Audit-Ready SharePoint Applications


Page 1 of 16 July 7, 2015

Table of Contents

1 Overview
2 Company Background
3 Audit-Ready SharePoint Applications
3.1 Audit-Ready Compliance Dashboard
3.2 Audit-Ready Reporter
3.3 Audit-Ready Document Loader
3.4 Periodic Data Reporting Reminders
3.5 Data Requests and Self-Logging Form
3.6 Audit-Ready Setup GUI
3.7 The Audit-Ready Operator Log (Beta Version)
3.8 The Maintenance Center (Beta Version)
3.9 Audit-Ready Asset Manager
4 Implementing the Audit-Ready SharePoint Applications
4.1 General Implementation Approach
4.2 Project Management Approach
4.3 System Documentation and Manuals
5 Ongoing Support Services
5.1 Testing

1 Overview

The Cooper Compliance Audit-Ready SharePoint Applications are governance, risk management and compliance solution add-ons to Microsoft SharePoint. They are designed specifically to manage NERC Compliance and can be used to manage other regulations. Our solution offers a complete suite of applications that work together to streamline compliance, including the following four primary applications:

- Audit-Ready Compliance Dashboard
- Audit-Ready Reporter
- Audit-Ready Document Loader
- Audit-Ready Setup graphical user interface (GUI)

The Audit-Ready SharePoint Applications provide a platform used by subject matter experts, compliance administration staff, and executives to monitor the compliance program. Our clients use these applications to document compliance with standards and to store evidence in a manner that builds compliance into their organization, thus reducing subject matter experts' workload. Our solution builds in controls to ensure completeness, accuracy, and timeliness in order to reduce non-compliance risk.

The Audit-Ready SharePoint Applications are installed on the entity's existing on-premise SharePoint system or on SharePoint 365. Furthermore, the Cooper Compliance Audit-Ready SharePoint Solution pamphlet and wiki page provide all the information required for the user to install, update, and use the applications.

We have helped many entities administer their compliance programs using the Cooper Compliance Audit-Ready SharePoint Applications. The proven methodology used with the application suite is a process-oriented compliance solution that identifies controls for mitigating risk and reduces the amount of time subject matter experts must focus on NERC Compliance. That is, using our solution, the entity focuses on the things they do while performing their duties to serve the core business deliverables.

For example, an entity's core business may be to generate or purchase reliable power and/or deliver it to the end-use customer in a safe manner at the lowest cost. Obviously, other regulatory agencies such as OSHA, gas, PUC, FERC also have a bearing on core business activities. The Audit-Ready SharePoint Applications can also be used to manage these other regulations. Our approach involves looking at the processes and controls and mapping them to the regulations to build compliance into, rather than on top of, your organization. The system is transparent while using out-of-the-box Microsoft products and our customized open source code.

Our proven method has been used to prepare many satisfied clients for their audits. Typical comments from auditors are:

- "RSAW packages were easy to review because evidence was well structured with meaningful names."
- "We were able to cut the audit time down by 20% because the audit packages were relevant, sufficient, and well organized."
- "The ability to quickly respond to data requests demonstrates a robust internal compliance program."

Our clients' ability to quickly respond was a direct result of their implementing the Cooper Compliance Audit-Ready solution delivered on a SharePoint platform.

Our services and applications benefit entities registered with NERC by:

- Providing a report used for Reliability Standards Audit Worksheets (RSAWs).
- Providing a tool to implement the NERC Reliability Assurance Initiative (RAI).
- Improving their NERC Compliance program management and enabling real-time internal reporting to their management team.
- Providing easy-to-export reports for an Internal Control Evaluation (ICE).

Cooper Compliance is constantly innovating. Currently in our pipeline of future products are the Cooper Compliance Operator Log, Asset Manager, and Maintenance Center, all implemented via InfoPath forms in SharePoint. These applications build in controls to help employees properly maintain compliance in real time by ensuring maintenance and incident procedures are followed, and to give timely guidance as to the appropriate next steps.

