Drew Payne, CISA Corporate Security Senior Manager


Oregon Public Utility Commission - Cyber Security Workshop, June 28, 2018
Drew Payne, CISA, Corporate Security Senior Manager
CONFIDENTIAL

Planning – Policies and Standards

- Corporate Security Policy
- Business Continuity & Disaster Recovery Standard
- Business Continuity Program
- Identity Theft Prevention Program
- Cyber Security Controls Standard
- Cyber Security Controls Standard Manual
- Cyber Security Incident Response Standard
- Cyber Security Incident Response Plan
- Physical Event Reporting Standard
- Physical Access Standard
- Physical Security Program

IPC has a corporate security policy to oversee and respond to security-related issues arising in day-to-day operations. The policy requires the development of written standards and a training and awareness program.

Planning – Auditing

Audit Services – Idaho Power
- Operational audits: scope determined by the annual risk assessment process; approved by the Audit Committee of the Board of Directors
- Sarbanes-Oxley (SOX) audits: completed annually
- Critical Infrastructure Protection (CIP) audits: requested by the Regulatory Compliance group based on risk assessment
- WECC audits: completed every 3 years

Operational audits by year:
- 2016: Disaster Recovery Follow-Up; Desktop, Laptop, and Mobile Device Security: Boardvantage; Outage Management System: System Implementation; Desktop, Laptop, and Mobile Device Security: GOOD; Application Primary Service Level Accounts and MV90 Application Controls
- 2017: Network Administration and Security; IT Software License Guidelines Follow-Up; Records Management and Document Services; Corporate Security Program; HIPAA; HRIS
- 2018: AssetSuite/PeopleSoft Application Controls; SAP Application Controls; IT Software License Guidelines; Network Administration and Security; Records Management and Document Services; Disaster Recovery

SOX: ITSS, ITCM, ITCH, ITMO
CIP: internal review completed in 2017; WECC audit in 2018

Planning – DHS Interaction

Information received from:
- ICS-CERT
- US-CERT
- HSIN (Homeland Security Information Network)

Collaboration:
- Office of Infrastructure Protection
- Office of Intelligence and Analysis

Two IPC employees hold security clearances for classified briefings.

IPC receives information from DHS via ICS-CERT, US-CERT, and HSIN. We have partnerships with the Office of Infrastructure Protection and the Office of Intelligence and Analysis (Fusion Centers). Two individuals in the organization hold clearances for classified briefings.

Planning – Cyber Security Incident Response Plan (CSIRP)

- The CSIRP is reviewed and updated annually, and in the interim as necessary
- The CSIRP is exercised at least annually
- Testing typically involves other groups within IPC

Response & Recovery – CSIRP

- The CSIRP defines roles and responsibilities
- The Cyber Security Incident Response Team (CSIRT) includes:
  - Technologists
  - Management (middle and executive)
  - Legal
  - Corporate Communications
  - Human Resources
  - Compliance
  - Finance
  - Government entities (FBI, DHS, etc.)
- A CSIRT Lead is responsible for overseeing cyber security incident activities
- IPC is a member of EEI's Cyber Mutual Assistance Program

Standards – CIP Compliance

- Programs, standards, and policies and procedures are in place across IPC for the various CIP requirements to maintain compliance
- The Regulatory Compliance group oversees the program and compliance monitoring and reporting
- IPC has a strong culture of compliance (noted by WECC, FERC, and other regulatory agencies)
- Internal reviews and assessments, together with external audits by WECC, provide compliance verification

Standards – Cyber Security Implementation Prioritization

Cyber Security Risk Assessment
- Threats are evaluated against likelihood of occurrence and impact to the organization, taking into consideration existing IPC controls (policies, procedures, tools, etc.), to determine residual risk
- IPC reviews proposed tools and processes to determine whether their implementation would deliver an appropriate reduction in risk

Ongoing Optimization
- IPC technologists review tools and processes to ensure that:
  - Performance is at optimal levels
  - Tools and systems are capable of adjusting to the changing threat landscape

Standards – Cyber Security Framework

- Cyber Security uses the NIST SP 800-53 security control catalog as its foundation
- Standards are tailored to IPC based upon the applicable NIST requirements

Reporting – Incident Reporting

Incidents with potential impact to the bulk electric power system:
- The Department of Energy (DOE) specifies reporting requirements (DOE Form OE-417, the Electric Emergency Incident and Disturbance Report) to both the DOE and the Electricity Information Sharing and Analysis Center (E-ISAC)

Other incident types (HIPAA, PII, etc.):
- IPC's CSIRP contains a methodology to determine the type of incident and its severity
- That methodology, along with regulatory requirements and sound business practices, informs when there is a need to report

Partnerships – Information Sharing

Current information monitoring and sharing:
- Industry organizations (E-ISAC, EEI, WEI, WECC, and others)
- Idaho Fusion Center (DHS)
- InfraGard (FBI)
- NERC/FERC
- Security research
- Other utilities
- ICS-CERT/US-CERT
- Vendors

Conferences:
- Academic conferences (e.g. IEEE, ASIS, RSA)
- Industry conferences (e.g. EnergySec Summit, GridSecCon)
- Practitioner conferences (e.g. DEF CON)

Joint exercises:
- INL "Advanced SCADA Security Red/Blue Team"
- NERC GridEx

Procurement Practices – Procurement Security Language

Contract security language:
- Standard security language has been developed that addresses a breadth of security concerns (breach reporting, vulnerability and patch management programs, etc.)
- IPC seeks to obtain third-party indemnification when possible
- Language is customized based on the product or service being acquired
- The business unit, Legal, Contracting, and Cyber Security determine what risk is acceptable when a vendor or contractor is unable to meet the requirements

Procurement Practices – Background Checks

- Personnel Risk Assessments (PRAs), which include a background check, are required for all individuals (employees, contractors, vendors, etc.) prior to gaining unescorted physical or electronic access
- Criteria are defined for what is acceptable and what requires an adjudication process

Procurement Practices – Cyber Security Personnel

- The Cyber Security department consists of a manager and seven security specialists
- The group is charged with setting policy and standards, consulting on technology projects, monitoring and maintaining security tools, and incident response

Procurement Practices – Other Security Practitioners

IT Infrastructure:
- Corporate Active Directory
- Firewalls
- Port security
- Privileged access management

Integrated Operations Center (IOC):
- Performs initial security alert monitoring and triage on some alerts

Energy Management System (EMS) analysts:
- Monitor and maintain the security tools and controls for the EMS

System Protection:
- Manages the security tools and controls for the system protection and apparatus groups

Risk Management – Risk Assessment

- IPC performs a risk assessment using the NIST threat list as a basis
- The risk assessment is reviewed by a broad group as needed and at least annually
- The review includes the impact (consequence) of each threat and its likelihood

Risk Management – Vulnerability Assessments

- Baseline requirements for operating systems, monitored by Cyber Security
- System Security Plans are required for major upgrades to existing systems and applications and for all new purchases
- Internal Red Team / Blue Team exercises (ad hoc)
- External assessments by third parties are managed by Audit Services with consultation from Cyber Security and Legal
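The slide says operating-system baselines are monitored by Cyber Security but does not say which baselines or tools IPC uses. The following is an added example, not Idaho Power's tooling, of what that monitoring amounts to in practice: a baseline states what each setting must be, a checker parses what is actually deployed and reports drift, most severe first. The baseline directives, the severities, the MaxAuthTries limit and the sample sshd_config are all constructed for illustration.

```python
"""OS baseline drift check (added example, not Idaho Power's tooling).

A baseline requirement says what a setting must be; monitoring means
comparing what is actually deployed against that and reporting drift.
The baseline, the severities and the sample sshd_config below are all
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: directive -> (acceptable values, severity).
# Directive names are compared case-insensitively. A directive that is
# absent counts as drift: the baseline requires it to be set explicitly
# rather than relying on a default that may change between releases.
BASELINE = {
    "permitrootlogin":        ({"no"}, "high"),
    "passwordauthentication": ({"no"}, "high"),
    "protocol":               ({"2"}, "high"),
    "x11forwarding":          ({"no"}, "medium"),
    "loglevel":               ({"info", "verbose"}, "low"),
}
# Numeric limit checked separately: at most this many authentication attempts.
MAX_AUTH_TRIES = 4
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: Optional[str]   # None means the directive is not set at all
    severity: str


def parse_config(text: str) -> dict:
    """Return the effective value of each directive in sshd_config syntax.

    Blank lines and lines starting with '#' are comments. Both 'Key value'
    and 'Key=value' forms are accepted. sshd honours the first occurrence
    of a directive, so duplicates later in the file are ignored here too.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue   # directive with no value; nothing to compare
        key, value = parts[0].lower(), parts[1].strip().lower()
        effective.setdefault(key, value)
    return effective


def check_baseline(text: str) -> list:
    """Compare a config against BASELINE; return drift, most severe first."""
    effective = parse_config(text)
    findings = []
    for directive, (allowed, severity) in BASELINE.items():
        actual = effective.get(directive)
        if actual not in allowed:
            findings.append(Finding(directive, " or ".join(sorted(allowed)),
                                    actual, severity))
    tries = effective.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(Finding("maxauthtries", f"<= {MAX_AUTH_TRIES}",
                                tries, "medium"))
    # sorted() is stable, so findings of equal severity keep baseline order
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample: two deviations, one duplicate, one missing directive.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
# duplicate below is ignored: sshd keeps the first value seen
PasswordAuthentication yes
MaxAuthTries 10
LogLevel INFO
"""

if __name__ == "__main__":
    for f in check_baseline(SAMPLE_SSHD_CONFIG):
        shown = f.actual if f.actual is not None else "<not set>"
        print(f"[{f.severity}] {f.directive}: expected {f.expected}, found {shown}")
```

Run against the sample, the checker reports root login enabled (high), X11Forwarding not set at all (medium) and MaxAuthTries above the limit (medium), while the duplicated PasswordAuthentication line does not trigger a finding because sshd, and therefore the parser, keeps the first value. Treating an absent directive as drift is deliberate: a baseline that silently accepts vendor defaults stops being a baseline the first time those defaults change.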

Effectiveness – Cyber Security Policy

Several methods provide feedback on the effectiveness of the program:
- Risk assessment process
- Internal exercises
- Phishing awareness program
- Legal review
- Audit Services assessments: Operational, SOX, CIP
- Third-party assessments: vulnerability assessments, FERC-OEIS/DHS architecture review, WECC

Effectiveness – Program Improvement

- The risk assessment provides visibility into threats that are at an unacceptable level of risk
- Business cases are developed to show the value of changing particular systems or processes and the resulting reduction in risk
- New risks and threats emerge daily
- Resource limitations; O&M cost intensive
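The Implementation Prioritization, Risk Assessment and Program Improvement slides describe one loop: score each threat's likelihood and impact, apply existing controls to get residual risk, surface the threats above the acceptable level, and evaluate proposed tools by how much residual risk they remove for their O&M cost. The following is an added example of that loop in code, not IPC's methodology: the 1-5 scales, the threat events, the control effectiveness figures, the costs and the risk appetite are all constructed, and the threat names are illustrative rather than taken from the NIST threat list.

```python
"""Threat-based risk assessment with residual risk and control prioritisation.

Added example, not Idaho Power's methodology. The 1-5 likelihood and impact
scales, the threat events, the control effectiveness figures, the O&M costs
and the risk appetite are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Sequence, Tuple

SCALE_MIN, SCALE_MAX = 1, 5
RISK_APPETITE = 8   # residual risk (likelihood x impact) above this is unacceptable


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0   # scale steps removed from likelihood
    impact_reduction: int = 0       # scale steps removed from impact
    annual_cost: float = 0.0        # constructed O&M cost for business-case ranking


@dataclass
class Threat:
    name: str
    likelihood: int   # 1 rare .. 5 almost certain, before any controls
    impact: int       # 1 negligible .. 5 severe, before any controls
    controls: List[Control] = field(default_factory=list)   # controls already in place


def _clamp(value: int) -> int:
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_risk(threat: Threat) -> int:
    return threat.likelihood * threat.impact


def residual_risk(threat: Threat, extra_controls: Iterable[Control] = ()) -> int:
    """Risk remaining once existing controls (plus any proposed ones) apply."""
    controls = list(threat.controls) + list(extra_controls)
    likelihood = _clamp(threat.likelihood - sum(c.likelihood_reduction for c in controls))
    impact = _clamp(threat.impact - sum(c.impact_reduction for c in controls))
    return likelihood * impact


def unacceptable(register: Sequence[Threat], appetite: int = RISK_APPETITE) -> List[Threat]:
    """Threats whose residual risk exceeds the appetite, highest first."""
    over = [t for t in register if residual_risk(t) > appetite]
    return sorted(over, key=lambda t: -residual_risk(t))


def evaluate_proposal(register: Sequence[Threat], control: Control,
                      applies_to: Iterable[str]) -> int:
    """Total residual-risk reduction a proposed control would deliver
    across the threats it applies to."""
    names = set(applies_to)
    return sum(residual_risk(t) - residual_risk(t, [control])
               for t in register if t.name in names)


def rank_proposals(register: Sequence[Threat],
                   proposals: Sequence[Tuple[Control, List[str]]]) -> List[Tuple[str, int, float]]:
    """Rank proposed controls by risk reduction per unit of annual cost,
    breaking ties by absolute reduction. Returns (name, reduction, per_cost)."""
    scored = []
    for control, applies_to in proposals:
        reduction = evaluate_proposal(register, control, applies_to)
        per_cost = reduction / control.annual_cost if control.annual_cost else float("inf")
        scored.append((control.name, reduction, per_cost))
    return sorted(scored, key=lambda s: (-s[2], -s[1]))


# Constructed register (illustrative threat events, not IPC's threat list)
PHISHING = "Phishing leading to credential theft"
RANSOMWARE = "Ransomware on corporate file servers"
EMS_REMOTE = "Unauthorized remote access to the EMS"
INSIDER = "Insider misuse of privileged accounts"

REGISTER = [
    Threat(PHISHING, likelihood=5, impact=4, controls=[
        Control("Phishing awareness program", likelihood_reduction=1),
        Control("Email filtering", likelihood_reduction=1)]),
    Threat(RANSOMWARE, likelihood=4, impact=5, controls=[
        Control("Endpoint protection", likelihood_reduction=1),
        Control("Offline backups", impact_reduction=2)]),
    Threat(EMS_REMOTE, likelihood=3, impact=5, controls=[
        Control("Firewall segmentation", likelihood_reduction=1)]),
    Threat(INSIDER, likelihood=2, impact=4, controls=[
        Control("Personnel risk assessment", likelihood_reduction=1)]),
]

# Constructed proposals: (control, names of the threats it would apply to)
PROPOSALS = [
    (Control("Multi-factor authentication", likelihood_reduction=2, annual_cost=40_000.0),
     [PHISHING, EMS_REMOTE]),
    (Control("Privileged access management", likelihood_reduction=1, impact_reduction=1,
             annual_cost=60_000.0), [INSIDER, EMS_REMOTE]),
    (Control("Application allow-listing", likelihood_reduction=2, annual_cost=25_000.0),
     [RANSOMWARE]),
]

if __name__ == "__main__":
    for t in REGISTER:
        print(f"{t.name}: inherent {inherent_risk(t)}, residual {residual_risk(t)}")
    print("Unacceptable:", [t.name for t in unacceptable(REGISTER)])
    for name, reduction, per_cost in rank_proposals(REGISTER, PROPOSALS):
        print(f"{name}: reduces risk by {reduction} ({per_cost:.6f} per $ of O&M)")
```

With these constructed numbers, phishing (residual 12), EMS remote access (10) and ransomware (9) sit above the appetite of 8 while insider misuse (4) does not, and multi-factor authentication ranks first because it reduces risk on two of the three unacceptable threats for the lowest cost per point removed. The clamp to the 1-5 scale matters: stacking controls never drives likelihood to zero, which keeps the model from claiming a threat has been eliminated rather than reduced.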