting process using a tool that was not fit for purpose (ESM) (2) Became more efficient (3) Satisfied Internal Audit and Board of Director concerns surrounding insufficient monitoring of actual environment changes, not just change tickets (4) Validated the decision that Tripwire was the right vendor for our solution, based on it s capability and specialty being directly focused on this business issue Implementation Roadmap 7

8 2013 Expand change monitoring capabilities across systems governed by NERC CIP requirements (expands beyond applications and databases; move into monitoring infrastructure changes that we will be doing for the first time) COMPLETE BUSINESS VALUE (1) Expanded production monitoring across all NERC CIP devices (2) Developed automation to validate discovered changes against validate, approved change tickets (3) BONUS: used new capability to automate the review of database table changes (4) *** Achieved a platform upon which to grow future configuration monitoring, especially security configuration monitoring which is business critical and NERC CIP regulated Implementation Roadmap 8

9 Decentralize process support; move outwards from the Change Management team and institutionalize operational support of this across all IT stakeholders COMPLETE Drive increased transparency and ownership of change management responsibility COMPLETE Consider utilizing Tripwire on corporate infrastructure FUTURE BUSINESS VALUE (1) Implemented full-loop reporting of unauthorized changes to change owners (2) Allowed for process improvement as monitoring rules are refined (3) Attained the capability to discover, capture, report and mitigate risks of changes with adverse impacts to the reliability of our critical business functions Implementation Roadmap 9

10 Enabled support of future NERC CIP V5 R010 Configuration Management requirement Automated management of NERC CIP policy monitoring rules (i.e. CIP 007 nr2 Ports and Services) Ability for a tool to define approved baselines Ability to monitor baseline configuration drift for each change to production systems (Includes processes to mitigate, back out or correct documentation errors) Ability to manage changes to baselines [Change Management] Easy extract of data to prove compliance Looking forward 10

11 Enabled support of future NERC CIP V5 R010 Configuration Management requirement Automated management of NERC CIP policy monitoring rules (i.e. CIP 007 nr2 Ports and Services) Ability for a tool to define approved baselines Ability to monitor baseline configuration drift for each change to production systems (Includes processes to mitigate, back out or correct documentation errors) Ability to manage changes to baselines [Change Management] Easy extract of data to prove compliance Looking forward 11

12 How do we do this?

13 Understand the now

14 MISO s Approach

15 Develop a sustainable process solution to manage baseline security configuration data Six Sigma approach Kaizen Implement a new baseline security configuration management process across all devices in the ESP Short term

16 Create a foundation that can be used for future expansion of configuration management activities Link short term and long term: engage the team to realize configuration management best practices IT Service Transformation Long term

17 Kaizen + IT Service Transformation Comprehensive approach

18 Questions 18