ATTRIBUTES OF AN INTERNAL COMPLIANCE PROGRAM

Eddy Reece
Rayburn Country Electric Cooperative
Rockwall, Texas

Posted on 24-Jun-2020

• Why your company may want a compliance program
• 13 questions about a company compliance program
• Lessons learned from having a company compliance program
• Questions

• Company compliance programs are part of the enforcement determination as a mitigating factor
• A company can receive some benefit for having a compliance program
• A company compliance program has benefits throughout the entire company
  ▪ From President/CEO to field staff

• 13 questions asked about a company's compliance program
• As part of the 2008 end-of-year Self-Certifications
• Questionnaire will be sent to all registered Entities
• There are no right or wrong answers
• The answers will depend on the size of the company and the staffing available

1) What is the scope of your company's compliance program?
• How is the company compliance program organized?
• Is it formal or less structured?

2) How is the company compliance program distributed inside the company?
• Who manages it?
• Who is part of the plan?
• Who is required to participate?
• Who receives training/updates/presentations concerning the compliance effort?

3) Who is identified as the company compliance manager/officer?
• Is someone identified as a compliance officer as one of their duties?
• Who is the individual?

4) Is there an organizational chart showing the chain of command for the compliance manager/officer?
• Does this identified person have the ability to make changes in the company?

5) Does the compliance manager/officer have direct access to the CEO/Board of Directors/General Manager of the company?
• Can they report directly to those who can make necessary changes to the company's policies/procedures?

6) Is the company compliance program independent of other departments responsible for performance to the standards?
• Is there a different group inside the company reviewing the compliance of other departments' work?
• Is the compliance group reviewing their own work?
• Both types of review can work as long as the person/group reviews the work with an outsider's perspective

7) Does your company have enough resources to support the company compliance program?
• Staff requirements
  ▪ Time for the staff to perform compliance review processes
  ▪ Outside contracts may be useful
• Tools and programs
  ▪ There may be some tools available to help manage the company compliance program

8) Does your company compliance program have the support of senior management?
• Senior management support will enhance any changes needed throughout the company
• This support also gels the company together with a clear vision that company compliance is a team goal and will benefit everyone

9) Does your company regularly review and update the internal compliance program?
• Is there a scheduled review of the compliance program?
• An active program should be reviewed at least annually

10) Are relevant staff trained on the company compliance program?
• Who is trained?
• What are the training objectives?
• How often are they trained?

11) Does your company perform self-audits?
• How often is the internal compliance program audited?
• Is the program audited, or a gap analysis performed, at certain times throughout the year?
• Is a schedule followed to verify that all applicable standards are reviewed?

12) Does the company compliance program include disciplinary action for employees involved in violations?
• This is a company issue
• Discipline may distinguish between those who try to hide a violation and those who are actually involved in one

13) Does the company compliance program include self-assessments and self-enforcement to prevent recurrence of violations?
• Are there follow-up checks to verify that the problems have been corrected and remain that way?
• Are spot checks performed?

• Let all necessary staff know that company compliance is there for a reason
• The staff may be the subject matter expert on an audit
• The staff's reports may be the company's evidence to support compliance
  ▪ So make sure the reports read well
  ▪ Time and date
  ▪ Who performed the test / report / etc.
  ▪ Conclusion

• The number one comment I hear from companies after an audit: "This has made us take a good look at how we are doing things and finding better ways to perform the tasks to meet NERC standards and our own needs"
• Every company gets better as they review their own processes

Public

• Threats & Vulnerabilities
• Security Management Framework
• Protection Strategy
• ERCOT Information Security Mission Statement & Organization
• Information Security Roadmap
• Security Maturity Model