2 Company Background

Cooper Compliance Corp. is a qualified Women-Owned Small Business (WOSB) designated by the Department of General Services and Women Owned Business Entity (WBE) designated by the California Public Utilities Commission. We are in business to provide entities who are responsible for complying with NERC Standards the Audit-Ready SharePoint Applications. Additionally, we provide NERC compliance administration and consulting services. Our experts are available to prepare you for an audit, conduct mock audits, design controls, write procedures, and provide training.

3 Audit-Ready SharePoint Applications

The Cooper Compliance Audit-Ready Applications, installed on an entity's on-premise SharePoint or Microsoft Office 365, include the:

- Audit-Ready Compliance Dashboard to provide real-time executive level status.
- Audit-Ready Reporter to provide drill down reports that are similar to a Reliability Standards Audit Worksheet (RSAW).
- Audit-Ready Document Loader used to systematically load each evidence document into SharePoint once while it is automatically associated with applicable requirements.

- Audit-Ready Setup GUI, which is preloaded with FERC Standards and recommended processes and controls, allowing users to manage new or revised Standards or changes to processes.

At no additional cost, we will include beta applications of the:

- Audit-Ready Maintenance Center, used to track substation maintenance with controls that ensure timeliness. This integrates with the other Audit-Ready tools.
- Audit-Ready Operator Log, which provides a checklist to ensure regulatory requirements are met while automatically emailing event reports.
- Audit-Ready Asset Manager, used to ensure critical assessments are completed in a timely manner.

The Audit-Ready SharePoint Applications include workflow reminders that ensure appropriate approvals and timely reporting and logging of work performed. They include escalation reminders that notify management when certain due dates are approaching for work that has not been completed. They also update the Audit-Ready Compliance Dashboard status.

The following sections describe each of these applications.

3.1 Audit-Ready Compliance Dashboard

Use the Compliance Dashboard to observe the overall status of your organization's compliance with the Standards and the associated subject matter experts. The status will show if there is an open task, a potential compliance issue, or if setup is required for a new Standard. It can also be used to track internal audits, or the status of user reviews for self-certifications.

Because there could be many processes associated with a Standard, the worst case status for any single associated process will establish the overall status for any one Standard. This design allows for an executive level view of the entire program. Links to each individual Standard open up the Reporter, where you can drill down to the process level to determine the status of activities being performed by individual subject matter experts.

Example of Compliance Dashboard:

3.2 Audit-Ready Reporter

The Audit-Ready Reporter can be used to accomplish multiple compliance tasks. Behind the Reporter interface is a database of all pertinent regulations (Standards), such as those issued by NERC, Reliability Standards Audit Work Sheet (RSAW) questions, the NERC audit approach from the RSAWs, and the inherent risks identified by NERC.

You can perform the following tasks with Audit-Ready Reporter:

- See the exact text of each requirement.
- View the evidence that has been associated with each requirement.
- Learn at a glance which standards are applicable to your organization.
- Read and edit process narratives that describe the process or controls performed to ensure compliance with each requirement.
- Identify the type of controls that reduce risk.
- Complete an internal audit using the same audit approach as NERC.
- Prepare actual RSAWs for spot audits, Self-Certification data requests, or audits.
- Print the report. As an example, you can use the printed report to capture the current status as evidence of review prior to self-certification.
- Click on the Standard Name (in blue) for a quick link to the actual Standard on the NERC website.
- Click on the Process Name (in blue) to edit the process narrative or associated information.
- Click on the associated evidence name (in blue) to view the evidence.

Example of Reporter:

3.3 Audit-Ready Document Loader

Use the Audit-Ready Document Loader to load evidence into your SharePoint Compliance website while associating the evidence with the appropriate process. Evidence that is collected periodically or sporadically is loaded into SharePoint by subject matter experts or those working on the SME's behalf. Each type of document should have a unique Process Narrative associated with it so auditors and others understand why you are presenting the document as evidence for demonstrating compliance with the regulation. When the evidence is loaded, a unique process ID is associated with the evidence and a link to the document is placed in a field with the associated Process.

