In this webinar, ICF International experts discuss the increased focus on "internal controls" for North American Electric Reliability Council (NERC) compliance, the importance of internal controls, and what moving to an internal controls-based approach means for the energy industry. The discussion addresses questions such as:
* What are internal controls?
* What are the advantages of adopting an internal controls approach for CIP?
* What should I do to prepare?
* What are some pitfalls to avoid?
* What should an end state look like?
With the Reliability Assurance Initiative (RAI), NERC is increasing reliance on the ongoing internal controls operations for registered entities, an approach expected to continue throughout the implementation of the newly approved Version 5 of Critical Infrastructure Protection (CIP) standards. The adoption of internal controls and related testing methodologies should reduce audit preparation activities and assist companies to manage, maintain, and improve reliability and NERC compliance.
NERC CIP: Manage, Maintain, and Improve Compliance with Internal Controls
1. Welcome to Today's Webinar:
NERC CIP – Manage, Maintain & Improve Compliance with Internal Controls
Tuesday, January 14, 2014
11:30 a.m. EST
Sid Shaffer, Senior Manager
Robert Janusaitis, Senior Manager
icfi.com |
1
2. NERC RAI – Expected Aspects
• RAI - Reliability Assurance Initiative
  – NERC change in compliance strategy
• Shift away from the "Zero Tolerance" towards "Risk Based" approach
• Fully implemented by 2016
  – Similar to the enforcement timeline for v5 of CIP
• Use of traditional audit approaches (i.e. GAGAS, IIA)
• Greater focus on matters of greater risk (Serious & Substantial)
• Larger emphasis on internal controls
3. Our RAI Audit Experience
• RAI is a good thing
• Two week onsite audit was completed in 2.5 days
• How did we get there?
  – Committed client team
  – Controls based approach & Gap Analysis well before audit date
    • Time to properly remediate concerns
  – Use of Internal Controls concepts made evidence generation more efficient
    • Blue Text
    • Attachment C
    • RSAWs well written
  – Mock Audit to prepare SMEs
  – Open and honest communication with audit team
• RAI is not in its "final" state – closely watch this develop
4. Internal Controls Components
Control Environment
  – Sets tone of organization - influencing control consciousness of its people.
  – Factors include integrity, ethical values, competence, authority, responsibility.
  – Foundation for all other components of control.
Risk Assessment
  – Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives - forming the basis for determining control activities.
Control Activities
  – Policies/procedures that ensure management directives are carried out.
  – Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and SOD.
Information and Communication
  – Pertinent information identified, captured and communicated in a timely manner.
  – Access to internal and externally generated information.
  – Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Monitoring
  – Assessment of a control system's performance over time.
  – Combination of ongoing and separate evaluation.
  – Management and supervisory activities.
  – Internal audit activities.
All five components must be in place for a control to be effective.
Source: COSO Internal Control - Integrated Framework
5. Controls
• Definition
  – control noun, often attributive : an action, method, or law that limits the amount or growth of something. (Merriam-Webster.com)
  • i.e. limit the amount of risk
• Everyday Examples of Controls
  – Locking your vehicle when you park
  – Assigning a passcode to your ATM
  – Inspecting lawnmower (or other equipment) for damage or defect
  – Reviewing a bank statement for unauthorized transactions
• Controls are not always a "hindrance"
  – A correctly designed and implemented control may actually help you go faster
  • i.e. brakes on a car
When an organization internalizes similar activities as part of an ongoing process, they become "internal controls"
6. Internal Controls
• Fundamental Concepts
  – Geared to the achievement of objectives in one or more categories – operations, reporting, and compliance
  – A process consisting of ongoing tasks and activities – a means to an end not an end in itself
  – Effected by people – not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
  – Able to provide reasonable assurance – but not absolute assurance, to an entity's senior management and board of directors
  – Adaptable to the entity structure – flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process
Source: COSO Internal Control - Integrated Framework, Executive Summary (May 2013)
7. Types of Internal Controls
• Preventative – Before
  – Controls designed to prevent event or reduce risk before occurrence
    • Policies and procedures
    • Training and education
    • Access Restrictions
• Detective – During
  – Controls designed to discover event or reduce risk during or after occurrence
    • Log reviews & analysis
    • Access reviews
    • Vulnerability Assessments
• Corrective – After
  – Controls designed to address or reduce risk after event occurrence or discovery
    • Firmware updates
    • Corrective Changes to access
    • Restoration from Backup
Controls may be more than one type: Anti Virus Software is typically all 3
8. Internal Controls Example
• CIP-007 Controls
  – R6: Security Status Monitoring – The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security
• Preventative Controls:
  – Policy and procedures
  – Training
  – Configuration standards defined & implemented
• Detective Controls:
  – Alerts to potential events via email
  – Event analysis
• Corrective Controls:
  – Manual or automatic shut down of affected IP addresses, ports, or services
9. Internal Control Benefits
• Improved detection of control deficiencies
• Increased confidence in overall compliance
• Efficiency opportunities – address multiple compliance objectives at once
• Potential for reduced penalties for violations¹
• Provides for increased accountability and greater oversight
• Allows for more efficient resource utilization
  – Proactive vs. Reactive
• From NERC RAI Q&A V1:
  – Future audits could evaluate and test an entity's internal controls with a reduced focus on the traditional audit
  – Potential reduction in audit preparation activities
  – Effective internal controls can support a determination of reduced control risk for the entity
¹ Source: NERC: Internal Controls; Their Role in Electric Reliability, and Effects on Compliance Monitoring (September 18, 2012)
10. Applying Internal Controls Program to NERC & NERC CIP
• Not a "Silver Bullet" to solve compliance
• Review existing processes, procedures and policies to determine if they facilitate compliance with the Reliability Standards
• Document current internal controls to verify against a framework
  – such as COSO
• Maintain a process for corrective action
• Identify accountable parties / Establish a command structure
• Catalogue and document controls
• Develop process for regular review and improvement of control environment
11. Internal Controls Program
• Management Controls Program should be able to:
  – Accurately log what has occurred
  – Maintain records of what has been done
  – Aggregate similar problems
  – Produce evidence to substantiate not only what you SAY happened, but evidence what ACTUALLY happened
    • Forms vs. System Logs
• Controls in an Internal Controls Program are:
  – Defined & Documented
    • All 8 control components defined
  – Assigned
  – Performed
  – Monitored
12. Monitor the Controls
• Reasons to Test
  – Ready for self certifications
  – Audit preparedness
  – Reduce risk of non-compliance
  – Great way to capture lessons learned and best practices
• Testing considerations
  – Use Test plans (scripts)
  – Select a sampling methodology
  – Test DESIGN and EFFECTIVENESS
  – Develop a schedule
  – Adjust testing focus based on Risk, Past Issues, Industry Concerns, etc.
• Capture and share lessons learned and best practices
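The following is an added illustration, not part of the ICF deck: a small test-of-effectiveness script for the CIP-007 R6 detective control described on slide 8 (security event logging with e-mail alerts), written the way slide 12 suggests (a scripted test plan, a repeatable sampling methodology, a pass/fail result that can be kept as evidence). The asset list, event log, alert log and the 15-minute alerting window are all constructed assumptions.

```python
import random
from datetime import datetime, timedelta

# Constructed sample data (not from the slides): Cyber Assets inside the ESP,
# the security events each one logged, and the alerts the monitoring tool sent.
ASSETS = ["rtu-01", "hmi-02", "hist-03", "eap-fw-04", "srv-05"]
EVENTS = [  # (asset, timestamp, event type)
    ("rtu-01", "2014-01-06T02:10:00", "login_failure"),
    ("rtu-01", "2014-01-06T02:11:00", "login_failure"),
    ("hmi-02", "2014-01-08T14:00:00", "malware_detected"),
    ("hist-03", "2014-01-09T09:30:00", "login_failure"),
    ("eap-fw-04", "2014-01-10T18:45:00", "config_change"),
    # srv-05 logged nothing in the period: the logging control is not operating on it
]
ALERTS = [  # (asset, timestamp) e-mail alerts raised by the monitoring tool
    ("rtu-01", "2014-01-06T02:12:00"),
    ("hmi-02", "2014-01-08T14:03:00"),
    # hist-03's login failure never produced an alert: an alerting control gap
    ("eap-fw-04", "2014-01-10T18:50:00"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def select_sample(assets, size, seed=7):
    """Sampling methodology: fixed-seed random sample so the test is repeatable."""
    return sorted(random.Random(seed).sample(assets, size))

def evaluate_cip007_r6(assets, events, alerts, sla_minutes=15):
    """Test of effectiveness: did every asset log security events in the period,
    and was every event followed by an alert within the (assumed) SLA window?
    Returns {asset: [issue, ...]}; an empty list means the control operated."""
    findings = {}
    for asset in assets:
        asset_events = [e for e in events if e[0] == asset]
        asset_alerts = [parse(t) for a, t in alerts if a == asset]
        issues = []
        if not asset_events:
            issues.append("no security events logged in period")
        for _, ts, kind in asset_events:
            when = parse(ts)
            window_end = when + timedelta(minutes=sla_minutes)
            if not any(when <= al <= window_end for al in asset_alerts):
                issues.append(f"{kind} at {ts} not alerted within {sla_minutes} min")
        findings[asset] = issues
    return findings

def control_effective(findings):
    """Overall conclusion for the test script: effective only with no exceptions."""
    return not any(findings.values())

if __name__ == "__main__":
    result = evaluate_cip007_r6(select_sample(ASSETS, 3), EVENTS, ALERTS)
    for asset, issues in result.items():
        print(asset, "OK" if not issues else "; ".join(issues))
    print("CIP-007 R6 monitoring control effective:", control_effective(result))
```

Because the output is derived from system logs rather than a filled-in form, the exceptions it lists are the kind of evidence slide 11 contrasts with what the entity merely says happened.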
13. Example of an End State
• Manage
  – Holistic corporate controls framework covers areas of business risk (including NERC)
    • Reduces redundancy (could apply to NERC, SOX, other compliance efforts)
• Maintain
  – Ongoing operation of internal controls will ensure that compliance is maintained
• Improve
  – Reviewing & Revising steps to ensure internal controls are effective will continuously improve the compliance efforts
  – Corrective actions taken as a result of ongoing monitoring of the control environment will improve overall risk profile
14. Questions, Contact Information
• ICF offers the following cyber security services:
  – Regulatory Monitoring and Policy Support
  – Compliance Program Evaluation
  – Compliance Assessments and Mock Audits
  – Cybersecurity Readiness
  – Mitigation and Implementation
  – Internal Controls and Audit Programs
  – Training
  – Managed Services
• Familiar with multiple frameworks and methodologies
  – NERC CIP
  – NRC 5.71 and NEI 08-09
  – NIST 800-53 and NISTIR-7628
  – COBIT
  – ISO17799/BS7799
  – ES-C2M2
  – COSO
Contact Information:
Sid Shaffer, Senior Manager
Sid.Shaffer@icfi.com
+1.713.445.2019
Michael Sanchez, VP
Michael.Sanchez@icfi.com
+1.713.445.2002
Editor's Notes
The evolution of the CMEP program towards the RAI program often draws parallels to the SOX audit maturation progression (by Charles Berardesco, NERC Senior VP & General Counsel): one away from testing everything, towards a greater reliance on management's attestation of the controls and a more reasoned testing approach thereof. However, practical application involves a bit of "reading the tea leaves, looking into the crystal ball".
Shift away from the "Zero Tolerance" method of prior monitoring and enforcement towards a more "Risk Based" approach.
Expected to use foundational audit approaches presented by: Generally Accepted Government Auditing Standards (GAGAS), Institute of Internal Auditors (IIA).
Expected to be fully implemented by 2016. Similar to the enforcement timeline for v5 of the CIP standards.
Expected to place a greater focus on matters of greater risk (Serious & Substantial) and provide an alternate path forward for items that are deemed lesser risk (Moderate and Minor).
Expected to place a larger emphasis on internal controls and provide a synergy between internal controls and the monitoring and enforcement process.
Attachment C used by RFC, SERC, and others. RSAW well written = Clear & Concise, just the facts.
Uncertainty around practical application of RAI: "Serious & Substantial Risk" not yet defined; "Successful Internal Compliance Program" not yet defined; lots of currently moving parts – don't know how they will all fit together: Find, Fix, Track & Report process (FFT); "Identify, Assess, & Correct" (IAC) language in CIP v5 (and elsewhere).
FERC Order of 11/22/2013 directs NERC to remove IAC language included in 17 requirements of CIP v5 and submit a proposal to address it within 1 year. Also details the need to distinguish a "Successful Internal Compliance Program" from one that is inadequate.
Either way, Internal Controls Programs will be the future. Adopting a comprehensive controls approach now will address ambiguity in the IAC language or other uncertainties, as it provides a stable platform from which to address risk.
Lots of Complexity / Things to think about. For NERC RAI, focus is primarily on the Control Activity & Monitoring components. Both the IIA and GAGAS endorse the COSO framework, which aligns with the NERC Rules of Procedure, Appendix 4C (CMEP) §3.1.
CIP-007 example of a detective control might be: a "central" logging mechanism and transmission to a third-party service for the aggregation and analysis of security logs.
Improved detection = Allows quicker response.
NERC has said they are not asking management to reinvent their management practices. Merely taking inventory of those management practices already in place may address much of what is being asked for. Process for corrective action = "Corrective Action Program".
Without testing DESIGN, controls can atrophy / become irrelevant. TEST OF EFFECTIVENESS.