© 2015 MetricStream, Inc. All Rights Reserved.
Explore the Implicit Requirements of the NERC CIP RSAWs
Karl Perman
VP Member Services
EnergySec
Shreyank Shrinath Kamat
Product Manager
MetricStream
Agenda
• RSAW format
• Implicit requirements of CIP RSAWs
• Leveraging technology for RSAW management
• Q&A
BACKGROUND
© 2015 Energy Sector Security Consortium, Inc. 3
RSAW Template
• Identifying Information
– Standard, Entity, Names of Auditors, etc.
• Applicability of Requirements by Functional Model
• Color-coded
– Fixed text, Entity-supplied information, Auditor-supplied information
• Findings
– Areas of Concern, Recommendations, Positive Observations
RSAW Template
• Entity’s Subject Matter Experts
• Requirement and Measures
• Questions
– Space for entity response, may reference other documents
• Compliance Narrative
• Evidence
– Documents and descriptions
• Guidance & Questions for Auditors
Standard Drafting Team
• CIP V5 Transition FAQ, Response to Comments
• “It is inappropriate to suggest that there is an implicit requirement or an inherent requirement that must be complied with as requirements can only be explicit.”
Actual Auditors
• Lew Folkerth, Reliability First
– SPP RE CIP Workshop, June 2, 2015
• http://www.spp.org/documents/28852/2015%20cip%20workshop%20materials.pdf
– RF Newsletter, Issue 3
• https://www.serc1.org/docs/default-source/outreach/communications/resource-documents/serc-transmission-reference/201507---st/cip-v5-rsaw---rf-newsletter-article.pdf?sfvrsn=2
• Kevin Perry, SPP
– CIP Compliance Workshop, June 3, 2015
• Wayne Lewis, NPCC
– CIP Compliance Seminar, 3/24/15
• https://www.npcc.org/Compliance/CIP%20Seminars/Spring%202015%20CIP-010-2.pdf
IMPLICIT REQUIREMENTS
Update Policies
• CIP-003-6
• Review and obtain CIP Senior Manager approval for policies
• “The SDT received comments that Requirements R1 and R2 require annual review of the policy, but never explicitly require the policy to receive updates as a result of that review. The SDT believes this is implicit in the Requirement, and updates would occur as part of an entity’s ongoing compliance with the Requirement.”
– http://www.nerc.com/pa/Stand/Project%20200806%20Cyber%20Security%20Order%20706%20DL/Consideration_of_Comments_to_draft_3_102612_final.pdf
Shared Compliance Responsibility
• Asset name or designation
• Formal agreement describing shared compliance responsibility
Classify assets
• CIP-002-5 requires entities to classify BES Cyber Systems
• A BES Cyber Asset will “adversely impact one or more Facilities, systems, or equipment”
• Classify assets as High, Medium, or Low; BCA are then the Cyber Assets that affect those assets, and they take their rating from the asset they affect
Cyber Assets
• CIP-002 never explicitly says to identify (list) Cyber Assets
– Need a list of Cyber Assets to show that all that should be BES Cyber Assets were identified as such
Identify PCA
• CIP-005-5 R1 Part 1.1
• Cyber Assets connected to a network via routable protocol shall reside within a defined ESP
– Applicable Systems
• PCA Associated with High or Medium Impact BCS
• Need to identify PCA
– Auditors will likely want to audit a sample of PCA, so you need a list of PCA
Verify PCA
• “After the ESP is defined, verify the ‘implied’ requirement of identifying any PCA within the ESP has been completed”
• Have a process
• Use that process
ESP Process
• “Verify the Responsible Entity has documented one or more process(es) which require all applicable Cyber Assets connected to a network via a routable protocol to reside within a defined ESP.”
– RSAW CIP-005-5
• “In order to verify that each Cyber Asset residing within a defined ESP has been identified as either a BES Cyber Asset or as a PCA, it may be necessary to examine the ESP and conduct an inventory of network connections within the ESP.”
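The Cyber Asset, PCA and ESP slides above all come down to one implicit list requirement: every routable Cyber Asset inside an ESP must be identified as a BCA or a PCA, and a PCA takes its rating from the BCS it shares the ESP with. The following check over a constructed inventory is an added example, not code from the presenters; asset names, ESP identifiers and the dataclass fields are assumptions made for illustration.

```python
# Added example: consistency check over a Cyber Asset inventory for the
# "implicit" CIP-002 / CIP-005 list requirements. Sample data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class CyberAsset:
    name: str
    esp: Optional[str]             # ESP the asset sits in; None = outside every ESP
    routable: bool                 # connected to a network via a routable protocol
    classification: Optional[str]  # "BCA", "PCA", or None when not yet identified
    impact: Optional[str] = None   # BCA impact rating; a PCA inherits its ESP's rating


def esp_ratings(assets: List[CyberAsset]) -> Dict[str, str]:
    """Highest impact rating among the BES Cyber Assets in each ESP.

    A PCA has no rating of its own: it is "associated with" the High or
    Medium Impact BCS whose ESP it shares, so it takes that rating.
    """
    ratings: Dict[str, str] = {}
    for a in assets:
        if a.esp and a.classification == "BCA" and a.impact in RANK:
            current = ratings.get(a.esp)
            if current is None or RANK[a.impact] > RANK[current]:
                ratings[a.esp] = a.impact
    return ratings


def audit_inventory(assets: List[CyberAsset]) -> Tuple[List[str], Dict[str, str]]:
    """Return (findings, pca_list).

    findings: one line per asset an auditor sampling the ESP would flag.
    pca_list: every identified PCA with its inherited impact rating, i.e. the
              list the slides say you need before the audit sample is drawn.
    """
    findings: List[str] = []
    pca_list: Dict[str, str] = {}
    ratings = esp_ratings(assets)

    for a in assets:
        if a.esp is None:
            # CIP-005-5 R1 Part 1.1: applicable Cyber Assets (High/Medium BCS and
            # their PCA) connected via routable protocol must reside in a defined ESP.
            if a.classification == "BCA" and a.routable and a.impact in ("High", "Medium"):
                findings.append(f"{a.name}: routable {a.impact} impact BCA outside any defined ESP")
            elif a.classification == "PCA":
                findings.append(f"{a.name}: identified as PCA but not within a defined ESP")
            continue

        if a.classification is None:
            # The inventory of network connections within the ESP turned up an
            # asset nobody has identified as either BCA or PCA.
            findings.append(f"{a.name}: inside {a.esp} but not identified as BCA or PCA")
        elif a.classification == "BCA" and a.impact not in RANK:
            findings.append(f"{a.name}: BCA in {a.esp} has no impact rating")
        elif a.classification == "PCA":
            rating = ratings.get(a.esp)
            if rating is None:
                findings.append(f"{a.name}: PCA in {a.esp}, but the ESP contains no rated BCA to inherit from")
            else:
                pca_list[a.name] = rating
    return findings, pca_list


# Constructed sample inventory: one control-centre ESP plus some field devices.
SAMPLE_INVENTORY = [
    CyberAsset("EMS-SRV-01", "ESP-A", True, "BCA", "High"),
    CyberAsset("EMS-HIS-01", "ESP-A", True, "PCA"),        # historian sharing the ESP
    CyberAsset("ESP-A-PRN-01", "ESP-A", True, None),       # printer found on the ESP segment
    CyberAsset("JUMP-01", "ESP-B", True, "PCA"),           # ESP with no BCA in it
    CyberAsset("RTU-17", None, True, "BCA", "Medium"),     # routable but outside any ESP
    CyberAsset("RTU-42", None, False, "BCA", "Medium"),    # serially connected: R1.1 not applicable
    CyberAsset("SUB-HMI-03", None, True, "BCA", "Low"),    # Low impact: no ESP required
    CyberAsset("LAB-PC-09", None, True, "PCA"),            # a PCA must live inside an ESP
]

if __name__ == "__main__":
    found, pcas = audit_inventory(SAMPLE_INVENTORY)
    print("\n".join(found) or "no findings")
    print("PCA list:", pcas)
```

Run against a real inventory export, the PCA list is the artifact to hand the auditor and the findings are the gaps to close before the audit sample is drawn.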
Transient Cyber Assets and Removable Media
• Evidence that Transient Cyber Assets and Removable Media have been connected for 30 calendar days or less
– Record of connection and disconnection
• Evidence they have been utilized as authorized
– Record who used them
– Record where used
– Record purpose
• Record of review of Transient Cyber Assets managed by third parties
• Record of Transient Cyber Asset patching if used to mitigate vulnerabilities
• Record of anti-malware signature file updates if used to mitigate introduction of malware
• Record of scans or other methods to detect and remove malicious code before introducing Removable Media into the Electronic Security Perimeter
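The evidence items above are only useful if someone actually reviews the connection records against them. The review below is an added example, not code from the presenters; the record fields, device names and the counting of the 30-day window as elapsed calendar days between connection and disconnection dates are assumptions, since the slide only says "30 calendar days or less".

```python
# Added example: review constructed Transient Cyber Asset / Removable Media
# connection records for the evidence items listed on the slide.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_DAYS = 30   # "connected for 30 calendar days or less"


@dataclass(frozen=True)
class ConnectionRecord:
    device: str
    connected: date
    disconnected: Optional[date]   # None while the device is still connected
    user: str = ""                 # who used it
    location: str = ""             # where it was used
    purpose: str = ""              # why it was used
    third_party: bool = False      # TCA managed by a vendor or contractor
    reviewed: bool = False         # third-party TCA review record exists


def review_connections(records: List[ConnectionRecord], as_of: date) -> List[str]:
    """One finding per missing or failing evidence item.

    Elapsed days are counted from the connection date to the disconnection
    date, or to `as_of` for a device that is still connected (assumption).
    """
    findings: List[str] = []
    for r in records:
        end = r.disconnected or as_of
        if end < r.connected:
            findings.append(f"{r.device}: disconnection {end} precedes connection {r.connected}")
            continue
        days = (end - r.connected).days
        if days > MAX_DAYS:
            state = "still connected" if r.disconnected is None else "connected"
            findings.append(f"{r.device}: {state} {days} calendar days, exceeds the {MAX_DAYS}-day limit")
        # Authorized-use evidence: who, where and why must all be recorded.
        missing = [name for name, value in (("user", r.user), ("location", r.location),
                                            ("purpose", r.purpose)) if not value]
        if missing:
            findings.append(f"{r.device}: authorized-use evidence missing {', '.join(missing)}")
        if r.third_party and not r.reviewed:
            findings.append(f"{r.device}: third-party managed TCA has no review record")
    return findings


# Constructed sample records; AS_OF is the day the review is run.
AS_OF = date(2015, 7, 20)
SAMPLE_RECORDS = [
    ConnectionRecord("LAPTOP-ENG-01", date(2015, 6, 1), date(2015, 6, 3),
                     "j.doe", "Substation 12", "relay settings upload"),
    ConnectionRecord("LAPTOP-ENG-02", date(2015, 5, 1), date(2015, 6, 5),
                     "a.roe", "Control centre", "firmware update"),       # 35 days
    ConnectionRecord("VENDOR-TAB-07", date(2015, 6, 10), None,
                     "vendor tech", "Plant A", "commissioning", third_party=True),  # open
    ConnectionRecord("USB-IMG-03", date(2015, 6, 15), date(2015, 6, 15),
                     "", "Substation 12", ""),                           # who and why missing
]

if __name__ == "__main__":
    for line in review_connections(SAMPLE_RECORDS, AS_OF):
        print(line)
```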
Configuration Change Management
• CIP-010-2 R1.4
– 1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
– 1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
– 1.4.3. Document the results of the verification.
• Should have test procedures documented
Test Configuration Changes
• CIP-010-2 R1.5
• Identify configuration of test environment
• Identify how test environment differs from production environment
– High Impact BCS
CIP-010-2
Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
• Document which identifies devices and configurations in a test environment
Leveraging Technology for RSAW management
Shreyank Shrinath Kamat
Product Manager
MetricStream
Key Components: NERC Compliance Management
A Robust & Flexible Information Model
Setup Content (CIP standards, requirements, controls etc.)
Structure a logical compliance hierarchy, including Areas of Compliance, Standards, Requirements, Controls and Assets.
Configure workflows for managing both internal and external standards, mapping regulations, developing controls, performing compliance audits, preparing and implementing action plans, and identifying and remedying issues.
Diagram: GRC Library linking Areas of Compliance, Standards, Requirements, Controls, Assets, and Questions and Procedures.
Update Content (Regulatory Changes)
Diagram: Regulatory Alert and Interpretation workflow: Create Channel, Subscribe Channel, Filter Alerts, Act on Alerts, Track Issues.
Test Cyber Security Management Controls
• Define and Manage Controls to protect Cyber Assets
• Manage Password Changes to CCAs
• Perform Control Assessments on a regular basis
• Control Tests to identify strength of controls
• Notifications to appropriate officers
• Logs and audit trail maintenance
• Equivalent to Self Correcting Process Improvement mentioned in Version 5
Issue Remediation
• Review & Approve Issues: review and approve issues that arise from tests, self-assessments and certifications.
• Create Remediation Plans: define one or more Action/Remediation plans.
• Implement Planned Actions: document the work done and results and send the implemented Actions for review and approval.
• Monitor & Approve Actions: monitor the status and progress of issues and implementation of remediation plans.
• Close Issue: close issues after all the action plan is implemented and approved.
Surveys and Certifications
• Create Questionnaire: create sections and add questions manually or from the GRC library under every questionnaire.
• Initiate Surveys or Certifications: initiate a Survey or a Certification by choosing a questionnaire and selecting respondents and approvers.
• File Responses: file responses or collaborate with other respondents for responses.
• Certify & Sign-Off: collate the Survey responses, approve and sign off the assessments and key compliance program data.
• Log Findings & Issues: add Findings/Issues to capture non-conformance.
RSAW Management
• Initiate Survey using in-built CIP questionnaires: select a CIP questionnaire and initiate a survey to one or more users.
• Record Responses: file responses or collaborate with other respondents for responses.
• Attach Evidence: attach evidence to the survey from the GRC library, from a previous survey or from the local system.
• Populate Survey Response into RSAW template: select the survey response and populate it in the in-built RSAW template.
• Generate RSAW: generate and download the completed RSAW in Word format for editing.
Enforce Policies to Effectively Manage Compliance
Diagram: policy lifecycle: Creation, Storage, Organization, Search; Creation, Review, Approval; Mapping to Risks and Controls; Alerts and Notifications; Awareness and Training; Tracking and Visibility.
• Policies & Procedures for implementing a physical security program
• Setting prerequisites for granting approvals, assigning work etc.
• Define methods, processes, and procedures for securing Cyber Assets & BES
Real time Monitoring and Reporting
• Risk Intelligence by Regulations & Critical Assets
• Track NERC version and Migration check
• Monitor NERC Compliance Audit Readiness
• Regulatory Filings, Certifications
Data Browser
MetricStream Advantage – NERC CIP Solution
• Best-in-class Governance, Risk and Compliance solutions provider
• Platform-based solution, with integrated risk, compliance, policy, issue and change management systems
• Experience in working with numerous electric utilities in the US, ranging from co-ops to investor-owned
• Built-in content with controls and industry best practices
• One-Click Automated RSAW generation: reduction in RSAW production times from weeks to just a few minutes or hours
• Real-time visibility into the business to avoid compliance concerns
About MetricStream
Vision: Integrated Governance, Risk and Compliance for Better Business Performance
Solutions
• NERC CIP Compliance
• Risk Management
• Business Continuity Management
• IT GRC
• Audit Management
• Supplier Governance
• Quality Management
• EHS & Sustainability
• Governance & Ethics
• Content and Training
Organization
• Over 1,800 employees
• Headquarters in Palo Alto, California, with offices worldwide
• Over 350 enterprise customers
• Privately held, backed by global leading VCs, Sage View Capital, Goldman Sachs
Differentiators
• Technology: GRC Platform, 9 Patents
• Breadth of Solutions: Single Vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com: Largest Compliance Portal on the Web
Partners
Q&A
Please submit your questions to the host by typing into the chat box on the lower right-hand portion of your screen.
Thank you for participating!
A copy of this presentation will be made available to all participants within the next 48 working hours.
For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars
Karl Perman
VP Member Services
EnergySec
Email: karl@energysec.org
Shreyank S. Kamat
Product Manager
MetricStream
Email: shreyank.kamat@metricstream.com
THANK YOU
Contact Us:
Website: www.metricstream.com | Email: webinar@metricstream.com
Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554

 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 
360 facility
360 facility360 facility
360 facility
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentation
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
SaaS System Validation, practical tips on getting validated for go-live and t...
SaaS System Validation, practical tips on getting validated for go-live and t...SaaS System Validation, practical tips on getting validated for go-live and t...
SaaS System Validation, practical tips on getting validated for go-live and t...
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust Principles
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
CA World 2014 - Monitoring Complex Networks
CA World 2014 - Monitoring Complex NetworksCA World 2014 - Monitoring Complex Networks
CA World 2014 - Monitoring Complex Networks
 
Brighttalk - Role of ChM in SI process(1)
Brighttalk - Role of ChM in SI process(1)Brighttalk - Role of ChM in SI process(1)
Brighttalk - Role of ChM in SI process(1)
 
NERC CIP - Top Testing & Compliance Challenges, How to Address Them
NERC CIP - Top Testing & Compliance Challenges, How to Address ThemNERC CIP - Top Testing & Compliance Challenges, How to Address Them
NERC CIP - Top Testing & Compliance Challenges, How to Address Them
 
Pre-Con Education: Effective Change/Configuration Management With CA Service...
Pre-Con Education: Effective Change/Configuration Management With CA Service...Pre-Con Education: Effective Change/Configuration Management With CA Service...
Pre-Con Education: Effective Change/Configuration Management With CA Service...
 
It32015 slides
It32015 slidesIt32015 slides
It32015 slides
 

Mais de EnergySec

Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityEnergySec
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsEnergySec
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...EnergySec
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherEnergySec
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherEnergySec
 
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...EnergySec
 
Sea Changes, Strategic Implications, Board Cyber Perspectives
Sea Changes, Strategic Implications, Board Cyber PerspectivesSea Changes, Strategic Implications, Board Cyber Perspectives
Sea Changes, Strategic Implications, Board Cyber PerspectivesEnergySec
 
Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityEnergySec
 
Open Platform for ICS Cybersecurity Research and Education
Open Platform for ICS Cybersecurity Research and EducationOpen Platform for ICS Cybersecurity Research and Education
Open Platform for ICS Cybersecurity Research and EducationEnergySec
 
CIP-014-1: Next Steps from an Auditor’s Perspective
CIP-014-1: Next Steps from an Auditor’s PerspectiveCIP-014-1: Next Steps from an Auditor’s Perspective
CIP-014-1: Next Steps from an Auditor’s PerspectiveEnergySec
 
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...EnergySec
 
Lessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorLessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorEnergySec
 
What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...EnergySec
 
Event Correlation Applications for Utilities
Event Correlation Applications for UtilitiesEvent Correlation Applications for Utilities
Event Correlation Applications for UtilitiesEnergySec
 

Mais de EnergySec (15)

Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With Scissors
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working Together
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each Other
 
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...
 
Sea Changes, Strategic Implications, Board Cyber Perspectives
Sea Changes, Strategic Implications, Board Cyber PerspectivesSea Changes, Strategic Implications, Board Cyber Perspectives
Sea Changes, Strategic Implications, Board Cyber Perspectives
 
Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid Security
 
Open Platform for ICS Cybersecurity Research and Education
Open Platform for ICS Cybersecurity Research and EducationOpen Platform for ICS Cybersecurity Research and Education
Open Platform for ICS Cybersecurity Research and Education
 
CIP-014-1: Next Steps from an Auditor’s Perspective
CIP-014-1: Next Steps from an Auditor’s PerspectiveCIP-014-1: Next Steps from an Auditor’s Perspective
CIP-014-1: Next Steps from an Auditor’s Perspective
 
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
 
Lessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorLessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy Sector
 
What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...
 
Event Correlation Applications for Utilities
Event Correlation Applications for UtilitiesEvent Correlation Applications for Utilities
Event Correlation Applications for Utilities
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Explore the Implicit Requirements of the NERC CIP RSAWs

  • 9. IMPLICIT REQUIREMENTS © 2015 Energy Sector Security Consortium, Inc. 9
  • 10. Update Policies • CIP-003-6 • Review and obtain CIP Senior Manager approval for policies • “The SDT received comments that Requirements R1 and R2 require annual review of the policy, but never explicitly require the policy to receive updates as a result of that review. The SDT believes this is implicit in the Requirement, and updates would occur as part of an entity’s ongoing compliance with the Requirement.” – http://www.nerc.com/pa/Stand/Project%20200806%2 0Cyber%20Security%20Order%20706%20DL/Consid eration_of_Comments_to_draft_3_102612_final.pdf © 2015 Energy Sector Security Consortium, Inc. 10
  • 11. Shared Compliance Responsibility • Asset name or designation • Formal agreement describing shared compliance responsibility © 2015 Energy Sector Security Consortium, Inc. 11
  • 12. Classify assets • CIP-002-5 requires entities to classify BES Cyber Systems • BES Cyber Asset will “adversely impact one or more Facilities, systems, or equipment” • Classify assets as High, Medium, or Low, and then BCA are those Cyber Assets which affect those assets, and take rating from the asset they effect © 2015 Energy Sector Security Consortium, Inc. 12
  • 13. Cyber Assets • CIP-002 never explicitly says to identify (list) Cyber Assets – Need list of Cyber Assets to show that all that should be BES Cyber Assets were identified as such © 2015 Energy Sector Security Consortium, Inc. 13
  • 14. Identify PCA • CIP-005-5 R1 Part 1.1 • Cyber Assets connected to network via routable protocol shall reside within a defined ESP – Applicable Systems • PCA Associated with High or Medium Impact BCS • Need to identify PCA – Auditors will likely want to audit a sample of PCA, so you need a list of PCA © 2015 Energy Sector Security Consortium, Inc. 14
  • 15. Verify PCA • “After the ESP is defined, verify the “implied” requirement of identifying any PCA within the ESP has been completed” • Have a process • Use that process © 2015 Energy Sector Security Consortium, Inc. 15
  • 16. ESP Process • “Verify the Responsible Entity has documented one or more process(es) which require all applicable Cyber Assets connected to a network via a routable protocol to reside within a defined ESP.” – RSAW CIP-005-5 • “In order to verify that each Cyber Asset residing within a defined ESP has been identified as either a BES Cyber Asset or as a PCA, it may be necessary to examine the ESP and conduct an inventory of network connections within the ESP.” © 2015 Energy Sector Security Consortium, Inc. 16
  • 17. Transient Cyber Assets and Removable Media • Evidence that Transient Cyber Assets and Removable Media have been connected for 30 calendar days or less – Record of connection and disconnection • Evidence they have been utilized as authorized – Record who used them – Record where used – Record purpose • Record of review of Transient Cyber Assets managed by third parties • Record of Transient Cyber Asset patching if used to mitigate vulnerabilities • Record of anti-malware signature file updates if used to mitigate introduction of malware • Record of scans or other methods to detect and remove malicious code before introducing Removable Media into the Electronic Security Perimeter © 2015 Energy Sector Security Consortium, Inc. 17
  • 18. Configuration Change Management • CIP-010-2 R1.4 – 1.4.1. Prior to the change, determine required cyber security controls in CIP‐005 and CIP‐007 that could be impacted by the change; – 1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and – 1.4.3. Document the results of the verification. • Should have test procedures documented © 2015 Energy Sector Security Consortium, Inc. 18
  • 19. Test Configuration Changes • CIP-010-2 R1.5 • Identify configuration of test environment • Identify how test environment differs from production environement – High Impact BCS © 2015 Energy Sector Security Consortium, Inc. 19
  • 20. © 2015 Energy Sector Security Consortium, Inc. Where technically feasible, for each change that deviates from the existing baseline configuration: 1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. • Document which identifies devices and configurations in a test environment 20 CIP-010-2
  • 21. © 2015 MetricStream, Inc. All Rights Reserved. Leveraging Technology for RSAW management Shreyank Shrinath Kamat Product Manager MetricStream
  • 22. © 2015 MetricStream, Inc. All Rights Reserved. Key Components: NERC Compliance Management
  • 23. © 2015 MetricStream, Inc. All Rights Reserved. A Robust & Flexible Information Model
  • 24. © 2015 MetricStream, Inc. All Rights Reserved. Setup Content (CIP standards, requirements, controls etc.) Structure a logical compliance hierarchy, including Areas of Compliance, Standards, Requirements, Controls and Assets. Configure workflows for managing both internal and external standards, mapping regulations, developing controls, performing compliance audits, preparing and implementing action plans, and identifying and remedying issues. GRC Library Standards Areas of Compliance ControlsAssets Questions and Procedures Requirements
  • 25. © 2015 MetricStream, Inc. All Rights Reserved. Update Content (Regulatory Changes) Regulatory Alert Interpretation Create Channel Subscribe Channel Filter Alerts Act on Alerts Track Issues
  • 26. © 2015 MetricStream, Inc. All Rights Reserved. Test Cyber Security Management Controls  Define and Manage Controls to protect Cyber Assets  Manage Password Changes to CCAs  Perform Control Assessments on regular basis  Control Tests to identify strength of controls  Notifications to appropriate officers  Logs and audit trail maintenance  Equivalent to Self Correcting Process Improvement mentioned in Version 5
  • 27. © 2015 MetricStream, Inc. All Rights Reserved. Issue Remediation Review & Approve Issues Create Remediation Plans Implement Planned Actions Monitor & Approve Actions Close Issue Review and Approve issues that arise from tests, self- assessments and certifications. Define one or more Action/Remediation plans to Document the work done and results and send the implemented Actions for review and approval. Monitor the status and progress of issues and implementation of remediation plans. Close issues after all the action plan is implemented and approved.
  • 28. © 2015 MetricStream, Inc. All Rights Reserved. Surveys and Certifications Create Questionnaire Initiate Surveys or Certifications File Responses Certify & Sign-Off Log Findings & Issues Create sections and add questions manually or from the GRC library under every questionnaire. Initiate a Survey or a Certification by choosing a questionnaire and selecting respondents and approvers. File responses or collaborate with other respondents for responses. Collate the Survey responses, Approve and sign-off the assessments and key compliance program data. Add Findings/Issues to capture non-conformance.
  • 29. © 2015 MetricStream, Inc. All Rights Reserved. RSAW Management
    – Process flow: Initiate Survey using built-in CIP questionnaires → Record Responses → Attach Evidence → Populate Survey Response into RSAW template → Generate RSAW
    – Select a CIP questionnaire and initiate a survey to one or more users.
    – File responses, or collaborate with other respondents on responses.
    – Attach evidence to the survey from the GRC library, from a previous survey, or from the local system.
    – Select the survey response and populate it into the built-in RSAW template.
    – Generate and download the completed RSAW in Word format for editing.
  • 30. © 2015 MetricStream, Inc. All Rights Reserved. Enforce Policies to Effectively Manage Compliance
    – Policy lifecycle areas: Creation, Storage, Organization, Search; Creation, Review, Approval; Mapping to Risks and Controls; Alerts and Notifications; Awareness and Training; Tracking and Visibility
    – Policies and procedures for implementing a physical security program
    – Setting prerequisites for granting approvals, assigning work, etc.
    – Define methods, processes, and procedures for securing Cyber Assets and the BES
  • 31. © 2015 MetricStream, Inc. All Rights Reserved. Real-time Monitoring and Reporting
    – Risk intelligence by regulations and critical assets
    – Track NERC version and migration check
    – Monitor NERC compliance audit readiness
    – Regulatory filings, certifications
  • 32. © 2015 MetricStream, Inc. All Rights Reserved. Data Browser
  • 33. © 2015 MetricStream, Inc. All Rights Reserved. MetricStream Advantage – NERC CIP Solution
    – Best-in-class Governance, Risk and Compliance solutions provider
    – Platform-based solution, with integrated risk, compliance, policy, issue and change management systems
    – Experience working with numerous electric utilities in the US, ranging from co-ops to investor-owned
    – Built-in content with controls and industry best practices
    – One-click automated RSAW generation: reduction in RSAW production times from weeks to just a few minutes or hours
    – Real-time visibility into the business to avoid compliance concerns
  • 34. © 2015 MetricStream, Inc. All Rights Reserved. About MetricStream
    – Vision: Integrated Governance, Risk and Compliance for Better Business Performance
    – Solutions: NERC CIP Compliance • Risk Management • Business Continuity Management • IT GRC • Audit Management • Supplier Governance • Quality Management • EHS & Sustainability • Governance & Ethics • Content and Training
    – Organization: Over 1,800 employees • Headquarters in Palo Alto, California, with offices worldwide • Over 350 enterprise customers • Privately held, backed by leading global VCs, Sage View Capital, Goldman Sachs
    – Differentiators: Technology – GRC Platform – 9 Patents • Breadth of Solutions – Single Vendor for all GRC needs • Cross-industry Best Practices and Domain Knowledge • ComplianceOnline.com – Largest Compliance Portal on the Web
    – Partners
  • 35. © 2015 MetricStream, Inc. All Rights Reserved. Q&A
    – Please submit your questions to the host by typing into the chat box on the lower right-hand portion of your screen.
    – Thank you for participating! A copy of this presentation will be made available to all participants within the next 48 working hours.
    – For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars
    – Karl Perman, VP Member Services, EnergySec. Email: karl@energysec.org
    – Shreyank S. Kamat, Product Manager, MetricStream. Email: shreyank.kamat@metricstream.com
  • 36. © 2015 MetricStream, Inc. All Rights Reserved. THANK YOU
    – Contact Us: Website: www.metricstream.com | Email: webinar@metricstream.com
    – Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554

Editor's Notes

  1. Might as well end the webinar, NERC said there’s no such thing.
  2. Example of
  3. Quote from Lew Folkerth at CIP Workshop, June 2, 2015
  4. No definition of "security control" has been offered. It is highly recommended that entities establish a list of the security controls they consider in scope for testing. This list of controls should be consulted when determining which controls could be adversely impacted by any proposed change.
  5. This can be used to more easily document the differences between the test environment and the production environment.