Examples of evidence that would use the Audit-Ready Document Loader include:

- RAPA receipts
- Emails demonstrating coordination of new facilities
- Attestations
- Meeting minutes, etc.

The Document Loader includes filtering capability. The user can filter by the subject matter expert and/or the requirement to select the appropriate process. By selecting the subject matter expert first, the requirement will be filtered to only include those associated with the subject matter expert. Further drill down will show only processes associated with the subject matter expert and the selected requirement. Once the appropriate process is selected, a report is generated with the narrative of the process, existing evidence documents that are already loaded, and all associated requirements. Click on the evidence name (in blue) to view the existing evidence.

Additionally, the Document Loader assigns the security level to the document based on the security set on the Process. As an example, documents loaded to a cyber-security process or control may only be viewed by those people who have met the cyber security requirements of your organization.

Example of Document Loader:

3.4 Periodic Data Reporting Reminders

Cooper Compliance has developed and will implement our unique reminder system on SharePoint that tracks timeliness for periodic processes or data reporting. For example, for CIP-004, an entity is required to provide quarterly security awareness reinforcement. This can be provided by numerous means such as direct communication through emails or memos, posters, etc. The Audit-Ready solution will create a task each quarter that is associated with the process to provide quarterly awareness reinforcement. The status for the process will be changed to Open Task, while providing an overall Standard status of Open Task on the Audit-Ready Dashboard. The task will be marked as complete once a document has been loaded into SharePoint using the Audit-Ready Document Loader that provides evidence that the task is complete. Escalation reminders will be sent when a tolerance period prior to the due date is reached. In addition, the status of the associated process will be changed.

3.5 Data Requests and Self-Logging Form

Similar to the Periodic Data Reporting Reminders, a workflow creates tasks and sends out reminders to monitor for timely completion of data requests that have a specific due date. The form is also used to log minimum risk violations for the self-logging option offered for some entities under the NERC 2015 Compliance Monitoring and Enforcement Implementation Plan.

3.6 Audit-Ready Setup GUI

The Audit-Ready Setup GUI guides your staff to add or modify the process narratives used to identify how your entity complies with the Standards. Use the Setup GUI to drill down and select existing processes to associate with the Standard Requirement or add a new process. Cooper Compliance provides updates to the Standards which include generic recommended narratives that describe the processes and controls an entity could use to demonstrate compliance. These narratives would be modified by your subject matter experts to represent its specific policies, procedures, activities, and controls.

Example of Setup GUI:

3.7 The Audit-Ready Operator Log (Beta Version)

The Audit-Ready Operator Log is used to track station or control room activity. The operator, dispatcher, or other personnel will select the type of activity being logged. They will then select a subcategory. Multiple instructions or a procedure for the operator are associated with the subcategory. A check box identifies the time the instruction was completed and the person who completed the instruction. In addition, emails can be automatically generated to notify a predesignated group, such as NERC for event reporting, when a certain type of event occurs.

Example of Operator Log

3.8 The Maintenance Center (Beta Version)

The Maintenance Center is used to track the status of the maintenance program to ensure compliance with PRC-005. The Maintenance Center provides a centralized platform to identify the status of all work orders down to the equipment level. It can be used by the compliance administrator to monitor approaching due dates and can also be used to collect data in the workflows.

After the records are updated in SharePoint, a workflow marks the record as complete, establishes the next test date, and sends reminders a predetermined number of days prior to the next due date. If the record is not updated in a timely manner, the workflow will generate an escalation so that appropriate action can be taken by management. If a piece of equipment is approaching a grace period, the overall status of PRC-005 will change to alert your entity's management team that immediate attention and action is required.

3.9 Audit-Ready Asset Manager

The Audit-Ready Asset Manager is used to track new assets or changes to existing assets. This tool is used to do the risk assessment of the Asset to determine the level of criticality in accordance with CIP-002. It is then used to identify and track all Critical Cyber Systems and to ensure proper change management. An electronic approval process is used to ensure timely reviews.

