Add to collection(s) Add to saved
  1. Business
  2. Management

Compliance, audit, risk, security – what's the difference

Compliance, audit, risk, security – what’s the difference and why do we need it?
Presented By:
d
Sandy Bacik, Principal Consultant
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Agenda
f Defining compliance, audit, risk, and security
g
p
,
,
,
y
f What is the difference between them?
f Why do I need all four functions?
f Can I build one program that includes all these functions?
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Protecting Assets
Protecting Assets
f Consists of protection methods from liabilities (enterprise p
(
p
obligations)
– Information
– Contracts
– Personnel
– Systems
– Communications
© 2011 EnerNex. All Rights Reserved. www.enernex.com
3
Risk Triangle
Risk Triangle
Hardware and software is
replaceable it is not
replaceable,
customized
Hardware
Software
Data
People, Procedures, and
Facilities
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Data risk is larger, because it
takes much to recreate it
should something
g happen
pp
People are sometimes a
wildcard when dealing with
assets
Change Is a Constant
Change Is a Constant
f Threats
f Risks
f Privacy and invasive technology
y
gy
f Legislation
f All related to a degradation of trust
– Trust Degrades over time
– Trust provides value to information
T
id
l
i f
i
– Multi‐faceted – experience, referral, observation, communicative
© 2011 EnerNex. All Rights Reserved. www.enernex.com
What
What is due diligence?
is due diligence?
Such a measure of prudence, activity, or assiduity, as properly exercised by a reasonable and prudent man under the particular circumstances; not measured by any d h
i l i
db
absolute standard, but depending on the relative facts of the case.
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Governance
f Governance relates to decisions that define expectations, grant power or verify performance
grant power, or verify performance.
f It consists either of a separate process or of a specific part of management or leadership processes.
f The structure, oversight and management processes which ensure the delivery of the expected benefits of technology
ensure the delivery of the expected benefits of technology in a controlled way to help enhance the long term sustainable success of the enterprise.
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Enterprise
Enterprise Governance Architecture
Governance Architecture
f A business organization
A business organization’ss risk reduction style and risk reduction style and
methodology
f A business organization’s compliance and audit methodology
f Designed to protect the assets of an organization, where assets are defined as resources that provide value to the
assets are defined as resources that provide value to the organization
f Program that facilitates systematic business change by continually aligning security and technology investments and projects with business mission needs
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Convergence
Think about all areas, Think
about all areas
including the business processes, when developing asset protection.
Saves time in the future.
© 2011 EnerNex. All Rights Reserved. www.enernex.com
9
Risk
f Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of
prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities
pp
f Risks can come from uncertainty in project failures (at any phase in design, development, production, or sustainment life‐
cycles), legal liabilities, credit risk, accidents, natural causes and l ) l l li biliti
dit i k
id t
t l
d
disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root‐cause
© 2011 EnerNex. All Rights Reserved. www.enernex.com
10
Risk
f Risk management standards
– ISO/IEC Guide 73:2009 (2009)
ISO/IEC G id 73 2009 (2009)
– ISO/DIS 31000 (2009)
– NIST SP800‐30
NIST SP800‐30
© 2011 EnerNex. All Rights Reserved. www.enernex.com
11
Audit
f Internally and externally supported
y
y pp
f An evaluation of a person, organization, system, process, enterprise, project or product
f Audits are performed to ascertain the validity and reliability of information; also to provide an assessment of a system's internal control. The goal of an audit is to express an opinion g
p
p
of the person / organization / system (etc.) in question, under evaluation based on work done on a test basis.
f Very similar to a basic checklist
© 2011 EnerNex. All Rights Reserved. www.enernex.com
12
Compliance
f Internally and externally supported
f Conforming to a rule, such as a specification, policy, standard C f
i
l
h
ifi i
li
d d
or law
f Regulatory compliance describes the goal that the utility Regulatory compliance describes the goal that the utility
aspires to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations
f Due to the increasing number of regulations and need for h
b
f
l
d
df
operational transparency, organizations are increasingly p g
adopting the use of consolidated and harmonized sets of compliance controls. (This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources )
unnecessary duplication of effort and activity from resources.)
