In this webinar, ICF International experts discuss the increased focus on "internal controls" for North American Electric Reliability Council (NERC) compliance, the importance of internal controls, and what moving to an internal controls-based approach means for the energy industry. The discussion addresses questions such as: *What are internal controls? *What are the advantages of adopting an internal controls approach for CIP? *What should I do to prepare? *What are some pitfalls to avoid? *What should an end state look like? With the Reliability Assurance Initiative (RAI), NERC is increasing reliance on the ongoing internal controls operations for registered entities, an approach expected to continue throughout the implementation of the newly approved Version 5 of Critical Infrastructure Protection (CIP) standards. The adoption of internal controls and related testing methodologies should reduce audit preparation activities and assist companies to manage, maintain, and improve reliability and NERC compliance.

1. Welcome to Today’s Webinar:
NERC CIP – Manage, Maintain & Improve
Compliance with Internal Controls
Tuesday, January 14, 2014
11:30 a.m. EST
Sid Shaffer, Senior Manager
Robert Janusaitis, Senior Manager
icfi.com |
1

2. NERC RAI – Expected Aspects
• RAI - Reliability Assurance Initiative
– NERC change in compliance strategy
• Shift away from the ―Zero Tolerance‖ towards ―Risk Based‖
approach
• Fully implemented by 2016
– Similar to the enforcement timeline for v5 of CIP
• Use of traditional audit approaches (ie GAGAS, IIA)
• Greater focus on matters of greater risk
(Serious & Substantial)
• Larger emphasis on internal controls
icfi.com |
2

3. Our RAI Audit Experience
• RAI is a good thing
• Two week onsite audit was completed in 2.5 days
• How did we get there?
– Committed client team
– Controls based approach & Gap Analysis well before audit date
• Time to properly remediate concerns
– Use of Internal Controls concepts made evidence generation more
efficient
• Blue Text
• Attachment C
• RSAWs well written
– Mock Audit to prepare SMEs
– Open and honest communication with audit team
• RAI is not in its ‗final‘ state – closely watch this develop
icfi.com |
3

4. Internal Controls Components
Monitoring
Control Activities
 Assessment of a control system‘s
 Policies/procedures that ensure
performance over time.
management directives are
carried out.
 Combination of ongoing and
 Range of activities including
separate evaluation.
approvals, authorizations, verific
ations, recommendations, perfor
mance reviews, asset security
and SOD
 Management and supervisory
activities.
 Internal audit activities.
Information and Communication
Control Environment
 Pertinent information identified,
 Sets tone of organization-
captured and communicated in a
timely manner.
influencing control consciousness
of its people.
 Access to internal and externally
 Factors include integrity, ethical
generated information.
values, competence, authority, res
ponsibility.
 Flow of information that allows for
successful control actions from
instructions on responsibilities to
summary of findings for
management action.
 Foundation for all other
Risk Assessment
 Risk assessment is the
identification and analysis of
relevant risks to achieving the
entity‘s objectives-forming the
basis for determining control
activities.
components of control.
All five components must be in place
for a control to be effective.
Source: COSO Internal Control - Integrated Framework
icfi.com |
4

5. Controls
•
Definition
– control noun, often attributive : an action, method, or
law that limits the amount or growth of something.
(Merriam-Webster.com)
• i.e. limit the amount of risk
•
Everyday Examples of Controls
– Locking your vehicle when you park
– Assigning a passcode to your ATM
– Inspecting lawnmower (or other equipment) for
damage or defect
– Reviewing a bank statement for unauthorized
transactions
•
Controls are not always a “hindrance”
– A correctly designed and implemented control
may actually help you go faster
• i.e. brakes on a car
icfi.com |
When an organization
internalizes similar
activities as part of an
ongoing process, they
become “internal
controls”
5

6. Internal Controls
• Fundamental Concepts
– Geared to the achievement of objectives in one or more categories –
operations, reporting, and compliance
– A process consisting of ongoing tasks and activities – a means to an
end not an end in itself
– Effected by people – not merely about policy and procedure manuals,
systems, and forms, but about people and the actions they take at every
level of an organization to effect internal control
– Able to provide reasonable assurance – but not absolute assurance, to
an entity‘s senior management and board of directors
– Adaptable to the entity structure – flexible in application for the entire
entity or for a particular subsidiary, division, operating unit, or business
process
Source: COSO Internal Control - Integrated Framework, Executive Summary (May 2013)
icfi.com |
6