4 Implementing the Audit-Ready SharePoint Applications

4.1 General Implementation Approach

In addition to being SharePoint developers, the Cooper Compliance staff are experts in NERC compliance, process development, risk management, and internal controls. Our approach builds controls into the daily processes performed by your employees.

Cooper Compliance staff are available to quickly and fully implement the product migration of your existing program materials and documentation. Full implementation can be completed within a 3 to 4 month period for most entities who have a typical existing compliance program. When Cooper Compliance's solution is fully implemented, all existing processes and controls are documented and all current evidence required to demonstrate compliance within the bookmark from the last audit is migrated.

After our initial setup activities, an entity will have access to the Audit-Ready applications to monitor compliance, track tasks, and collect and maintain evidence in real time. For NERC compliance, the SharePoint website is pre-loaded with NERC Standards, separated into individual requirements. The Cooper Compliance solution can be adapted to other regulation sets as well.

4.2 Project Management Approach

Our products utilize a set of SharePoint lists and libraries that are maintained by Cooper Compliance. We can provide detailed instructions for setting up the lists and libraries or, if given access to the on-premise SharePoint, we can set them up for you.

The SharePoint applications are placed in the SharePoint client store or solutions center. Using our instructions to install the apps takes less than 15 minutes. Once the required lists and libraries are established, we begin the migration process. We obtain all your process narratives, procedures, and evidence documents and insert them into the appropriate locations on the SharePoint Compliance website.

We utilize the Audit-Ready Dashboard to track status at the Standard level. You can track the completion of the work at a high level by viewing the status of each requirement. Ideally, the entity already possesses material that addresses each Requirement, but if not, Cooper Compliance can assist in gathering or developing the necessary processes, procedures, or evidence. As documents are added, the status of each Requirement is monitored for compliance, meaning the necessary supporting documentation is present for each Requirement.

- PM Review Required: The initial status, which means the Cooper Compliance project manager (PM) has not completed the initial review of all Requirements.
- Open Task: The Cooper Compliance PM has completed the initial review and is waiting on completion of an open task for at least one process or control.
- Technical Writer Approved: The Cooper Compliance technical writer has completed a review of the narratives used to document how compliance and controls are achieved.
- Cooper Compliance Approved: The Cooper Compliance president has completed review.
- Expert Review Required: The Cooper Compliance PM needs to meet with your entity's expert to refine and obtain acceptance.
- Not Applicable, Do Not Own, Compliant: The Cooper Compliance PM has met with the SME and the SME has accepted the work. Represents completion of the project.

Note that the status could end up in a Possible Violation state; however, this status would be established by your entity's management team.

The following describes the activity that takes place during implementation as we track the status:

PM Review Required

We start by populating the system with our base set of process narratives and controls that represent best practice from our other clients. These processes and controls are pre-mapped to Requirements. We review the documentation provided by the entity that has previously been gathered to demonstrate compliance. We modify the narratives to specifically describe the entity's activities.

Open Task

We utilize the SharePoint task list to identify documents that we discover missing. We also utilize the task list to identify areas of possible improvement. Each week we meet with your entity's experts to go over the task list and assign tasks out to the appropriate subject matter expert. A SharePoint drop box is used for entity staff to provide missing documentation until the setup is complete.

Technical Writer Approved

Once the Cooper Compliance PM has determined completion, our technical writer will review process narratives for accuracy and completion.

Cooper Compliance Approved

Our president will review all documentation after the technical writer review to ensure the work meets the expectations that represent the company's reputation of excellence.

Expert Review Required

After all Standards have been addressed, we meet individually with each expert to review for accuracy and completeness. We will modify the process narratives to better identify the evidence and repeat the Cooper Compliance technical writer review and president review until accepted by the entity's expert(s). While we provide overview training to all staff during this period, we also provide individualized training and troubleshooting to all experts. We look for areas where better efficiencies can be brought to the individual expert to integrate compliance better into their regular daily activities. The concepts will be brought to the entity's management team to consider prior to being implemented.

