Mapping Cybersecurity Programs to CIP Compliance Scott M. Baron Director – Digital Risk & Security Governance National Grid


Post on 18-Jan-2017


Mapping Cybersecurity Programs to CIP Compliance

Scott M. Baron, Director – Digital Risk & Security Governance

National Grid

Agenda

• Introductions
• Section 1: What is…
• Section 2: IT GRC Convergence Stages
• Section 3: Tools, Automation and Metrics
• Section 4: Building the Program
  – Establish Governance Body for IT
  – Supported Policies, Standards and Controls
  – Consistent Risk Analysis and Management
  – Single Empowered Compliance Team

INTRODUCTIONS

Mapping Cybersecurity Programs to CIP Compliance

Introductions

An Overview of National Grid

• National Grid is an international electricity and gas company and one of the largest investor-owned utilities in the world. We are the largest utility in the UK and the second-largest utility in the US, focused on delivering energy safely, reliably and efficiently.

• In the northeastern US we have electricity transmission systems and distribution networks that deliver electricity to 3.3 million customers.

• We own and operate generation stations with a total capacity of 6,650MW and provide services to the 1.1 million electricity customers of the Long Island Power Authority.

• We own gas storage facilities and provide natural gas to approximately 3.4 million customers.

Objectives

Mapping Cybersecurity Programs to CIP Compliance

This session will demonstrate how you can integrate the NERC CIP standards into an effective cybersecurity program. Key points include:

• Principles of an aligned and effective governance, risk and compliance program
• Evaluation of a risk-based vs. rules-based security program
• Effective use of a rules-based framework to support your cybersecurity program

IS Risk & Compliance Framework

Consolidated Controls Set

IS Risk Profile

Assurance

SECTION 1: WHAT IS…?

Mapping Cybersecurity Programs to CIP Compliance

What is… IT GRC

Source: Wikipedia


What is… IT Governance

• “… consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives”

Governance

Benefits of a well executed Governance Program

• IT investments that support business objectives
• Alignment of policy with business objectives
• Effective use of resources
• Consistency in decisions and enforcement
• Collaboration breeds support

What is… IT Risk

• Risk Management is the process by which an organization sets the risk appetite, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.

Risk

Benefits of a well executed Risk Program

• Clearly demonstrate the corporation's current risk profile
• Transparency allows management to make informed business decisions
• Establishes a risk tolerance / appetite for the business
• Clear definition of roles and responsibilities related to IT risks
• Aligns with enterprise risk management (ERM)

What is… IT Compliance

• Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies


Compliance

Benefits of a well executed Compliance Program

• Provide assurance to stakeholders that policies are enforced and standards are in place
• Develop a clear understanding of internal processes
• Efficient response to regulatory requirements
• Focused effort on identifying and resolving policy deficiencies
• Provide validation for the risk profile

Section Recap

• Key takeaways:
  – Governance, Risk and Compliance programs are interrelated
  – Roles and Responsibilities for GRC tasks must be defined

SECTION 2: IT GRC CONVERGENCE STAGES

Mapping Cybersecurity Programs to CIP Compliance

Stage 1: Silo Compliance

• Access and Identity Management
• Threat and Vulnerability Management
• Policy / Standard Creation
• Compliance Enforcement

• Perimeter Security
• Incident Response
• Policy / Standard Creation
• Compliance Enforcement

• Project Methodology
• Project Risk
• Policy / Standard Creation
• Compliance Enforcement


Stage 2: Regulatory Compliance

Regulatory Compliance Team

• Sarbanes-Oxley
• PCI-DSS
• HIPAA
• GLBA
• NERC


Stage 3: Converged IT GRC

• Common Policy / Controls
• IT Compliance Enforcement
• Risk Management


Section Recap

• Key takeaways:
  – Three stages of IT GRC
  – Nearly all organizations have a GRC program in varying stages… but may not realize it
  – Work within your own company processes

SECTION 3: TOOLS, AUTOMATION AND METRICS

Mapping Cybersecurity Programs to CIP Compliance

Tools, Automation and Metrics

GRC Suite

• SharePoint
• WebSphere
• Workflow tools

• Tripwire (Open Source or Commercial)
• Snort

• SharePoint
• WebSphere
• Workflow tools

• MS Excel
• CIS Audit Tools
• Nessus / Microsoft


Section Recap

• Key takeaways:
  – No single tool will fill all GRC requirements; it is important to focus on interoperability
  – Other useful resources are available free or nearly free on the Internet

SECTION 4: BUILDING THE PROGRAM

Mapping Cybersecurity Programs to CIP Compliance

Building the Program

ESTABLISH A GOVERNANCE BODY FOR IT

GRC in a Bag: Building a Complete GRC Program Utilizing ISACA Resources

Establish a Governance Body for IT

Resources

• ITGI Documents
  – IT Governance Domain Practices and Competencies Series
    • Information Risks: Whose Business Are They?
    • Optimising Value Creation From IT Investments
    • Measuring and Demonstrating the Value of IT
    • Governance of Outsourcing
    • IT Alignment—IT Strategy Committees
  – Board Briefing on IT Governance
  – Information Security Governance: Guidance for Boards and Executive Management
  – IT Governance Global Status Report

• ISACA
  – Implementing and Continually Improving IT Governance
  – Val IT Framework

SUPPORTED POLICIES, STANDARDS AND CONTROLS

Mapping Cybersecurity Programs to CIP Compliance

Policy Consolidation / Mapping

Policy Creation / Mapping

Standards, Controls, Risks and Tests

Resources

• CobiT
  – CobiT Mapping Series
  – CobiT Quickstart, 2nd Edition
  – CobiT Security Baseline, 2nd Edition
  – IT Assurance Guide: Using CobiT

• Compliance / Regulatory Frameworks
  – PCI DSS
  – NIST 800-53
  – ISO 27001 / 27002

• Unified Compliance Framework
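The "Policy Consolidation / Mapping" and "Standards, Controls, Risks and Tests" slides describe a consolidated controls set: one internal control is mapped to the requirements of several frameworks (NERC CIP, PCI DSS, NIST 800-53, ISO 27001), each control is verified by tests, and the test results feed both the compliance view and the IS risk profile. The following Python is an added example of that data model, not code from the presentation or from National Grid. All control identifiers, requirement labels (such as "CIP-R1"), asset names and test results are constructed for illustration and do not correspond to real clause numbers.

```python
"""Consolidated controls set: map one control to many framework requirements,
roll up test results per control, and report gaps and requirement status.
All identifiers and sample data below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One control in the consolidated set and the external requirements it satisfies."""
    control_id: str
    title: str
    mappings: dict  # framework name -> list of requirement labels (constructed labels)


@dataclass(frozen=True)
class TestResult:
    """Outcome of testing one control on one asset (constructed sample data)."""
    control_id: str
    asset: str
    passed: bool


# Constructed consolidated controls set. Requirement labels are placeholders,
# not real NERC CIP / PCI DSS / NIST / ISO clause numbers.
CONTROLS = [
    Control("C-01", "Security patches evaluated and applied on a fixed cadence",
            {"NERC CIP": ["CIP-R1"], "PCI DSS": ["PCI-R1"], "NIST 800-53": ["NIST-R1"]}),
    Control("C-02", "Privileged and user accounts reviewed periodically",
            {"NERC CIP": ["CIP-R2"], "PCI DSS": ["PCI-R2"], "NIST 800-53": ["NIST-R2"]}),
    Control("C-03", "Security events logged and reviewed",
            {"NERC CIP": ["CIP-R3"], "NIST 800-53": ["NIST-R3"]}),
    Control("C-04", "Incident response plan maintained and exercised",
            {"NERC CIP": ["CIP-R4"], "ISO 27001": ["ISO-R1"]}),
]

# Constructed requirement list for one framework, used for gap analysis.
NERC_CIP_REQUIRED = ["CIP-R1", "CIP-R2", "CIP-R3", "CIP-R4", "CIP-R5"]

# Constructed test results; C-04 has not been tested at all.
RESULTS = [
    TestResult("C-01", "ems-hist-01", True),
    TestResult("C-01", "ems-app-02", False),
    TestResult("C-02", "ad-dc-01", True),
    TestResult("C-03", "siem-01", True),
]


def coverage(controls, framework):
    """Map each requirement of `framework` to the ids of the controls that satisfy it."""
    cov = defaultdict(set)
    for c in controls:
        for req in c.mappings.get(framework, []):
            cov[req].add(c.control_id)
    return dict(cov)


def gaps(controls, framework, required):
    """Requirements of `framework` that no control in the consolidated set maps to."""
    return sorted(set(required) - set(coverage(controls, framework)))


def control_status(controls, results):
    """Roll up test results per control: 'pass' only if tested and every asset passed."""
    by_control = defaultdict(list)
    for r in results:
        by_control[r.control_id].append(r)
    status = {}
    for c in controls:
        outcomes = by_control.get(c.control_id, [])
        if not outcomes:
            status[c.control_id] = "untested"
        elif all(r.passed for r in outcomes):
            status[c.control_id] = "pass"
        else:
            status[c.control_id] = "fail"
    return status


def requirement_status(controls, results, framework):
    """Status per mapped requirement: 'fail' if any supporting control fails,
    'untested' if none of them was tested, otherwise 'pass'."""
    cstat = control_status(controls, results)
    out = {}
    for req, control_ids in coverage(controls, framework).items():
        states = {cstat[cid] for cid in control_ids}
        if "fail" in states:
            out[req] = "fail"
        elif states == {"untested"}:
            out[req] = "untested"
        else:
            out[req] = "pass"
    return out


def affected_requirements(controls, control_id):
    """Every external requirement one control's test feeds ('test once, report many')."""
    for c in controls:
        if c.control_id == control_id:
            return {fw: sorted(reqs) for fw, reqs in c.mappings.items()}
    raise KeyError(control_id)


def failing_assets(results):
    """Assets with at least one failed control test, as input to the IS risk profile."""
    return sorted({r.asset for r in results if not r.passed})


if __name__ == "__main__":
    print("NERC CIP gaps:", gaps(CONTROLS, "NERC CIP", NERC_CIP_REQUIRED))
    print("Control status:", control_status(CONTROLS, RESULTS))
    print("NERC CIP status:", requirement_status(CONTROLS, RESULTS, "NERC CIP"))
    print("C-01 feeds:", affected_requirements(CONTROLS, "C-01"))
    print("Assets in risk profile:", failing_assets(RESULTS))
```

The design point is the one the slides make about convergence: a single failed patch test on one asset (C-01 on ems-app-02) is reported once and automatically marks the mapped NERC CIP, PCI DSS and NIST 800-53 requirements as failing, while a requirement with no mapped control (CIP-R5) surfaces as a gap in the controls set rather than being silently missed.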

CONSISTENT RISK ANALYSIS & MANAGEMENT

GRC in a Bag: Building a Complete GRC Program Utilizing ISACA Resources

Consistent Risk Analysis & Management

• Risk Governance (RG)
  – Establish and Maintain a Common Risk View
  – Integrate with Enterprise Risk Management (ERM)
  – Make Risk-aware Business Decisions

• Risk Evaluation (RE)
  – Collect Data
  – Analyze Risk
  – Maintain Risk Profile

• Risk Response (RR)
  – Articulate Risk
  – Manage Risk
  – React to Events

Resources

• Risk IT
  – Risk IT Framework
  – Risk IT Practitioners Guide (and toolkit)

• COSO
  – COSO Enterprise Risk Management Framework

• ISO
  – ISO 31000 – Risk Management – Principles and Guidelines

SINGLE EMPOWERED IT COMPLIANCE TEAM

GRC in a Bag: Building a Complete GRC Program Utilizing ISACA Resources

Single Empowered IT Compliance Team

• More than just regulatory compliance, this team must be able to partner with Governance and Risk to build a corporate risk profile
  – Identifying compliance-related risks and threats
  – Performing compliance-based risk assessments
  – Working with end users and enterprise legal and compliance departments to identify IT-specific risks, end-user risks and enterprise risks that IT can assist in mitigating
  – Designing compliance-friendly systems and applications
  – Monitoring changes in legislation, regulations, rulings and court orders that may impact the way risks are addressed by the enterprise and by IT security
  – Considering the regulatory compliance issues inherent in the introduction of new technology, processes or applications

Resources

• IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals

• ITAF: A Professional Practices Framework for IT Assurance

Objectives

Learning Objectives for this presentation:

• Discuss the function and interrelation of governance, risk and compliance

• Utilize ISACA and other resources to create policies, standards and controls

• Show mapping between industry regulations and policies, standards and controls

• Demonstrate how GRC can be implemented in a company

Thank you

Scott M. Baron
Director – Digital Risk & Security Governance
National Grid
Email: [email protected]