
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and Regulation Management - Part 2

After a brief introduction by Mr. Humphreys, Henry Bailey will talk a few minutes about SAP’s roadmap for utilities. This will be followed by a discussion led by Chris Humphreys about the evolutionary transition from disparate point solutions to enterprise-wide, end-to-end, Regulation Management where controls are consolidated and leveraged such that compliance is a byproduct of industry best practices. Finally, Mr. Rice and Chris Humphreys will end the hour with a presentation expanding on the concept of controls consolidation and compliance as a byproduct focused on NERC CIP Ver 3-5 and NIST transitional capabilities of Regulation Management.



  1. The Evolution of Regulatory Compliance: An End-to-End Solution for Ensuring & Managing Regulatory Compliance, by SAP, August 2014
  2. © 2014 SAP AG. All rights reserved.
     Agenda
     • Cybersecurity Landscape
     • Evolution of Compliance Solutions
     • Managing Access Violations (SOX)
     • Financial Impact of Access Risk
     • Continuous Control Monitoring (SoD & Critical Access)
     • Real-Time Cross Enterprise Control (Business Applications & IT Systems)
     • Managing Regulations (FERC, NERC, CIP, etc.)
     • Regulatory Change Management
     • Enterprise Control Management
     • Unified Regulatory Controls
  4. Security By The Numbers
     • 2 billion Internet-enabled devices exist today
     • Trends suggest 7 billion+ in four years
     • 68,000+ hacker tools available today
     • 5.6M counterfeit computer chips seized
     • 8-character passwords cracked in an hour
     • 14-character alphanumeric passwords cracked in <3 min
  5. Advantage: Adversaries
     Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists. They have three things you don’t: people, money and time.
  6. Cybersecurity Landscape
     • Research, espionage, organized crime, cyber/info warfare
     • Nation-state quality defense is the new norm
     • Inference and aggregation
     • Cyber-kinetic impacts
     • Engineering vs. Security
  7. No 100% Prevention
  8. Strategic Security Outlook
     • Critical infrastructure is a high-value target; sufficient “MMO” exist for significant impacts to any size organization – no matter how big/small
     • Adversaries will easily outpace regulation, procurement and implementation cycles; hackers are faster than laws
     • Focus on people and process first, technology second; automating bad process/practice will only cause you to fail faster and more accurately
     • Beware of complexity, it can be the enemy of security; don’t forget that technology still requires care and feeding (read: people)
     • Continuous Monitoring is the most mature state; always be working toward it
     • Balance prevention, detection and response; seek to achieve “singularity”
  9. Evolution of Compliance Solutions – Point Solutions
     • Most utilities have one or more security/operational tools in place: stand-alone “point solutions” with a singular purpose.
     • Regulatory compliance obligations have resulted in the exploration of compliance outputs from security/operational toolsets.
       • These toolsets were never designed as singular compliance-driven solutions.
       • That is changing, as compliance solutions are in high demand at utilities and vendors see opportunity to address compliance.
  10. Evolution of Compliance Solutions – Point Solutions
      Typical point solutions:
      • Security Incident and Event Management (SIEM)
      • Security Logging
      • Patch Management
      • Configuration Management
  11. Evolution of Compliance Solutions – GRC
      Document Management
      • Compliance audits were documentation/evidence focused
      • Still dependent on manual population of the solution
      SharePoint
      • Still manual, but can incorporate calendar notifications and task management
      • Easy to deploy
      • Data integrity concerns
      • Non-sustainable
  12. Evolution of Compliance Solutions – GRC
      Why GRC?
      • Expanding granularity in regulatory requirements makes a manual approach non-sustainable
      • Pro-active vs. re-active
      • Enterprise layer to manage/integrate point solution outputs
      • Workflow automation
      • Self-assessment functionality
      • Detection and mitigation automation through workflows
      • Controls testing and design
      • Forces consistency in data
  13. Evolution of Compliance Solutions – GRC
      “I don’t have time to do this compliance stuff and my day job!”
      Utilities should never have to hear this complaint again if:
      – Sound operational/security-driven processes and controls are in place that “bake in” compliance
      – GRC technology is being leveraged to sustain and enforce controls and processes
  14. Agenda (repeated as a section divider; see slide 2)
  15. Current GRC situation
      • Access governance processes continue to be manually intensive and operate in silos across the enterprise
      • Lack of visibility into the financial exposure resulting from access risk violations
  16. Today’s Approach
      Assess the financial exposure of access risk
      • Summarize the dollar value of actual access violations
      • Clearly articulate the financial exposure that broad user access has on the business
      • Drive change where impact exceeds the materiality threshold
      Enable exception-based monitoring
      • Automate identification and review of actual access violations
      • Alert business owners only when exceptions occur, reducing manual control efforts and eliminating false positives
      • Comprehensive library of automated SoD controls across business processes
      • Centralized tracking, investigation and resolution of access violations
      Reduce enterprise-wide access governance costs
      • Extend the capabilities of SAP Access Control across enterprise systems
      • Enable business ownership of access governance and remediation activities
  17. SAP Access Violation Management: manage user access based on business impact (diagram)
      • SOX: Access Risk Analysis, User Access Management, Emergency Access Management, Business Role Management
      • Real-Time Cross Enterprise Control: Discovery, Aggregation, Correlation and Normalization
      • Continuous Monitoring: User, Role and Risk Modeling, Accelerated Remediation, Automated Mitigating Controls
      • Financial Exposure of Access Risk: Bottom-line Dollar Value
      • Connected systems: Cloud & SaaS Business Applications, Core ERP, Legacy/Custom Solutions, Other ERP
  18. SAP Access Control
      • Manage access risk and prevent fraud
      • Monitor emergency access and transaction usage
      • Certify access assignments are still warranted
      • Define and maintain roles in business terms
      • Automate access assignments across enterprise systems
      • Find and remediate SoD and critical access violations
      (diagram labels: SAP_ALL, Legacy, Oracle)
  19. Access Violation Management: reduce enterprise-wide access governance costs
      Authorization models for all business applications are correlated and normalized, which enables SoD rules to be maintained in one location – Access Control.
  20. Access Violation Management: reduce enterprise-wide access governance costs
      Access risk analysis, simulation, mitigation, and access requests are the same for the end user across all business applications.
  21. Access Violation Management: prevent potential risk & detect actual violations
      Preventative (Segregation of Duties)
      • SoD rules + mitigation rules, leveraging SoD rule sets
      • Reviewing user access rights and monitoring application security tables
      • Visibility into users and roles with the capability to perform high-risk transactions
      Detective
      • Leveraging analytics rule sets
      • Reviewing transaction metadata and monitoring usage in transaction tables
      • Visibility into actual usage and violations executed against high-risk transactions in conflict with policy
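The preventive/detective split on slide 21 and the "dollar value of actual access violations" on slide 16 are easiest to see side by side in code. The following is an added example, not SAP's code or any part of Access Violation Management: a preventive pass reads user/role assignments (what a user could do), a detective pass reads a transaction usage log (what a user actually did, within a time window), and a roll-up prices the detective findings. All rule, role, user and log data is constructed; the transaction codes, role names and the 14-day window are assumptions chosen for illustration.

```python
"""Segregation-of-duties (SoD) checks in two modes, as an added example that is not
SAP's code: a preventive pass over user/role assignments (what a user *could* do) and
a detective pass over transaction usage (what a user *actually* did), with a simple
financial-exposure roll-up. All rule, role, user and log data below is constructed."""
from collections import defaultdict
from datetime import date

# Constructed SoD rule set: a user able to run a code from "left" AND one from
# "right" has a conflict. Transaction codes are illustrative only.
SOD_RULES = {
    "P001": {"name": "Create vendor + run payment", "left": {"FK01", "XK01"}, "right": {"F110"}},
    "P002": {"name": "Maintain user + maintain role", "left": {"SU01"}, "right": {"PFCG"}},
}

# Constructed role -> transaction authorisations and user -> role assignments
# (the "application security tables" a preventive check reviews).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FB60"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
    "Z_REPORTING": {"FBL1N"},
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENT_RUN"},
    "bob": {"Z_AP_CLERK"},
    "carol": {"Z_BASIS_ADMIN"},
    "dave": {"Z_REPORTING"},
}

# Constructed mitigation assignments: (user, rule) pairs covered by a compensating control.
MITIGATIONS = {("carol", "P002"): "MC-07: weekly review of the user/role change log"}

# Constructed transaction usage log: (user, tcode, execution date, document amount).
USAGE_LOG = [
    ("alice", "FK01", date(2014, 8, 4), 0.0),
    ("alice", "F110", date(2014, 8, 6), 125000.0),
    ("bob", "FK01", date(2014, 8, 5), 0.0),
    ("carol", "SU01", date(2014, 8, 1), 0.0),
    ("carol", "PFCG", date(2014, 8, 29), 0.0),  # 28 days after SU01: outside the window
]


def effective_tcodes(user):
    """Union of transaction codes granted through all of a user's roles."""
    tcodes = set()
    for role in USER_ROLES.get(user, ()):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def preventive_violations():
    """Potential conflicts: users whose combined roles grant both sides of a rule.
    Returns (user, rule_id, "open" | "mitigated") tuples."""
    findings = []
    for user in sorted(USER_ROLES):
        can = effective_tcodes(user)
        for rule_id, rule in SOD_RULES.items():
            if can & rule["left"] and can & rule["right"]:
                status = "mitigated" if (user, rule_id) in MITIGATIONS else "open"
                findings.append((user, rule_id, status))
    return findings


def detective_violations(window_days=14):
    """Actual conflicts: the same user executed a left-side and a right-side
    transaction within window_days of each other. Returns (user, rule_id) tuples."""
    events = defaultdict(list)
    for user, tcode, when, _amount in USAGE_LOG:
        events[user].append((tcode, when))
    findings = []
    for user in sorted(events):
        for rule_id, rule in SOD_RULES.items():
            lefts = [d for t, d in events[user] if t in rule["left"]]
            rights = [d for t, d in events[user] if t in rule["right"]]
            if any(abs((l - r).days) <= window_days for l in lefts for r in rights):
                findings.append((user, rule_id))
    return findings


def financial_exposure(window_days=14):
    """Dollar value behind actual violations: for each user/rule pair found by the
    detective pass, sum the amounts on that user's transactions belonging to the rule."""
    exposure = defaultdict(float)
    for user, rule_id in detective_violations(window_days):
        in_scope = SOD_RULES[rule_id]["left"] | SOD_RULES[rule_id]["right"]
        for log_user, tcode, _when, amount in USAGE_LOG:
            if log_user == user and tcode in in_scope:
                exposure[user] += amount
    return dict(exposure)


if __name__ == "__main__":
    print("preventive:", preventive_violations())
    print("detective: ", detective_violations())
    print("exposure:  ", financial_exposure())
```

With this data carol shows up only in the preventive pass (and as mitigated, because a compensating control is assigned), while alice appears in both: she holds the conflicting roles and actually ran a vendor creation and a payment run two days apart. That difference is the reason the slide separates the two modes: the preventive list drives role redesign and mitigation assignments, the detective list drives investigations and carries the dollar exposure.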
  28. Customer Value
      • Gain a clear understanding of the cost of access violations and their impact on the organization
      • Reduce manual control efforts and eliminate false positives
      • Centrally track investigation and resolution of access violations
      • Give business users ownership of remediation activities
      • Alert business owners only when exceptions occur
      • Extend the investment in & functionality of GRC
  29. Agenda (repeated as a section divider; see slide 2)
  30. Utility Dive “State of the Electric Utility” Report
      Do you anticipate your utility’s regulatory model to change over the next 10 years?
      • 95% anticipate their regulatory model will change over the next 10 years
      • 57% believe regulations will change significantly
      What are the three most pressing challenges for your utility?
      1. Old Infrastructure (48%)
      2. Current Regulatory Model (32%)
      3. Aging Workforce (31%)
      …
      12. Cybersecurity (11%)
      http://app.assetdl.com/landingpage/siemens-2014-electric-utility-survey/
  31. Challenges in Managing Regulatory Change (diagram)
      IT, Compliance, Business, Audit and Legal each maintain their own Requirements and their own Control.
  32. Unified Regulatory Change Management (diagram)
      The Requirements of IT, Compliance, Business, Audit and Legal flow through Regulatory Change Management into a single Unified Control.
  33. Customer challenge: quickly assess and accommodate new and changed regulations
      Customers need the ability to:
      – Establish accountability and unify regulatory requirements across key stakeholders
      – Align regulatory requirements with internal control activities and operations
      – Automate execution and testing of controls across enterprise systems
  34. Regulation Management Process: Regulatory Intake, Collaboration & Execution
      Stakeholders: IT, Compliance, Business, Audit, Legal
      1. Regulatory Citations
         • Capture, intake and reporting of regulations
         • Leverage content from UCF, LexisNexis, Thomson Reuters, etc.
         • Regulatory alerts and monitoring
      2. Requirements
         • Version control and gap analysis
         • Delta change management
         • Pre-built reports for regulatory requirements
      3. Collaboration
         • Central repository for regulatory content, requirements and reporting
         • Comment and interact from start to finish
         • Share and review best practices
         Workflow
         • Dynamic, multi-threaded workflow capabilities
         • Review all or part of citations, requirements or controls at any time
         Control Definition
         • Best-practice control mapping & content creation
         • Unified control framework for all regulatory agencies
         • Map controls back to citations
      4. Controls Management
         • Manage, monitor and test controls against production systems
         Control Automation
         • Automatically execute control tests and import results
         Reporting and Documentation
         • Capture, store and report results
         • Manage and maintain findings
  35. Regulatory Change Management – Example
      Regulatory Requirements
      • NERC CIP-002 Critical Asset Identification
      • SANS Top 20 Critical Controls (NIST)
        – Control 1: Inventory of Authorized Devices
        – Control 2: Inventory of Authorized and Unauthorized Software
      • ISO 27002 Section 7
        – Responsibility of Assets
        – Ownership and Accountability
      • Sarbanes-Oxley (SOX)
        – Risk Assessment
        – Objective Setting
        – Event Identification
      Universal Control
      • Asset identification that includes ownership of and accountability for the asset
      Instead of four controls that are compliance driven, you now have one control that is operations driven, where compliance is a natural byproduct.
  36. Unified Regulatory Control Framework – Example
      Columns: NERC CIP Version 3 | NERC CIP Version 5 | SANS Top 20

      CIP-002-3 Critical Cyber Asset Identification / CIP-002-5 BES Cyber System Categorization
      • Version 3: R1: Risk-Based Assessment Methodology (RBAM) to identify Critical Assets (CA); R2: Apply RBAM to identify Critical Assets; R3: Identify Critical Cyber Assets (CCA); R4: Annual approval of RBAM, CA list, CCA list
      • Version 5: R1: Attachment 1 of CIP-002-5 incorporates the “Bright Line Criteria” to classify BES Assets as Low, Medium, or High, called BES Cyber Systems, consolidating CAs and CCAs; R2: BES Cyber System lists must be reviewed and approved every 15 calendar months
      • SANS Top 20: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment and Remediation

      CIP-004-3 Personnel and Training / CIP-004-5 Personnel and Training
      • Version 3: R1: Awareness: Security Awareness Program; R2: Training: Cyber Security Training Program; R3: Personnel Risk Assessment; R4: Access
      • Version 5: R1: Security Awareness Program (reference Table 1: Security Awareness Program Criteria in the standard); R2: Training Program (reference Table R2 Cyber Security Training Program in the standard); R3: PRA Program (reference Table R3 PRA Program in the standard); R4: Access Management Program (reference Table R4 Access Management Program in the standard for required program criteria); R5: Access Revocation Program (reference Table R5 Access Revocation for required program criteria)
      • SANS Top 20: Critical Control 15: Controlled Access Based on Need to Know; Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps

      CIP-005-3 Electronic Security Perimeter(s) / CIP-005-5 Electronic Security Perimeter(s)
      • Version 3: R1: Electronic Security Perimeters: all CCAs must reside within an ESP; R2: Electronic Access Controls; R3: Monitoring Electronic Access; R4: Cyber Vulnerability Assessment
      • Version 5: R1: Electronic Security Perimeters (reference Table R1 Electronic Security Perimeter for required criteria); R2: Interactive Remote Access Management (Table R2)
      • SANS Top 20: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment/Remediation; Critical Control 13: Boundary Defense; Critical Control 16: Account Monitoring and Control
  37. Unified Regulatory Control Framework – Example #2
      Columns: ISO 17799:2005 | COBIT 4.0 | SOX | PCI | NERC CIP | SANS Top 20

      Section 1: Risk Assessment
      1.1 Assessing Security Risks
      • ISO 17799: Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization
      • COBIT: Plan and Organize: PO9 Assess and Manage IT Risks; Monitor and Evaluate: ME3 Ensure Regulatory Compliance, ME4 Provide IT Governance
      • SOX: Risk Assessment; Objective Setting; Event Identification
      • PCI: N/A
      • NERC CIP: 002 – Critical Cyber Asset Identification
      • SANS Top 20: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment and Remediation
      1.2 Treating Security Risks
      • ISO 17799: Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties
      • COBIT: Plan and Organize: PO9 Assess and Manage IT Risks; Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control
      • SOX: Risk Response; Event Identification
      • PCI: N/A
      • NERC CIP: 002 – Critical Cyber Asset Identification; 007 – Systems Security Management; 008 – Incident Reporting and Response Planning
      • SANS Top 20: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized & Unauthorized Software; Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches; Critical Control 18: Incident Response and Management

      Section 2: Security Policy
      2.1 Information Security Policy
      • ISO 17799: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals.
      • COBIT: Plan and Organize: PO1 Define a Strategic IT Plan; PO4 Define the IT Processes, Organization and Relationships; PO6 Communicate Management Aims and Direction; PO7 Manage IT Human Resources
      • SOX: Internal Environment; Objective Setting; Risk Assessment
      • PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
      • NERC CIP: 003 – Security Management Controls
      • SANS Top 20: Critical Control 15: Controlled Access Based on Need to Know

      Section 3: Organization of Information Security
      3.1 Internal Organization
      • ISO 17799: A management framework should be established to initiate and control the implementation of information security within the organization
      • COBIT: Deliver and Support: DS5 Ensure Systems Security
      • SOX: Internal Environment; Control Activities; Information and Communication
      • PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
      • NERC CIP: 003 – Security Management Controls
      • SANS Top 20: Critical Control 15: Controlled Access Based on Need to Know
      3.2 External Parties
      • ISO 17799: To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
      • COBIT: Plan and Organize: PO8 Manage Quality; Deliver and Support: DS1 Define & Manage Service Levels, DS2 Manage Third-Party Services, DS5 Ensure Systems Security
      • SOX: Internal Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring
      • PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
      • NERC CIP: N/A
      • SANS Top 20: (not listed on the slide)
  46. Enterprise Control Management – Example
      Enterprise Control Automation
      • HR termination / position-based revocation of user access
      • Enterprise de-provisioning
      • Audit reporting
      Regulatory Requirements
      • NERC CIP, NIST, etc.: 24 / 48 hour de-provisioning to critical infrastructure
      • Sarbanes-Oxley (SOX): user access reviews
      Universal Control
      • Regulatory compliance becomes a byproduct of enterprise control automation
      • One control to satisfy operational security, compliance regulations and audit requirements
  47. Automated De-Provisioning
  48. Compliance Control
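Slide 46 makes the case that one automated de-provisioning control, driven by the HR termination feed, can serve operations, the NERC CIP / NIST revocation deadline and the SOX access review at the same time. The following is an added example of such a control check, not SAP's code or any part of its GRC products: it joins a termination feed to an account inventory, grades every account against a revocation deadline, and produces the summary an auditor would want plus the work queue an operator would want. The HR records and accounts are constructed, and the split of 24 hours for critical-infrastructure systems and 48 hours for everything else is an assumption made for illustration, not a reading of any particular standard.

```python
"""Termination-driven de-provisioning as a single enterprise control, as an added
example that is not SAP's code. One check evaluates the HR termination feed against
the account inventory and yields the evidence an operational owner, a NERC CIP/SOX
auditor and a security reviewer would each ask for. Deadlines and all records are
constructed; the 24 h / 48 h split by system criticality is an assumption."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: accounts on critical-infrastructure systems must be disabled within
# 24 h of the HR termination timestamp, all other enterprise systems within 48 h.
DEADLINE_HOURS = {True: 24, False: 48}

# Constructed HR termination feed: person id -> effective termination time.
HR_TERMINATIONS = {
    "E1001": datetime(2014, 8, 1, 17, 0),
    "E1002": datetime(2014, 8, 4, 9, 0),
    "E1003": datetime(2014, 8, 5, 12, 0),
}

# Constructed account inventory aggregated from several systems:
# (person id, system, critical-infrastructure flag, disabled-at or None if still active).
ACCOUNTS = [
    ("E1001", "ems-scada", True, datetime(2014, 8, 2, 8, 30)),
    ("E1001", "erp-finance", False, datetime(2014, 8, 4, 10, 0)),
    ("E1002", "ems-scada", True, None),
    ("E1003", "erp-finance", False, None),
    ("E1004", "erp-finance", False, None),  # active employee: out of scope
]

# Constructed time at which this control run is evaluated.
RUN_AT = datetime(2014, 8, 5, 18, 0)


@dataclass(frozen=True)
class Finding:
    person: str
    system: str
    deadline: datetime
    status: str  # REVOKED_ON_TIME | REVOKED_LATE | OVERDUE_ACTIVE | PENDING


def evaluate_deprovisioning(now):
    """Grade every terminated person's account against its revocation deadline."""
    findings = []
    for person, system, critical, disabled_at in ACCOUNTS:
        terminated_at = HR_TERMINATIONS.get(person)
        if terminated_at is None:
            continue  # no termination event: the control does not apply
        deadline = terminated_at + timedelta(hours=DEADLINE_HOURS[critical])
        if disabled_at is None:
            status = "OVERDUE_ACTIVE" if now > deadline else "PENDING"
        elif disabled_at <= deadline:
            status = "REVOKED_ON_TIME"
        else:
            status = "REVOKED_LATE"
        findings.append(Finding(person, system, deadline, status))
    return findings


def control_summary(findings):
    """Counts by status: the audit-report line for this control run."""
    return dict(Counter(f.status for f in findings))


def control_effective(findings):
    """The control passes only if nothing is late or still active past its deadline."""
    return not any(f.status in ("REVOKED_LATE", "OVERDUE_ACTIVE") for f in findings)


def overdue_active_accounts(findings):
    """Work queue for the de-provisioning owner: accounts needing immediate action."""
    return [(f.person, f.system) for f in findings if f.status == "OVERDUE_ACTIVE"]


if __name__ == "__main__":
    results = evaluate_deprovisioning(RUN_AT)
    for f in results:
        print(f"{f.person} {f.system:12} {f.status:16} deadline {f.deadline:%Y-%m-%d %H:%M}")
    print("summary:", control_summary(results), "effective:", control_effective(results))
    print("act now:", overdue_active_accounts(results))
```

Run at the constructed time, the check finds one account revoked on time, one revoked late on the non-critical system, one still-active account on the critical system past its deadline, and one still within its window. The same run produces the operational work queue (the overdue account), the audit evidence (the status counts) and the compliance verdict (control not effective), which is what the slide means by compliance as a byproduct of one enterprise control.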
  51. Customer value: compliance “just happens”
      • Centrally manage and report on regulatory and compliance requirements across the organization
      • Enable auditability for enterprise regulatory compliance processes
      • Reduce the cost and risk of control redundancy
  52. Example Utility Customer Profiles
      Pacific Gas & Electric
      • Eliminate manual activities associated with SOD & critical access risk
      • Reduce FTE hours required to prepare SOD reports
      • Provide compliance and business stakeholders visibility into the financial impact of risk to the organization
      Southern California Edison
      • Reduce costs of regulatory compliance & manual activities
      • Reduce audit-related costs for key IT & business controls
      • 100% visibility, monitoring & reporting of transactional activity
      Florida Power & Light
      • Enable enterprise SOD risk management
      • Automate manual compliant user provisioning / de-provisioning
      The EDF Group
      • Eliminate manual security processes
      • Automate risk management between SAP & CashPooler