Not Applicable, Do Not Own, Compliant

After obtaining acceptance, all workflows are started and steady-state has been reached for the known Standards. The status will be changed to Open Task when a workflow used to control timeliness has identified the start-time for an activity to occur for a process. For example, quarterly cyber security awareness needs to be completed, a procedure needs to be reviewed, regional reporting is due, etc. During a self-certification or audit period, the task list will use a similar approach to track the readiness to self-certify or submit audit documentation.

4.3 System Documentation and Manuals

Our pamphlet, The Audit-Ready SharePoint Solution, which is also included as a SharePoint wiki page, documents the structure and use of our unique and innovative solution for regulated entities to ensure compliance with reliability standards. It describes our method of applying Institute of Internal Auditor methodologies for documenting processes and controls. It also documents workflows used, describes the required SharePoint libraries and lists, and provides documentation on the JavaScript code used behind the Audit-Ready SharePoint Applications.

In addition, we have a set of how-to videos that are provided in the How-to library. These videos include topics such as How to use the Audit-Ready document loader, How to use the Audit-Ready applications for Self-certification, and How to use the Reporter.

5 Ongoing Support Services

Ongoing support includes the following:

- Maintaining NERC and regional inputs. These inputs include the FERC approved Standards, RSAW Questions, NERC Inherent Risks, and RSAW Audit approach. Cooper Compliance maintains the lists and libraries on the web. A macro-driven Microsoft Access tool is used to periodically pull in updates. For the pull, the user will simply push one macro button. Any modifications to the Microsoft Access database as a result of changes to the tables based on changes to NERC will be provided at no additional cost.

- Generic Process narratives and control statements. These are maintained by Cooper Compliance and can be used as a starting point to develop your entity's specific process narratives and controls. Updates will be provided in the same manner as described above, utilizing the Microsoft Access tool.
- Application Enhancements. Often, enhancements to our applications are implemented based on changes in the industry or at the request of our customers. All products beta tested by your entity will be delivered for install onto your entity's SharePoint site.
- Help Desk Support. Support on our products will be provided during regular business hours of 07:00 to 18:00 PST Monday to Friday to resolve any user problems or help on the use of the applications.

5.1 Testing

Cooper Compliance prepares a test script and tests each release in our own SharePoint environment to ensure no issues exist when installing our applications on client sites. The applications are then installed in a test environment in our client's on-premise SharePoint to ensure the NERC change management requirements are met and to avoid disruption to the users. Once all test scripts, provided by Cooper Compliance, are run, the applications are ready to be added to the production site.


More information

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance enables enduser organizations and service providers to orchestrate and visualize the security of their

More information

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief The RSA Solution for Cloud Security and Compliance A GRC foundation for VMware infrastructure security and compliance Solution Brief The RSA Solution for Cloud Security and Compliance enables end-user

More information

The Business Case for Data Governance

The Business Case for Data Governance Contents of This White Paper Data Governance...1 Why Today s Solutions Fall Short...2 Use Cases...3 Reviewing Data Permissions... 3 Reviewing Data Permissions with Varonis... 3 Reviewing User and Group

More information

The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform

The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform Technical Discussion David Churchill CEO DraftPoint Inc. The information contained in this document represents the current

More information

Summit Platform. IT and Business Challenges. SUMMUS IT Management Solutions. IT Service Management (ITSM) Datasheet. Key Benefits

Summit Platform. IT and Business Challenges. SUMMUS IT Management Solutions. IT Service Management (ITSM) Datasheet. Key Benefits Summit Platform The Summit Platform provides IT organizations a comprehensive, integrated IT management solution that combines IT service management, IT asset management, availability management, and project

More information

Cloud Services Catalog with Epsilon

Cloud Services Catalog with Epsilon Cloud Services Catalog with Epsilon Modern IT enterprises face several challenges while building a service catalog for their data center. Provisioning with a cloud management platform solves some of these

