ATTRIBUTES OF AN INTERNAL COMPLIANCE PROGRAM
Eddy Reece
Rayburn Country Electric Cooperative
Rockwall, Texas
• Why your company may want a compliance program
• 13 questions about a company compliance program
• Lessons learned from having a company compliance program
• Questions
• Company compliance programs are part of the enforcement determination as a mitigating factor
• A company can receive some benefit for having a compliance program
• A company compliance program has benefits throughout the entire company
  ▪ From President/CEO to field staff
• 13 questions asked about a company's compliance program
  ▪ As part of the 2008 end-of-year Self-Certifications
  ▪ Questionnaire will be sent to all registered Entities
  ▪ There are no right or wrong answers
  ▪ The answers will depend on the size of the company and the staffing available
• 1) What is the scope of your company's compliance program?
  ▪ How is the company compliance program organized?
  ▪ Is it formal or less structured?
• 2) How is the company compliance program distributed inside the company?
  ▪ Who manages it?
  ▪ Who is part of the plan?
  ▪ Who is required to participate?
  ▪ Who receives training/updates/presentations concerning the compliance effort?
• 3) Who is identified as the company compliance manager/officer?
  ▪ Is someone identified as a compliance officer as one of their duties?
  ▪ Who is the individual?
• 4) Is there an organizational chart showing the chain of command for the compliance manager/officer?
  ▪ Does this identified person have the ability to make changes in the company?
• 5) Does the compliance manager/officer have direct access to the CEO/Board of Directors/General Manager of the company?
  ▪ Can they report directly to those who can make necessary changes to the company's policies/procedures?
• 6) Is the company compliance program independent of other departments responsible for performance to the standards?
  ▪ Is there a different group inside the company reviewing the compliance of other departments' work?
  ▪ Is the compliance group reviewing their own work?
  ▪ Both types of review can work as long as the person/group reviews the work with an outsider's perspective
• 7) Does your company have enough resources to support the company compliance program?
  ▪ Staff requirements
    ▪ Time for the staff to perform compliance review processes
    ▪ Outside contracts may be useful
  ▪ Tools and programs
    ▪ There may be some tools available to help manage the company compliance program
• 8) Does your company compliance program have the support of senior management?
  ▪ Senior management support will enhance any changes needed throughout the company
  ▪ This support also gels the company together with a clear vision that company compliance is a team goal and will benefit everyone
• 9) Does your company regularly review and update the internal compliance program?
  ▪ Is there a scheduled review of the compliance program?
  ▪ An active program should be reviewed at least annually
• 10) Are relevant staff trained on the company compliance program?
  ▪ Who is trained?
  ▪ What are the training objectives?
  ▪ How often are they trained?
• 11) Does your company perform self-audits?
  ▪ How often is the internal compliance program audited?
  ▪ Is the program audited or a gap analysis performed at certain times throughout the year?
  ▪ Is a schedule followed to verify all applicable standards are reviewed?
• 12) Does the company compliance program include disciplinary action for employees involved in violations?
  ▪ This is a company issue
  ▪ The program may distinguish those who try to hide a violation from those who are actually involved in a violation
• 13) Does the company compliance program include self-assessments and self-enforcement to prevent recurrence of violations?
  ▪ Are there follow-up checks to verify that the problems have been corrected and remain that way?
  ▪ Are spot checks performed?
• Let all necessary staff know that company compliance is there for a reason
  ▪ The staff may be the subject matter expert on an audit
  ▪ The staff's reports may be the company's evidence to support compliance
    ▪ So make sure the reports read well
    ▪ Time and date
    ▪ Who performed the test / report / etc.
    ▪ Conclusion
• The number one comment I hear from companies after an audit:
  ▪ "This has made us take a good look at how we are doing things and find better ways to perform the tasks to meet NERC standards and our own needs."
• Every company gets better as they review their own processes
Public
• Threats & Vulnerabilities
• Security Management Framework
• Protection Strategy
• ERCOT Information Security Mission Statement & Organization
• Information Security Roadmap
• Security Maturity Model
[Figure: Attack Sophistication vs. Intruder Knowledge, timeline 1980 to 2010. Axes: Attack Sophistication (Low to High) and Intruder Knowledge (High to Low). Techniques plotted: Distributed Attack Tools, BOTS, Malicious Code, Automated Probes/Scans, Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Hijacking Sessions, Sweepers, Sniffers, Denial of Service, GUI, Network Management Diagnostics, Web Attacks, "Stealth"/Advanced Scanning Techniques, Back Doors, Zombies, Morphing, Packet Spoofing. Sources: Carnegie Mellon University, 2002 and Idaho National Laboratory, 2005]
[Figure: Vulnerability Exploit Cycle (Source: Federal Bureau of Investigation). Y-axis: # of Incidents. Stages in sequence: Advanced Intruders Discover New Vulnerability; Crude Exploit Tools Distributed; Novice Intruders Use Crude Exploit Tools; Automated Scanning/Exploit Tools Developed; Widespread Use of Automated Scanning/Exploit Tools; Intruders Begin Using New Types of Exploits. The Highest Exposure Time is marked on the curve.]
Information Security Management Framework