f Very similar to a basic checklist
© 2011 EnerNex. All Rights Reserved. www.enernex.com
13
Cybersecurity
f Internally and externally supported
f A measure of system’s ability to resist unauthorized attempts at usage or behavior modification, while still providing service to legitimate users.
service to legitimate users.
f The protection of data and systems
f Actions required to ensure freedom from danger and risk to the security of information in all its forms (electronic, physical), and the security of the systems and networks where information is stored, accessed, processed, and
where information is stored, accessed, processed, and transmitted (DoD)
© 2011 EnerNex. All Rights Reserved. www.enernex.com
All Comes Down To Asset Protection
All Comes Down To Asset Protection
Governance
Risk
Cybersecurity
Asset Asset
Protection
C
Compliance
li
© 2011 EnerNex. All Rights Reserved. www.enernex.com
A dit
Audit
How do we govern assets?
How do we govern assets?
f Administrative and managerial measures
f Physical
f Technical measures
© 2011 EnerNex. All Rights Reserved. www.enernex.com
How
How We Start (1)
We Start (1)
fIdentifying
– Assets
– Communications
– Architecture
– Industry policy, requirements, regulations
Industry policy requirements regulations
fPerform a risk assessment
– Evaluating on the acceptable level of risk
Evaluating on the acceptable level of risk
© 2011 EnerNex. All Rights Reserved. www.enernex.com
17
How
How We Start (2)
We Start (2)
fCompliance / Audit
fCompliance
/ Audit
– Controls
– Monitoring
– Ensure we meet the controls
fCybersecurity
– Controls – Monitoring
– Testing – penetration, vulnerability, assessments –
how well we meeting the controls
how well we meeting the controls
© 2011 EnerNex. All Rights Reserved. www.enernex.com
18
Governance
fThe protection of assets needs to have
fThe
protection of assets needs to have
– Risk
– Audit
– Compliance and
– Cybersecurity
fIn sourced and outsourced
fIn‐sourced and outsourced
© 2011 EnerNex. All Rights Reserved. www.enernex.com
19
5Ws
5Ws and 1H
and 1H
f “I keep six honest serving‐men (They taught me all I knew); Their names are What and Why
and When and How and Where
and Who.” –
d Wh ” Rudyard Kipling
R d d Ki li
f For example
– What ‐ Value
– What ‐ Goal
– How ‐ Function
– Degree Degree ‐ Metric
– Where ‐ Context
– When ‐ Time
– Who ‐
Wh Responsible
R
ibl
© 2011 EnerNex. All Rights Reserved. www.enernex.com
f Value – What kind of a structure
t t
f Goal – What is the goal
f Function – What does it do / have
f Metric – What does success mean
f Context –
Context – Where will the Where will the
structure be
f Time – What is the urgency
f Responsibility Responsibility – Who shall Who shall
build / who shall benefit
Assessing Example (1)
Assessing Example (1)
fRequirement:
– The SG system uniquely identifies and authenticates users (or processes acting on behalf ( p
g
of users). The SG system uses multifactor authentication for remote access to non‐
privileged accounts; local access to privileged accounts; and remote access to privileged accounts.
accounts
© 2011 EnerNex. All Rights Reserved. www.enernex.com
21
Assessing Example (2)
Assessing Example (2)
f The SG system uniquely y
q y
identifies and authenticates users (or processes acting on behalf of users) The SG
on behalf of users). The SG system uses multifactor authentication for remote access to non‐privileged accounts; local access to privileged accounts; and p
g
;
remote access to privileged accounts.
© 2011 EnerNex. All Rights Reserved. www.enernex.com
fRisk
– What SG systems require unique identification?
– What information is processed on the SG system?
– What risk does not having unique identification present?
– As we willing to accept the risk?
the risk?
22
Assessing Example (3)
Assessing Example (3)
f The SG system uniquely y
q y
identifies and authenticates users (or processes acting on behalf of users) The SG
on behalf of users). The SG system uses multifactor authentication for remote access to non‐privileged accounts; local access to privileged accounts; and p
g
;
remote access to privileged accounts.
© 2011 EnerNex. All Rights Reserved. www.enernex.com
fAudit
– List the ID on a SG system and determine if all the IDs unique and not shared?