More information

AURORA Vulnerability Background

AURORA Vulnerability Background AURORA Vulnerability Background Southern California Edison (SCE) September 2011-1- Outline What is AURORA? Your Responsibility as a Customer Sectors Impacted by AURORA Review of Regulatory Agencies History

More information

Enforcive / Enterprise Security

Enforcive / Enterprise Security TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Support Desk Help Manual. v 1, May 2014

Support Desk Help Manual. v 1, May 2014 Support Desk Help Manual v 1, May 2014 Table of Contents When do I create a ticket in DataRPM?... 3 How do I decide the Priority of the bug I am logging in?... 3 How do I Create a Ticket?... 3 How do I

More information

Lessons Learned CIP Reliability Standards

Lessons Learned CIP Reliability Standards Evidence for a requirement was not usable due to a lack of identifying information on the document. An entity should set and enforce a "quality of evidence" standard for its compliance documentation. A

More information

CIP-003-5 Cyber Security Security Management Controls

CIP-003-5 Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-5 3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and

More information

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: March 17, 2015 Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical software and services that transform high-volume

More information

The Challenges of Administering Active Directory

The Challenges of Administering Active Directory The Challenges of Administering Active Directory As Active Directory s role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. The

More information

LSF HEALTH SYSTEMS Information Technology Plan

LSF HEALTH SYSTEMS Information Technology Plan LSF HEALTH SYSTEMS Information Technology Plan I. INTRODUCTION The LSF Health Systems software is a web-enabled, secure website providing access to LSF, the Provider Network and DCF. At this time, the

More information

Standard CIP 007 3 Cyber Security Systems Security Management

Standard CIP 007 3 Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Top 10 Compliance Issues for Implementing Security Programs

Top 10 Compliance Issues for Implementing Security Programs www.dyonyx.com Top 10 Compliance Issues for Implementing Security Programs This White Paper articulates the top ten issues that we have encountered in the design and implementation of comprehensive Security

More information

SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned

SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned Executive Summary Organizations evaluating technology solutions to enhance their governance, risk and compliance

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Functional and technical specifications. Background

Functional and technical specifications. Background Functional and technical specifications Background In terms of the Public Audit Act, 2004 (Act No. 25 of 2004) (PAA), the deputy auditor-general (DAG) is responsible for maintaining an effective, efficient

More information

GLOBAL EXPRESS PAYMENT CENTER

GLOBAL EXPRESS PAYMENT CENTER GLOBAL EXPRESS PAYMENT CENTER USER GUIDE V1.4 EFFECTIVE 05/14/15 TABLE OF CONTENTS 03 Get Started Set Up Terminal Required Step by Admin Set Up Users Required Step by Admin Set Up Receipt Explore Dashboard

More information

Reference Guide for Sites

Reference Guide for Sites DAIDS Clinical Site Monitoring (CSM) System Reference Guide for Sites Under DAIDS contract number N01-AI-30060, which is entitled DAIDS Enterprise Information Management System (DAIDS-ES), this document

More information

Office Business Applications (OBA) for Healthcare Organizations. Make better decisions using the tools you already know

Office Business Applications (OBA) for Healthcare Organizations. Make better decisions using the tools you already know Office Business Applications (OBA) for Healthcare Organizations Make better decisions using the tools you already know Page 1 A B S T R A C T Healthcare information is getting more and more difficult to

More information

CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments

CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Minnesota Health Insurance Exchange (MNHIX)

Minnesota Health Insurance Exchange (MNHIX) Minnesota Health Insurance Exchange (MNHIX) 1.2 Plan September 21st, 2012 Version: FINAL v.1.0 11/9/2012 2:58 PM Page 1 of 87 T A B L E O F C O N T E N T S 1 Introduction to the Plan... 12 2 Integration

More information

BPO Service Level Agreement

BPO Service Level Agreement BPO Service Level Agreement Versión / Version: 2.2 Código Documento / Document Code: AVSP- ITSM- SD- BPO- SLA Fecha Emisión / Distribution Date: November 30, 2014 Elaboró / Created by: Revisó / Reviewed

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Turn Your Business Vision into Reality with Microsoft Dynamics GP

Turn Your Business Vision into Reality with Microsoft Dynamics GP Turn Your Business Vision into Reality with Microsoft Dynamics GP You have worked hard to build a vision for your business. With a business solution from Microsoft, you can turn that vision into reality.

