NERC Cyber Security Compliance Consulting Services
HCL Governance, Risk & Compliance Practice




Overview

The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems. The NERC CIP Standards seek to address the question "How well protected is this critical infrastructure?"

Compliance with these standards can be both risky and complicated, given the differences between electrical utilities and the newness of the standards. Certainly, the remoteness of power generation and the wide coverage of electric transmission greatly complicate the job of securing these assets from direct attack.

The HCL Governance, Risk & Compliance (GRC) consulting practice offers market-leading services to organizations seeking compliance support for the NERC CIP standards, improving their security and governance posture while reducing cost. Many of our Managed Security Services and Professional Services align with the NERC CIP Cyber Security Standards, allowing organizations to meet and exceed the requirements they set forth. Starting from a compliance health check, HCL can work with your organization to implement the recommendations by providing technical, documentation and project management support.
Challenges Addressed

- Lack of confidence in the organizational security posture, and a siloed approach across the engineering, operations and IT departments
- Real-time systems make patch application, validation and user authentication difficult
- Cyber security requires a toolset and knowledge base that is traditionally not found in the same experience pool that understands and manages the day-to-day operations of a power grid
- Diversified risk-assessment approaches
- Lack of basic security mechanisms in SCADA/EMS and DCS designs when compared to standard business information systems
- High cost of audit and compliance sustenance

The focus of HCL GRC is to offer end-to-end Advisory & Implementation services that enable an organization to meet the business objectives of its NERC Cyber Security Compliance initiative.

Approach

For NERC Cyber Security compliance, the HCL GRC team can assist Responsible Entities by offering a comprehensive program of capabilities that enables the achievement of NERC standards compliance in a cost-effective and timely manner. The spectrum of HCL services covers the complete gamut of standards CIP-002 through CIP-009, providing a robust solution to support robust and reliable operations of bulk electric systems. The approach and key activities are detailed below: each NERC requirement is followed by the corresponding HCL GRC capability and its deliverables.

CIP-002-1 Critical Cyber Asset Identification
  HCL GRC capability: Automated enterprise discovery of Critical Assets; Identification of critical assets by client and HCL SMEs who have qualified experience in grid analysis; Risk-based assessment, analysis & prioritization by application
  Deliverables: Inventory of Critical Cyber Assets; Risk library pertaining to cyber asset operations; Annual reviews

CIP-003-1 Management Control: Cyber Security Policy
  HCL GRC capability: Policy evaluation & analysis; Policy documentation
  Deliverables: Enhanced Cyber Security Policy for NERC compliance

CIP-003-1 Management Control: Leadership & Exceptions
  HCL GRC capability: Establishing a Security Program Management Office for compliance
  Deliverables: Established governance for NERC compliance management & reporting

CIP-003-1 Management Control: Information Protection
  HCL GRC capability: Catalogued information classification for Critical Cyber Assets; Defining access controls, encryption & disposal, printing and other tasks
  Deliverables: Information classification; Data security reference architecture; System security & disaster recovery plan

CIP-003-1 Management Control: Access Controls
  HCL GRC capability: Modeling for role-based access control for internet-facing systems and critical backend solutions
  Deliverables: Access control policies

CIP-003-1 Management Control: Change Management
  HCL GRC capability: Establishing change management; Conducting impact analysis of changes (includes configuration); Enabling functional testing for changes; Review of corporate & process control networks (SCADA)
  Deliverables: Change Management & Control Process; Back-out Security Enforcement Policy

CIP-004-1 Personnel & Training: Awareness
  HCL GRC capability: Conduct security awareness evaluations & employee assertion program; Security awareness training plan development
  Deliverables: Security awareness report; Training roadmap

CIP-004-1 Personnel & Training: Training
  HCL GRC capability: Identification & deployment of role-based trainings
  Deliverables: Specific procedural training modules

CIP-004-1 Personnel & Training: Personnel Risk Assessment
  HCL GRC capability: Development of personal background check policies &
  Deliverables: Background check policy

CIP-005-1 Electronic Security Perimeter(s): Electronic Security Perimeter
  HCL GRC capability: Identification of control points, ports and services; Conduct vulnerability assessments & penetration testing
  Deliverables: Vulnerability & penetration assessment report; Remediation report

CIP-005-1 Electronic Security Perimeter(s): Electronic Access Controls
  HCL GRC capability: Development of authentication; Firewall audits; Log management & review; Real-time threat analysis through SOC (includes NIPS & HIPS)
  Deliverables: Firewall implementation; Authentication audit reports; Log review & reporting; Threat analysis report