[Figure: Attack Sophistication vs. Intruder Knowledge, 1980-2010. Curves: Attack Sophistication and Intruder Knowledge, scale Low to High. Techniques plotted: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Spoofing, GUI, Automated Probes/Scans, Denial of Service, Network Management Diagnostics, Web Attacks, "Stealth"/Advanced Scanning Techniques, Distributed Attack Tools, Zombies, BOTS, Morphing, Malicious Code. Sources: Carnegie Mellon University, 2002 and Idaho National Laboratory, 2005]

[Figure: Vulnerability Exploit Cycle (# of incidents over time). Stages labelled: Advanced Intruders Discover New Vulnerability; Crude Exploit Tools Distributed; Novice Intruders Use Crude Exploit Tools; Automated Scanning/Exploit Tools Developed; Widespread Use of Automated Scanning/Exploit Tools (Highest Exposure Time); Intruders Begin Using New Types of Exploits. Source: Federal Bureau of Investigation]

Information Security Management Framework

1) Security Vision & Strategy:
• Mission statement, guiding principles
• Strategy for addressing information protection
• Security/Executive committee as an authoritative decision & communication vehicle

2) Sr. Mgmt Commitment:
• Commitment in principle & practice
• Support through policy, directives & resource allocation
• Determination of risk tolerance

3) Security Mgmt Structure:
• Centralized & decentralized resource deployment
• Cross-functional roles and responsibilities

4) Training & Awareness Program:
• Communication covers all levels of the organization and all aspects of information security
• Continuous, pervasive and an integral part of training plans


Security Lifecycle
• Phases: Design, Implement, Maintain, Assess, Educate
• Encourages continuous assessment
• Helps to keep security relevant to business processes & goals

[Figure: Protection Strategy diagram. Security functions: Prevention, Detection, Response, Forensics. Governance: Policy, Process, Compliance; Awareness; Education. Security technologies shown: Firewalls, Anti(V/S/A), Patch Mgmt, IPS, Web Filtering, Email Security, Encryption, Host IPS, Proxies, Access Management, Policies, Standards, Processes, Awareness, Education, Vuln Scanners, Monitoring Tech, Server Compliance, DB Compliance, IDS, Risk Mgmt, Patch Auditing, Access Review, Process Compliance, Monitoring, SIRT, Alerts.]

The Information Systems Security Department's mission is to protect assets owned by and entrusted to ERCOT and enable ERCOT's business objectives.

To accomplish our mission, we commit to:
• Add value to the business through the development and delivery of cost-beneficial asset protection programs
• Proactively focus on identification and mitigation of risk
• Seamlessly integrate security into business operations
• Respond in a timely and effective way to incidents that threaten the safety, security, integrity or availability of ERCOT's assets
• Conduct our security program in a manner that demonstrates the highest ethical standards
• Provide excellence in customer service
• Continually practice quality in our craft

ISSD Organization

Manager, Information System Security Department
• Compliance & Process
• Architecture & Consulting
• Security Operations

External:
• ERCOT Critical Infrastructure Protection Advisory Group (CIP-AG)
• NERC CIP Committee
• NERC CIP Task Forces and Drafting Teams
• ISO/RTO Security Working Group

Internal:
• Corporate Security Advisory Group
• Line of Business Security Committee
• Security Risk Management Subcommittee

[Figure: Security Program Maturity Timeline (Source: Gartner). Relative Program Maturity plotted against Level of Process Maturity: Nonexistent, Initial, Developing, Defined, Managed, Optimizing (levels 0-5), with phases labelled Blissful Ignorance, Awareness, Corrective, Operations, Excellence. Activities shown: Develop New Policy Set, Initiate Strategic Program, Process Formalization, Track Technology and Business Change, Continuous Process Improvement, Review Status Quo, Design Architecture, Conclude Catch-up Projects, (Re-)Establish Security Team. Security Budget (% of IT Budget) bands: <3%, 3%-4%, 4%-6%, 7%-8%. Percentages shown on the chart: 10%, 20%, 30%, 40%. NOTE: Population distributions represent typical, large G2000-type organizations.]