More information

Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance

Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance Arm Stakeholders with Critical Information to Assess 3rd Party Relationships and Comply with the Foreign Corrupt Practices Act

More information

Contents of This Paper

Contents of This Paper Contents of This Paper Overview Key Functional Areas of SharePoint Where Varonis Helps And How A Project Plan for SharePoint with Varonis Overview The purpose of this document is to explain the complementary

More information

STL Microsoft SharePoint Consulting and Support Services

STL Microsoft SharePoint Consulting and Support Services STL Microsoft SharePoint Consulting and Support Services STL Technologies Equis House Eastern Way Bury St Edmunds Suffolk IP32 7AB Service Description and Pricing Specialist Cloud Services www.stl.co.uk

More information

Designing Compliant and Sustainable Security Programs 1 Introduction

Designing Compliant and Sustainable Security Programs 1 Introduction Designing Compliant and Sustainable Security Programs 1 Introduction The subject of this White Paper addresses several methods that have been successfully employed by DYONYX to efficiently design, and

More information

55034-Project Server 2013 Inside Out

55034-Project Server 2013 Inside Out Course Outline 55034-Project Server 2013 Inside Out Duration: 5 days (30 hours) Target Audience: This course is intended for anyone that will need to manage and use Project Server 2013. This includes the

More information

Regulatory Compliance Management for Energy and Utilities

Regulatory Compliance Management for Energy and Utilities Regulatory Compliance Management for Energy and Utilities The Energy and Utility (E&U) sector is transforming as enterprises are looking for ways to replace aging infrastructure and create clean, sustainable

More information

Best Practices Report

Best Practices Report Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general

More information

How To Create A Help Desk For A System Center System Manager

How To Create A Help Desk For A System Center System Manager System Center Service Manager Vision and Planned Capabilities Microsoft Corporation Published: April 2008 Executive Summary The Service Desk function is the primary point of contact between end users and

More information

Monitoring & Testing

Monitoring & Testing Rivo provides a total monitoring, analysis, testing and reporting solution. Monitor environmental and other enterprise risk and performance metrics such as air, water and land waste/emissions. Monitor

More information

THE HELP DESK AND THE NOC: WHAT MSPS NEED AND WHY

THE HELP DESK AND THE NOC: WHAT MSPS NEED AND WHY by THE HELP DESK AND THE NOC: WHAT MSPS NEED AND WHY THE HELP DESK AND THE NOC: WHAT MSPS NEED AND WHY Critical to the success of virtually every high growth managed service provider (MSP) are network

More information

CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments

CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

5 STEPS TO OPTIMIZING YOUR COMMERCIAL LENDING ORGANIZATION

5 STEPS TO OPTIMIZING YOUR COMMERCIAL LENDING ORGANIZATION 5 STEPS TO OPTIMIZING YOUR COMMERCIAL LENDING ORGANIZATION Table of Contents INCREASE SPEED & ACCURACY WITH ELECTRONIC DOCUMENTS AUTOMATICALLY ROUTE DOCUMENTATION THROUGH PROCESSES WITH WORKFLOW COMPLY

More information

Self Service. Participant Guide. Level I. For Reference Only

Self Service. Participant Guide. Level I. For Reference Only Self Service Level I Participant Guide For Reference Only 10/28/2005 This document may contain proprietary information about our or our clients environment. Care should be taken to safeguard this information

More information

PROFESSIONAL SERVICES

PROFESSIONAL SERVICES v.2016.02 PROFESSIONAL SERVICES Training Services Computrition offers a wide array of training services to streamline the implementation process. Of all the factors critical to the success of an automation