1) Security Vision & Strategy:
  • Mission statement, guiding principles
  • Strategy for addressing information protection
  • Security/Executive committee as an authoritative decision & communication vehicle

2) Sr. Mgmt Commitment:
  • Commitment in principle & practice
  • Support through policy, directives & resource allocation
  • Determination of risk tolerance

3) Security Mgmt Structure:
  • Centralized & decentralized resource deployment
  • Cross-functional roles and responsibilities

4) Training & Awareness Program:
  • Communication covers all levels of the organization and all aspects of information security
  • Continuous, pervasive and an integral part of training plans
Security Lifecycle
[Figure: cycle of Design, Implement, Maintain, Assess, Educate]
• Encourages continuous assessment
• Helps to keep security relevant to business processes & goals
[Figure: Protection Strategy. Layers: Prevention, Detection, Response, Forensics. Supporting pillars: Governance (Policy, Process, Compliance), Awareness, Education, and Security Technology. Controls shown: Firewalls, Anti(V/S/A), Patch Mgmt, IPS, Web Filtering, Email Security, Encryption, Host IPS, Proxies, Access Management, Policies, Standards, Processes, Awareness, Education, Vuln Scanners, Monitoring Tech, Server Compliance, DB Compliance, IDS, Risk Mgmt, Patch Auditing, Access Review, Process Compliance Monitoring, SIRT, Alerts]
The Information Systems Security Department's mission is to protect assets owned by and entrusted to ERCOT and enable ERCOT's business objectives.

To accomplish our mission, we commit to:
• Add value to the business through the development and delivery of cost-beneficial asset protection programs
• Proactively focus on identification and mitigation of risk
• Seamlessly integrate security into business operations
• Respond in a timely and effective way to incidents that threaten the safety, security, integrity or availability of ERCOT's assets
• Conduct our security program in a manner that demonstrates the highest ethical standards
• Provide excellence in customer service
• Continually practice quality in our craft
ISSD Organization
Manager, Information System Security Department, with three groups:
• Compliance & Process
• Architecture & Consulting
• Security Operations

External:
• ERCOT Critical Infrastructure Protection Advisory Group (CIP-AG)
• NERC CIP Committee
• NERC CIP Task Forces and Drafting Teams
• ISO/RTO Security Working Group

Internal:
• Corporate Security Advisory Group
• Line of Business Security Committee
• Security Risk Management Subcommittee
Security Program Maturity Timeline (Source: Gartner)
[Figure: Relative Program Maturity over time against Level of Process Maturity 0 to 5: Nonexistent, Initial, Developing, Defined, Managed, Optimizing. Phases: Blissful Ignorance, Awareness, Corrective, Operations Excellence. Security Budget (% of IT Budget) bands: <3%, 3%-4%, 4%-6%, 7%-8%. Population distribution values shown: 10%, 20%, 30%, 40%. Activities shown: Develop New Policy Set; Initiate Strategic Program; Process Formalization; Track Technology and Business Change; Continuous Process Improvement; Review Status Quo; Design Architecture; Conclude Catch-up Projects; (Re-)Establish Security Team. NOTE: Population distributions represent typical, large G2000-type organizations.]