CIP-005-1 Electronic Security Perimeter(s): Documentation Review & Maintenance
  HCL GRC capability: Documentation of all systems in Electronic Security Perimeters; Quarterly review of all documentation
  Deliverables: Documentation of network changes

CIP-006-1 Physical Security Program
  HCL GRC capability: Assessment of facilities' physical security; Assessment of the organization's physical security plan; Development of log & DVR retention policies; Physical security audits
  Deliverables: Physical security assessment report; Log retention & governance policies

CIP-007-1 System Security Management
  HCL GRC capability: Test evaluation for patch management, device management and anti-virus policies; Documentation for non-critical cyber asset policy; Creating an inventory of non-critical cyber assets; Policy documentation for malware and malicious software prevention; Documentation and enforcement of password management policy; Policy creation for disposal & redeployment of cyber assets; Establishing governance and org. structure for documentation & policy review
  Deliverables: Malicious software prevention policy; Test and controls for device management; Password policy; Asset disposal policy; Identity management process; Security incident management process; Documentation lifecycle process

CIP-008-1 Incident Reporting & Response Planning: Cyber Security Incident Management
  HCL GRC capability: Assessment of incident management; Business continuity plan; Documentation of business continuity plan; Testing of business continuity plan; Process for retention of incident logs
  Deliverables: Incident response plan; Business continuity test procedures

CIP-008-1 Incident Reporting & Response Planning: Cyber Security Incident Documentation
  HCL GRC capability: Process for retention of incident logs
  Deliverables: Log retention policy

CIP-009-1 Disaster Recovery: Recovery Plan, Backup & Testing
  HCL GRC capability: Identification & definition of action triggers, acceptable downtime service levels and acceptable data loss; Development of verification criteria &
  Deliverables: Disaster recovery plan; Backup & restore, back-up media; Test plan for backup storage

CIP-009-1 Disaster Recovery: Exercises
  HCL GRC capability: Conducting DR drills
  Deliverables: DR test report

Automated NERC Compliance Management: GRC Manager

Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Some of the most pervasive and difficult of these obstacles include:

- Multiple regulatory bodies and requirements
- High cost of defining controls
- High cost of demonstrating compliance
- Budget impacts of NERC and other regulatory efforts on the business
- Allocation of resources away from key business initiatives
- Difficulty with ongoing sustainability of ad-hoc compliance projects

In order to mitigate these challenges and offer streamlined sustenance for compliance, HCL has partnered with various GRC platform vendors and helps Energy & Utilities organizations establish an automated solution for an optimal blend of centralization, monitoring & reporting for effective oversight.
The GRC platform can also be used for implementing governance initiatives, such as programs for Standards of Conduct and Environmental Health and Safety (EH&S), through document control, compliance training and ongoing auditing, as well as recording and reporting of Federal Energy Regulatory Commission (FERC)-related violations or process nonconformance and the resulting corrective actions.

Some of the basic features of the automated GRC platform are as follows:

- Capturing, compiling & reporting compliance information
- Dynamic real-time analysis of risks & controls
- Single global repository for risks & controls
- Integrated industry-standard framework for control optimization
- Role-based dashboards that streamline decision making
- Integrated program resource management capabilities to manage control remediation
- Integration with enterprise business systems for audit evidence collection

A sample snapshot from the automated GRC platform is shown in Figure 1.

[Figure 1. Governance Risk and Compliance Platform]

Why choose HCL

- One-stop shop for all your information security & compliance needs
- Mature consulting framework with an integrated solution implementation methodology to reduce compliance cost
- Strong engineering and R&D practice with a focus on the Energy & Utilities vertical
- Expertise across all micro-verticals in Electric, Gas distribution, Water & Wastewater/Recycling utilities
- First in APAC and amongst only 9 companies in the world to receive Cisco's Master Security Certification
- Accredited by the Govt. of India CERT as a provider of Information Security Assessment Services
- Recognized by Gartner & NASSCOM for its information security strengths
- First Indian company to provide PCI ASV Vulnerability Management Services

- HCL is ranked as the No. 1 Security Services provider by Dataquest, V&D and Frost & Sullivan
- Experienced consultants with certifications such as CEH, GWAS, CISSP, CISA, CBCP, BS 25999 and ISO 27001
- Partnerships with leading security product and service vendors
- Technology labs in Identity and Access Management, Software Security, Security Testing, Networks and Systems

For further information on HCL GRC Consulting Services, or to have an HCL representative contact you, mail CFS-GRC-PMG@hcl.in or visit http://www.hclisd.com/governance-risk-compliance-consulting.aspx