More information

Service Level Agreement Between: Computing and Informational Technology And The Finance and Business Operations Division

Service Level Agreement Between: Computing and Informational Technology And The Finance and Business Operations Division Service Level Agreement Between: Computing and Informational Technology And The Finance and Business Operations Division 1/9 1. Executive Summary This Service Level Agreement ( SLA ) is between Computing

More information

ASSET ARENA PROCESS MANAGEMENT. Frequently Asked Questions

ASSET ARENA PROCESS MANAGEMENT. Frequently Asked Questions ASSET ARENA PROCESS MANAGEMENT Frequently Asked Questions ASSET ARENA PROCESS MANAGEMENT: FREQUENTLY ASKED QUESTIONS The asset management and asset servicing industries are facing never before seen challenges.

More information

Beyond Spreadsheets. How Cloud Computing for HR Saves Time & Reduces Costs. January 11, 2012

Beyond Spreadsheets. How Cloud Computing for HR Saves Time & Reduces Costs. January 11, 2012 Beyond Spreadsheets How Cloud Computing for HR Saves Time & Reduces Costs January 11, 2012 Introductions Carl Kutsmode Partner at talentrise Talent Management and Recruiting Solutions Consulting firm Help

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

IT Academy Lesson Plan

IT Academy Lesson Plan 10 IT Academy Lesson Plan Microsoft Sharepoint Turn potential into success Microsoft Office SharePoint 2010: Lesson Plans Introduction Preparing to teach courses on Microsoft SharePoint 2010 for the first

More information

Support and Service Management Service Description

Support and Service Management Service Description Support and Service Management Service Description Business Productivity Online Suite - Standard Microsoft Exchange Online Standard Microsoft SharePoint Online Standard Microsoft Office Communications

More information

Together we can build something great

Together we can build something great Together we can build something great Financial Reports, Ad Hoc Reporting and BI Tools Joanna Broszeit and Dawn Stenbol Education Track Boston Room Monday, May 2nd 2:40 pm Reporting Options with NAV ERP

More information

Regulated Documents. A concept solution for SharePoint that enables FDA 21CFR part 11 compliance when working with digital documents

Regulated Documents. A concept solution for SharePoint that enables FDA 21CFR part 11 compliance when working with digital documents Regulated Documents A concept solution for SharePoint that enables FDA 21CFR part 11 compliance when working with digital documents Contents Life science industry challenges Regulated Documents our service

More information

Start-Up Kit. Employment Ontario Information System (EOIS) Case Management System (CaMS)

Start-Up Kit. Employment Ontario Information System (EOIS) Case Management System (CaMS) Employment Ontario Information System (EOIS) Case Management System (CaMS) Start-Up Kit IMPORTANT: Before attempting to log into EOIS-CaMS, please make sure you have been set up as a system user by your

More information

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems GE Intelligent Platforms Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Overview There is a lot of

More information

NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES

NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES 1. Definitions. The definitions below shall apply to this Schedule. All capitalized terms not otherwise defined herein

More information

Verve Security Center

Verve Security Center Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution

More information

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Version 7.0 SP1 Evaluation Guide September 2010 Version 2.4 Copyright 2010, Lumension, Inc. Table of Contents Lumension Endpoint

More information

Course 55034A: Microsoft Project Server 2013 Inside Out

Course 55034A: Microsoft Project Server 2013 Inside Out Course 55034A: Microsoft Project Server 2013 Inside Out Five days, instructor-led About this Course This 5-day Instructor Lead course how to work with Microsoft Project Server 2013. You will also create

More information

Cloud Services. Sharepoint. Admin Quick Start Guide

Cloud Services. Sharepoint. Admin Quick Start Guide Cloud Services Sharepoint Admin Quick Start Guide 3/12/2015 ACTIVATION An activation letter will be sent to the email account of your administrator contact. SharePoint will be part of your Cloud Control

More information