7. Types of Internal Controls
•
Preventative — Before
– Controls designed to prevent event or reduce risk
before occurrence
• Policies and procedures
• Training and education
• Access Restrictions
•
Detective — During
– Controls designed to discover event or reduce risk
during or after occurrence
• Log reviews & analysis
• Access reviews
• Vulnerability Assessments
•
Corrective — After
– Controls designed to address or reduce risk after
event occurrence or discovery
• Firmware updates
• Corrective Changes to access
• Restoration from Backup
icfi.com |
Controls may be
more than one type
Anti Virus Software
is typically all 3
7

8. Internal Controls Example
•
CIP-007 Controls
– R6: Security Status Monitoring — The Responsible Entity shall ensure that all
Cyber Assets within the Electronic Security Perimeter, as technically feasible,
implement automated tools or organizational process controls to monitor system
events that are related to cyber security
•
Preventative Controls:
– Policy and procedures
– Training
– Configuration standards defined & implemented
•
Detective Controls:
– Alerts to potential events via email
– Event analysis
•
Corrective Controls:
– Manual or automatic shut down of affected
IP addresses, ports, or services
icfi.com |
8

9. Internal Control Benefits
•
•
•
•
•
•
Improved detection of control deficiencies
Increased confidence in overall compliance
Efficiency opportunities – address multiple compliance objectives at once
Potential for reduced penalties for violations1
Provides for increased accountability and greater oversight
Allows for more efficient resource utilization
– Proactive vs. Reactive
•
From NERC RAI Q&A V1:
– Future audits could evaluate and test an entity‘s internal controls with a
reduced focus on the traditional audit
– Potential reduction in audit preparation activities
– Effective internal controls can support a determination of reduced
control risk for the entity
1Source:
NERC: Internal Controls; Their Role in Electric Reliability, and Effects on Compliance Monitoring (September 18, 2012)
icfi.com |
9

10. Applying Internal Controls Program to NERC & NERC CIP
• Not a ―Silver Bullet‖ to solve compliance
• Review existing processes, procedures and policies to determine if
they facilitate compliance with the Reliability Standards
• Document current internal controls to verify against a framework
– such as COSO
•
•
•
•
Maintain a process for corrective action
Identify accountable parties / Establish a command structure
Catalogue and document controls
Develop process for regular review and improvement of control
environment
icfi.com |
10

11. Internal Controls Program
• Management Controls Program should be able to:
–
–
–
–
Accurately log what has occurred
Maintain records of what has been done
Aggregate similar problems
Produce evidence to substantiate not only what you SAY happened, but
evidence what ACTUALLY happened
• Forms vs. System Logs
• Controls in an Internal Controls Program are:
– Defined & Documented
• All 8 control components defined
– Assigned
– Performed
– Monitored
icfi.com |
11

12. Monitor the Controls
• Reasons to Test
–
–
–
–
Ready for self certifications
Audit preparedness
Reduce risk of non-compliance
Great way to capture lessons learned and best practices
• Testing considerations
–
–
–
–
–
Use Test plans (scripts)
Select a sampling methodology
Test DESIGN and EFFECTIVENESS
Develop a schedule
Adjust testing focus based on Risk, Past Issues, Industry Concerns, etc.
• Capture and share lessons learned and best practices
icfi.com |
12

13. Example of an End State
• Manage
– Holistic corporate controls framework covers areas of business risk
(including NERC)
• Reduces redundancy (could apply to NERC, SOX, other compliance efforts)
• Maintain
– Ongoing operation of internal controls will ensure that compliance is
maintained
• Improve
– Reviewing & Revising steps to ensure internal controls are effective will
continuously improve the compliance efforts
– Corrective actions taken as a result of ongoing monitoring of the control
environment will improve overall risk profile
icfi.com |
13

14. Questions, Contact Information
•
ICF offers the following cyber security services:
–
–
–
–
–
–
–
–
•
Regulatory Monitoring and Policy Support
Compliance Program Evaluation
Compliance Assessments and Mock Audits
Cybersecurity Readiness
Mitigation and Implementation
Internal Controls and Audit Programs
Training
Managed Services
Familiar with multiple frameworks and methodologies
–
–
–
–
–
–
–
icfi.com |
NERC CIP
NRC 5.71 and NEI 08-09
NIST 800-53 and NISTIR-7628
COBIT
ISO17799/BS7799
ES-C2M2
COSO
Contact Information:
Sid Shaffer,
Senior Manger
Sid.Shaffer@icfi.com
+1.713.445.2019
Michael Sanchez, VP
Michael.Sanchez@icfi.com
+1.713.445.2002
14