– What about remote What about remote
access IDs?
– What are the privileged accounts and are they unique and not shared
– Show configuration file Show configuration file
on access
23
Assessing Example (4)
Assessing Example (4)
f The SG system uniquely y
q y
identifies and authenticates users (or processes acting on behalf of users) The SG
on behalf of users). The SG system uses multifactor authentication for remote access to non‐privileged accounts; local access to privileged accounts; and p
g
;
remote access to privileged accounts.
© 2011 EnerNex. All Rights Reserved. www.enernex.com
fCompliance
– How does the system conform to the requirement?
– Show configuration file(s)
– List the IDs and show separation of duties and look at ID descriptions
24
Assessing Example (5)
Assessing Example (5)
f The SG system uniquely y
q y
identifies and authenticates users (or processes acting on behalf of users) The SG
on behalf of users). The SG system uses multifactor authentication for remote access to non‐privileged accounts; local access to privileged accounts; and p
g
;
remote access to privileged accounts.
© 2011 EnerNex. All Rights Reserved. www.enernex.com
fCybersecurity
– Identify a SG system
– Select a non‐privileged id, privileged id, remote access id, local id
– Attempt to use the IDs Attempt to use the IDs
for proper and unauthorized use
25
Simplification
fWhat processes cross multiple assessments
fWhat
processes cross multiple assessments
fReporting into the same part of the organization ( p
(separation from operational functions)
p
)
fSplitting assessments between in‐sourced and outsourced engagements
g g
fKeep current evidence of assessments
fDetermine what best fit into the culture
© 2011 EnerNex. All Rights Reserved. www.enernex.com
26
Summary
f Discussed the merging of the risk, audit, compliance, i
d h
i
f h ik
di
li
security, and governance concepts
– To get a complete picture of asset protection the To get a complete picture of asset protection the
organization needs all the pieces
f How to simplify the processes
f Why a utility needs risk, audit, compliance, security, and governance programs implemented
© 2011 EnerNex. All Rights Reserved. www.enernex.com
EnerNex Cyber Security Offerings
EnerNex Cyber Security Offerings
f
f
f
f
f
f
f
f
f
f
Security Architecture and Policy Development
Utility Automation Security
NERC‐CIP
Hardware Embedded Security
Hardware Embedded Security
Security & Penetration Testing
Vulnerability Analysis
Risk Assessments
ik
Security Audit Development
Regulatory Compliance
Security Training
f Clients:
Clients: Consumers Energy, U.S Department of Energy, Duke Energy, Florida Power Consumers Energy, U.S Department of Energy, Duke Energy, Florida Power
& Light (FPL), Southern California Edison (SCE), Tennessee Valley Authority (TVA), TXU Energy
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Thank
Thank you for attending
you for attending
f Contact me: sandy.bacik@enernex.com
f Visit us on the web: www.enernex.com
Follow us on Twitter @ EnerNex
ll
i
@
Connect with us on LinkedIn
Subscribe to the EnerNex blog
© 2011 EnerNex. All Rights Reserved. www.enernex.com
Related documents
Jeremy Laundergan, EnerNex - Peak Load Management Alliance
Jeremy Laundergan, EnerNex - Peak Load Management Alliance
EnerNex PowerPoint Template
EnerNex PowerPoint Template
Coles Group - Institute of Public Utilities
Coles Group - Institute of Public Utilities
Impact of Non-Linear Loads on Wiring Requirements
Impact of Non-Linear Loads on Wiring Requirements
Discussion of Presenters for IEEE PES General Meeting - IEEE
Discussion of Presenters for IEEE PES General Meeting - IEEE
Grounding Task Force meeting_6_Minutes Jul-24
Grounding Task Force meeting_6_Minutes Jul-24
download/Silicon Valley ISSA meeting May 19
download/Silicon Valley ISSA meeting May 19
Risk management strategy - Leicestershire County Council
Risk management strategy - Leicestershire County Council
Community Initiative - RCCG Cornerstone Worship Center
Community Initiative - RCCG Cornerstone Worship Center
LGFMA Presentation - Internal Audit Program Model
LGFMA Presentation - Internal Audit Program Model
this File - SOCTEC1-EN
this File - SOCTEC1-EN
Download