Reliability Assurance Initiative


Reliability Assurance Initiative NERC Reliability Working Group July 25, 2013

What is RAI?
- A collaborative effort between NERC, the Regional Entities, and registered entities to identify and implement changes that enhance the effectiveness of the Compliance Monitoring and Enforcement Program
- Represents risk-based compliance monitoring
  - Focuses on risks to reliability
  - Enforcement will be reserved for significant matters
- It is a customized compliance approach
  - Individualized scoping for each registered entity
  - Reduces administrative burdens and distractions

How will we know it's successful?
If the end-state compliance monitoring and enforcement program is effective* at providing reasonable assurance through compliance monitoring, appropriate deterrence through enforcement, and a feedback loop to continuously improve reliability standards.
*Effective means that the resources expended to achieve and monitor compliance and to carry out enforcement are sufficient on the larger risk areas and not necessarily over-applied on the lower risk areas.

What are the components of the RAI?
The four components of the RAI are:
1. Assessing Reliability Risk
2. Scoping Compliance Monitoring
3. Processing Possible Violations in Accordance with Risk
4. Strengthening the Feedback Loop to the Standards Development Process

In the context of RAI, what is meant by risk?
- Definition of risk to the BES: instability, uncontrolled separation, or cascading failures
- System-wide risks to the BES
- Entity's risk to the BES
  - Inherent risk is a function of registrations and other relevant factors such as system design, configuration, size, etc.
  - Control risk is a function of the entity's internal controls established to reduce the risk of a violation or system event.
  - These two components will be considered in determining an entity's risk profile or risk assessment.
- A project is currently underway to determine a regional approach to developing a prototype for risk assessment.

Risk Considerations
- Analysis of risk assists an entity in deploying controls more effectively.
- Review should focus on the greatest threats to reliability, based on impact and likelihood of occurrence.
- The cost of a control should not exceed its benefits.
- Reliability Standards are dynamic, and the methodology should be flexible enough to adapt to changes.
- There is no "one size fits all" model.

How do I do an internal risk assessment?
One size does not fit all!!!
[Slide matrix: rows are example entities (Entity A (Co-Op), Entity B (Gen), Entity C, Entity D, Entity E (SoCo)); columns are the NERC functional registrations BA, DP, LSE, TO, GO, GOP, IA, PA, PSE, RC, RP, RSG, TP, TOP, TSP. The per-entity registration marks are not reproduced.]

What is a risk assessment process?
1. Identify risks
2. Assess risks
   - Develop assessment criteria
   - Assess risks
   - Assess risk interactions
   - Prioritize risks
3. Respond to risks (AKA internal controls)

Questions to Consider
- What are the risks to reliability of the bulk electric system?
  - Consider registered functions.
  - Review event analysis of the entity.
  - Review operational issues in the industry.
  - What keeps me up at night relative to reliability?
- What are the compliance risks for the Standards?
  - Are there stumbling blocks to compliance for the entity?
  - Review self-reports for the entity (are there problematic standards?).
  - Review frequently violated standards.
  - What keeps me up at night relative to compliance?
- Risk interactions: interactions between other events/conditions that could increase risk.
- How do risks rank relative to each other?
  - Formal method to calculate risk: likelihood scale, impact scale
  - "Pin the tail on the donkey"
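The ranking question above (likelihood scale, impact scale, inherent versus control risk, risk interactions) can be turned into a small scoring routine for an entity's risk register. The following is an added example, not code from the presentation or from NERC: the 5-point scales, the tier thresholds, the sample risks, and the control-effectiveness figures are constructed assumptions for illustration. Only the NERC standard identifiers in the sample register are taken from the presentation's internal-controls slide.

```python
"""Risk-register scoring for an entity's internal reliability risk assessment.

Added example (not code from the NERC RAI presentation). A likelihood scale
and an impact scale give an inherent risk score, the entity's control
effectiveness gives a control-risk factor, a risk interaction raises the
likelihood of a risk when a related risk is itself still unmitigated, and the
register is ranked by residual score. Every scale value, threshold, risk name
and effectiveness figure is a constructed assumption, not a NERC prescription.
"""
from dataclasses import dataclass

# 5-point scales (assumed); inherent risk = likelihood x impact, range 1..25
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH, MEDIUM = 12, 6  # assumed tier thresholds on the residual score


@dataclass(frozen=True)
class Risk:
    name: str
    standards: tuple               # associated NERC standards, e.g. ("PRC-005",)
    likelihood: str                # key of LIKELIHOOD
    impact: str                    # key of IMPACT
    control_effectiveness: float   # 0.0 = no control, 1.0 = fully mitigating
    interacts_with: tuple = ()     # names of other risks that can aggravate this one

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact {self.impact!r}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be within [0, 1]")


def inherent_score(risk, likelihood_bump=0):
    """Likelihood x impact before controls; a bump raises likelihood one step, capped at 5."""
    level = min(LIKELIHOOD[risk.likelihood] + likelihood_bump, 5)
    return level * IMPACT[risk.impact]


def residual_score(risk, likelihood_bump=0):
    """Inherent score scaled by control risk (1 - control effectiveness), rounded to 2 dp."""
    control_risk = 1.0 - risk.control_effectiveness
    return round(inherent_score(risk, likelihood_bump) * control_risk, 2)


def tier(score):
    if score >= HIGH:
        return "high"
    if score >= MEDIUM:
        return "medium"
    return "low"


def assess(register):
    """Score every risk, apply interactions, and return rows ranked by residual risk."""
    by_name = {r.name: r for r in register}
    # Interactions are judged on pre-interaction residuals so register order cannot matter.
    base = {r.name: residual_score(r) for r in register}
    rows = []
    for r in register:
        unknown = [n for n in r.interacts_with if n not in by_name]
        if unknown:
            raise KeyError(f"{r.name!r} interacts with unregistered risk(s): {unknown}")
        # A related risk still at least "medium" after its own controls aggravates this one.
        bump = 1 if any(base[n] >= MEDIUM for n in r.interacts_with) else 0
        residual = residual_score(r, bump)
        rows.append({
            "name": r.name,
            "standards": r.standards,
            "inherent": inherent_score(r, bump),
            "residual": residual,
            "tier": tier(residual),
            "interaction_bump": bump,
        })
    rows.sort(key=lambda row: (-row["residual"], row["name"]))
    return rows


# Constructed sample register: the standards are ones the presentation names;
# the ratings and control-effectiveness values are invented for illustration.
SAMPLE_REGISTER = (
    Risk("Protection system maintenance intervals missed", ("PRC-005",),
         "likely", "major", control_effectiveness=0.75),    # quarterly work order review
    Risk("BES Cyber System security logs not reviewed", ("CIP-007",),
         "possible", "major", control_effectiveness=0.5),   # central logging, third-party analysis
    Risk("Operator communications not logged", ("COM-002", "TOP-002"),
         "possible", "moderate", control_effectiveness=0.6),  # operator logging review
    Risk("Cyber incident response plan untested", ("CIP-008",),
         "unlikely", "severe", control_effectiveness=0.3,
         interacts_with=("BES Cyber System security logs not reviewed",)),
)

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['tier']:6} {row['residual']:5} (inherent {row['inherent']:2}) "
              f"{row['name']} [{', '.join(row['standards'])}]")
```

The interaction rule is the part worth noticing: the CIP-008 risk rates only "unlikely" on its own, but because the related logging risk remains at "medium" after its controls, its likelihood is bumped one step and it rises to the top of the register. That is the slide's "risk interactions" point in concrete form; the thresholds and the one-step bump are choices an entity would tune to its own scale.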

Internal Control Program An internal control program helps provide a Registered Entity with reasonable assurance of compliance with the requirements of the Standards.

Functional Overlap of the Standards
- Current – Standards Based: CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009
- Future – Functions Based: Change Management & Testing; Device Management; Information Classification & Handling / Document Control; Access Control; Physical Security; Recovery & Incident Response
[Slide diagram: each function area on the right spans several of the CIP standards on the left.]

693 Standards (the FERC Order 693 operations and planning standards)

Management Controls
- Policies and procedures ensure management's directives are carried out.
- Elements of controls work together and collectively reduce the risk of not achieving objectives.
- Controls should not be considered discretely (defense in depth).

Types of Control Activities
Internal control is a process, effected by an entity's board of directors, management, and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives.
[Slide diagram: Continuous Improvement Cycle]

Internal Controls Analysis
Review existing processes, procedures and policies to determine if they facilitate compliance with the Reliability Standards.

(Slide table columns: Control; Associated NERC standard(s); Frequency; Detective Internal Controls*. The detective-control marks are not reproduced; frequency is shown where the slide gives it.)

Compliance Program Management Controls
- Self-Assessments prior to Self-Certification: All Standards; Annual
- Targeted Compliance Site Assessments
- NYPA Internal Event Analysis Plan: NERC EA process, EOP-004

Operations, Maintenance, and Cyber Security Controls
- Protection Control & Engineering (PC&E) quarterly work order review and compliance attestations: PRC-005, PRC-006, PRC-007, PRC-008, PRC-009, PRC-010, PRC-011, PRC-015, PRC-017, PRC-018, PRC-021
- PC&E peer review of Relay Operation Analysis: PRC-001, PRC-004
- PC&E tracking of Maintenance & Testing Exceptions
- Operator logging review: COM-002, PRC-001, VAR-002, TOP-001, TOP-002, TOP-003, TOP-006
- Incident Response Program: CIP-008; Ongoing
- A "central" logging mechanism and transmission to a third-party service for the aggregation and analysis of security logs: CIP-007
- Operator shift turn-over compliance checklists: COM-002, PRC-001, VAR-002, TOP-001, TOP-002, TOP-003, TOP-006

ERO RAI Program
- Conceptual White Papers (ERO & Industry Documents)
  - RAI Q&A
  - Internal Controls Working Guide
- Initial Phase Plan/Deliverables
  - Audit Handbook (ERO & Industry Collaborative Guides)
  - Benefits & Impacts
  - Internal Control Library
- RAI Pilots
  - MRO – ATC
  - RFC – PJM, PPL
  - SERC – integrating into audits
- Self-Reporting Process Enhancement
  - Self-Report Guide
  - Mitigation Plan Guide
  - Violation vs Deficiency Pilots
- FFT Enhancements
  - Regional Entity Triage Process

References
Controls Framework Documents
- Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control – Integrated Framework
- The Institute of Internal Auditors – International Professional Practices Framework – Standard 2210 – Engagement Objectives
- Information Systems Audit and Control Association – Control Objectives for Information and Related Technology (COBIT)
Auditing Guidance Documents
- American Institute of Certified Public Accountants – Professional Standards, vol. 1 – AU Section 314
- United States Government Accountability Office – Government Auditing Standards – Chapter 7 – Reporting Standards for Performance Audits
NERC RAI Documents
- http://www.nerc.com/pa/comp/Pages/Reliability-Assurance-Intiative.aspx

Questions