Internal Controls And Good Utility Practices. Ruchi Ankleshwaria Manager, Compliance Risk Analysis




Introduction
- Joined WECC in March 2013
- 6 years of industry experience prior to joining WECC
- 4 years at a BA/TO/TOP/GO/GOP in WECC as an EMS engineer and project controls engineer
- 2 years as a project manager
- Electrical Engineer
- Master in Business Administration
- Certified Project Management Professional (PMP)

Objective
Share examples of internal controls that were considered effective during Internal Control Evaluation (ICE) or CIP V5 outreach.

Benefit to you
- Know what WECC is looking for
- Use this as guidance for your Internal Control Program
- Already have the control? Document it for WECC's ICE evaluation
- Not implemented yet? Consider implementing it

Internal Controls Evaluation Process
1. Expectation of the Standard
2. Focus on Risks
3. List of Controls
4. Review of Control Design
5. Test Effectiveness of Controls


Criteria for Good Controls
- Should have been implemented for at least a year
- Management approval/notification
- Combination of manual and automatic controls
- Preventive, detective or corrective control

Areas of Focus
- CIP-007-6 R2
- CIP-010-2 R1
- CIP-002-5.1 R2
- CIP-004-6 R2

CIP-007-6 R2 Controls: Security Patch Management

CIP-007-6 R2 Requirement Expectation
- Patch source identified
- Systems identified
- Applications identified
- Patch tracking planned
- Patches identified
- Patches tracked
- Patches evaluated
- Patches installed, or mitigation plan updated
- Patch installation documented

CIP-007-6 R2 Possible Points of Failure
- Failure to track a security patch
- Failure to evaluate a security patch
- Failure to install a security patch or update the mitigation plan

CIP-007-6 R2 Failure Point: Failure to track a security patch

CIP-007-6 R2 Examples of Good Utility Practice
Technical controls
- Automated scanning tool that detects what is running and alerts on any changes to a system
- Automated tools that scan devices and determine whether they are up to date or whether any patches are available for the system
- Task management tools to ensure periodic tasks are being completed
Administrative controls
- Limited user rights that prevent the unplanned installation of software
Manual controls
- Change control peer reviews to verify there are no unexpected changes
- Checklist to ensure an application gets added to the patch tracking procedures when new software is added

CIP-007-6 R2 Failure Point: Failure to evaluate a security patch

CIP-007-6 R2 Examples of Good Utility Practice
Technical controls
- Tools that automatically notify of applicable patches
- Task management tools to ensure periodic tasks are being completed
Manual control
- Peer review to ensure the security patch evaluation is done according to the defined criteria
Procedural controls
- Reminders for periodic tasks
- Clear criteria and assignments for what makes a patch applicable, and who can make that determination

CIP-007-6 R2 Failure Point: Failure to install a security patch or update the mitigation plan

CIP-007-6 R2 Examples of Good Utility Practice
Technical controls
- Centralized patch management so admins do not have to go to each individual machine to apply patches
- Technical tool that can scan to verify a patch was applied
Manual controls
- Random sample verifications to ensure the technical controls are working
- Manual verification or audits that procedures were followed and documentation is accurate
Procedural controls
- Checklist to ensure all steps are completed as part of the patch install
- Limited user rights preventing personnel from patching their own machines whenever they feel like it
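The three failure points above (track, evaluate, install or mitigate) can be checked with a single detective control run over the patch tracking list. The following is an added example, not code from the presentation or from WECC: it assumes hypothetical system, software and patch identifiers, and it takes the 35-calendar-day evaluation and action windows from CIP-007-6 R2 Parts 2.2 and 2.3 rather than from the slides.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed windows from CIP-007-6 R2: Part 2.2 evaluates at least once every 35 calendar
# days, Part 2.3 acts within 35 calendar days of evaluation (from the standard, not the slides).
EVALUATE_WITHIN = timedelta(days=35)
ACT_WITHIN = timedelta(days=35)

@dataclass
class PatchRecord:
    system: str
    software: str
    patch_id: str
    released: date                          # date the tracked patch source published it
    evaluated: Optional[date] = None        # date the applicability evaluation completed
    applicable: bool = False
    installed: Optional[date] = None
    mitigation_plan: Optional[date] = None  # dated mitigation plan instead of installing

def untracked_software(scanned, tracked):
    """Failure point 1: software the scanner sees on a system that has no entry in
    the patch tracking list. Both arguments map system -> set of software names."""
    return {sys: sw - tracked.get(sys, set())
            for sys, sw in scanned.items() if sw - tracked.get(sys, set())}

def overdue_patches(records, today):
    """Failure points 2 and 3: evaluation overdue, or an applicable patch that is
    neither installed nor covered by a mitigation plan inside the action window."""
    findings = []
    for r in records:
        if r.evaluated is None:
            if today - r.released > EVALUATE_WITHIN:
                findings.append((r.system, r.patch_id, "evaluation overdue"))
        elif r.applicable and r.installed is None and r.mitigation_plan is None:
            if today - r.evaluated > ACT_WITHIN:
                findings.append((r.system, r.patch_id, "install/mitigation overdue"))
    return findings

# Constructed sample data: hypothetical system, software and patch identifiers.
SCANNED = {"ems-app-01": {"vendor-os", "hmi-client", "pdf-reader"}}
TRACKED = {"ems-app-01": {"vendor-os", "hmi-client"}}
TODAY = date(2016, 6, 1)
RECORDS = [
    PatchRecord("ems-app-01", "vendor-os", "OS-2016-04", date(2016, 4, 1)),  # never evaluated
    PatchRecord("ems-app-01", "hmi-client", "HMI-7.2", date(2016, 4, 20),
                evaluated=date(2016, 4, 25), applicable=True),               # no action yet
    PatchRecord("ems-app-01", "vendor-os", "OS-2016-05", date(2016, 5, 15), evaluated=date(2016, 5, 20),
                applicable=True, mitigation_plan=date(2016, 5, 25)),         # covered by a plan
]
```

Run against the sample data, untracked_software reports pdf-reader as software with no patch source, and overdue_patches flags the unevaluated OS patch and the evaluated HMI patch that was never installed or given a mitigation plan.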

CIP-010-2 R1 Controls: Configuration Change Management

CIP-010-2 R1 Requirement Expectation
- Identify all applicable systems
- Document the baseline for devices
- Create authorization procedures for changes to the baseline
- Identify potential impacts to security controls
- Create security controls verification procedures
- Test to ensure security controls are not adversely impacted
- Update the baseline for any changes

CIP-010-2 R1 Possible Points of Failure
- Inaccurate baseline
- Changes made inappropriately
- Failure to document changes to the baseline accurately

CIP-010-2 R1 Examples of Good Utility Practice: Inaccurate Baseline
- Method for developing and maintaining the baseline: automated scanning and manual review
- Ensure confidentiality, integrity and availability (CIA) of the list
- Limited write privileges to change the baseline
- Location of the baseline: protection from unauthorized changes

CIP-010-2 R1 Examples of Good Utility Practice: Changes Made Inappropriately
- Have authorization criteria for changes
- Have a process map of common scenarios that can affect security controls
- Peer review process to verify the impact of changes

CIP-010-2 R1 Examples of Good Utility Practice: Failure to Document Changes to the Baseline Accurately
- Have an automated system that can update the baseline upon changes
- Peer review to ensure documentation is accurate
- Periodic update to management on changes to the baseline
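The three CIP-010-2 R1 failure points above come together in one automated control: compare the current scan against the documented baseline, roll only authorized changes into the new baseline, report everything else, and store an integrity value with the list. This is an added example, not code from the presentation or from WECC; the five baseline elements are assumed from CIP-010-2 R1 Part 1.1 (the slides only say "document the baseline"), and the EMS server, software names and change records are constructed.

```python
import hashlib
import json

# Baseline elements of CIP-010-2 R1 Part 1.1 (assumption: taken from the standard;
# the slides only say "document baseline for devices").
ELEMENTS = ("os_firmware", "software", "custom_software", "ports", "patches")

def diff_baseline(baseline, current):
    """Detective control: {element: (added, removed)} for every element that drifted."""
    drift = {}
    for e in ELEMENTS:
        added = set(current.get(e, ())) - set(baseline.get(e, ()))
        removed = set(baseline.get(e, ())) - set(current.get(e, ()))
        if added or removed:
            drift[e] = (added, removed)
    return drift

def reconcile(baseline, current, authorized):
    """Roll authorized changes into a new baseline and report every other change.
    authorized: set of (element, item) pairs approved through the change process."""
    new_baseline = {e: set(baseline.get(e, ())) for e in ELEMENTS}
    unauthorized = []
    for e, (added, removed) in diff_baseline(baseline, current).items():
        for item in added:
            if (e, item) in authorized:
                new_baseline[e].add(item)
            else:
                unauthorized.append((e, "added", item))
        for item in removed:
            if (e, item) in authorized:
                new_baseline[e].discard(item)
            else:
                unauthorized.append((e, "removed", item))
    return {e: sorted(v) for e, v in new_baseline.items()}, sorted(unauthorized)

def baseline_digest(baseline):
    """Integrity value stored beside the baseline so edits to the list itself are detectable."""
    return hashlib.sha256(json.dumps(baseline, sort_keys=True).encode()).hexdigest()

# Constructed sample: a hypothetical EMS server, not taken from the slides.
BASELINE = {"os_firmware": ["vendor-os 4.2"], "software": ["hmi-client 7.1"],
            "custom_software": ["alarm-forwarder"], "ports": ["22/tcp", "443/tcp"],
            "patches": ["OS-2016-03"]}
CURRENT = {"os_firmware": ["vendor-os 4.2"], "software": ["hmi-client 7.1", "backup-agent 2.0"],
           "custom_software": ["alarm-forwarder"], "ports": ["22/tcp", "443/tcp", "8080/tcp"],
           "patches": ["OS-2016-03", "OS-2016-05"]}
AUTHORIZED = {("software", "backup-agent 2.0"), ("patches", "OS-2016-05")}
```

reconcile(BASELINE, CURRENT, AUTHORIZED) returns the updated baseline plus a single finding, the 8080/tcp port that was opened without a change record; the digest of the new baseline differs from the old one, which is what a peer reviewer would compare against the recorded value.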

CIP-002-5.1 R2 Controls: BES Cyber System Categorization - Review & Approval

CIP-002-5.1 R2
- Conduct an annual physical walk-down review of BES Cyber Systems (BCS) to verify that the master list of BCS is accurate
- Automated scanning tools to identify IP-enabled devices
- Automated system that can notify of upcoming tasks and escalate notifications depending on the time remaining to complete the tasks
- Ensure CIA of the list

CIP-004-6 R2 Controls: Cyber Security Personnel & Training

CIP-004-6 R2
- Automated program to track training
- Add a periodic check to verify the access list
- Periodic reviews to ensure the training is being completed as required
- Automated/periodic notification to management

Upcoming Changes

Upcoming Changes to the ICE Process
- Update ICE survey questions for CIP V5
- Changes in timing for performing ICE
- Use ICE for the long-term monitoring strategy
- Focus on a subset of inherent risks

Summary
- Focus on the Standard's expectation and failure points
- Focus on a combination of automated and manual controls
- Combination of preventive, detective and corrective controls

Questions
Ruchi Ankleshwaria
Email: rankleshwaria@wecc.biz
Phone: (801) 883-6881