WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017
WECC Compliance Oversight, North 400 West, Suite 200, Salt Lake City, Utah
Table of Contents

1 Introduction
1.1 Purpose
1.2 Document Owner
1.3 Scope
2 ICE Overview
2.1 WECC ICE Team
2.2 Entity Participation in ICE Process
3 Process Workflow
3.1 Identify Scope of ICE
3.2 Collect Internal Controls Information
3.3 Assess Internal Controls Design
3.4 Test the Implementation of Internal Controls
3.5 Determine Maturity and Effectiveness of Entity's Internal Controls Program to Address Risk
4 Outputs of ICE
4.1 Utilization of Results
4.2 Sharing ICE Results with the Entity
4.3 ICE Process Feedback
5 Revision History
6 References
1 Introduction

This document describes WECC's process for Internal Controls Evaluation (ICE).

1.1 Purpose

The purpose of this document is to provide guidance to registered entities and WECC staff on WECC's Internal Controls Evaluation process.

1.2 Document Owner

WECC's Director of Compliance Risk Analysis is the owner of this document. The document owner may delegate coordination, but is responsible for:
- Reviewing, editing and updating
- Coordinating revisions across the Oversight Department Management
- Posting the process

1.3 Scope

The WECC ICE process is applicable to United States registered entities within WECC's footprint. WECC's international partners are not implementing the ERO Enterprise's Risk-Based Compliance Monitoring and Enforcement Program at this time.

The ICE process is not intended to determine an entity's compliance with the NERC Reliability Standards. Although unlikely, if during the ICE process WECC observes or discovers an instance of potential noncompliance, WECC will document the facts and circumstances of the potential noncompliance and recommend that the registered entity review it further and determine the necessity of Self Report submission to WECC. In the meantime, WECC will assess the risk associated with the potential noncompliance and determine the appropriate action pursuant to the risk-based CMEP.

The results of the ICE process do not change any obligation for an entity to be compliant with all NERC Reliability Standards applicable to the entity's functions. While the ICE process intends to inform the scope of WECC's Compliance Oversight Plan for a particular entity, the ICE should not be interpreted as a limitation to WECC's authority under the NERC Rules of Procedure to conduct any compliance monitoring activities as WECC may determine are appropriate.
2 ICE Overview

ICE is a process within NERC's Risk-Based Compliance Oversight Framework.[1] ICE participation is voluntary for registered entities. The main goal of this review is to understand the Registered Entity's internal controls program that prevents, detects, and/or corrects noncompliance with Reliability Standards.[2] The ICE results are an input into the development of the entity's Compliance Oversight Plan (COP).[3] Along with the Inherent Risk Assessment (IRA) results, ICE results are used to further determine the tools, frequency, and scope of monitoring for a Registered Entity.

2.1 WECC ICE Team

The ICE Process is a shared effort of the Compliance Audit Team and the Compliance Risk Analysis Team. WECC relies on the collective experience and professional judgment[4] of the Oversight staff during the ICE process.

2.2 Entity Participation in ICE Process

WECC collaborates with the entity throughout the ICE process to ensure WECC has current, appropriate, and sufficient information necessary to conduct the ICE and reach accurate conclusions. This collaboration may include phone calls, data requests, interviews, and onsite visits. During the ICE process, WECC will follow the documentation protocols listed in the NERC Internal Controls Evaluation Guide and rely on its professional judgment when gathering information from the entity. Entities are encouraged to provide an accurate and timely response to WECC requests for information.

[1] NERC, ERO Enterprise Guide for Compliance Monitoring, October, p. 1.
[2] In the context of the Risk-Based Compliance Oversight Framework, internal controls are the processes, practices, policies, or procedures, system applications and technology tools, and skilled human capital an entity employs to prevent, detect, and correct noncompliance with Reliability Standards and/or address risks associated with the reliable operation of its business. Examples may include: oversight, risk assessment, control activities, communications, and training and monitoring. Internal controls operate at both an entity or organizational level, as well as an activity or process level. NERC, ERO Enterprise Guide for Internal Controls, December 2016.
[3] As defined by NERC, the Compliance Oversight Plan (COP) is a plan consisting of the oversight strategy for a registered entity, including the list of standard requirements for monitoring, the CMEP tool to be used, and the interval of monitoring. Id.
[4] As defined by NERC, professional judgment represents the application of the collective, individual knowledge, skills, and experiences of all the personnel involved with a CMEP activity. Id.
3 Process Workflow

WECC follows five steps during the ICE process:
1. Identify scope of ICE.
2. Collect internal controls information.
3. Assess internal control design.
4. Test the implementation of internal controls.
5. Determine maturity and effectiveness of the Entity's Internal Controls Program to address risk.

3.1 Identify Scope of ICE

During this step, WECC uses the results of the IRA and COP to identify Standards and requirements that will be considered during the ICE. Any previous ICE results will be considered during the review of the COP before identifying new ICE scope. ICE will be performed on requirements that are associated with areas of medium or high inherent risk and have been identified for on-site monitoring based on the IRA and COP processes. Consideration will be given to the NERC and WECC CMEP IP Areas of Focus, performance-based requirements, and other trends noticed during COP review. At the end of this step, WECC notifies the Registered Entity of the Standards and requirements that will be considered for ICE.

3.2 Collect Internal Controls Information

During this step, WECC collects internal controls information from the entity through information requests for the specific Standards and requirements determined for the ICE scope. WECC will customize requests for information based on internal controls information already available to WECC through the IRA process and past CMEP activities (e.g., mitigation plan review or prior ICE). Entities participating in the ICE process will receive instruction on how to submit internal controls information to WECC. WECC will evaluate the sufficiency, timeliness, and credibility of the controls information prior to making any decisions about the effectiveness of the internal controls. At the end of this step, WECC has collected the entity's internal controls information relating to the inherent risks and associated requirements in scope of the ICE.
3.3 Assess Internal Controls Design

During this step, WECC evaluates the design of the internal control system as it relates to meeting a specific risk objective. Registered entities may have a variety of preventative, detective, or corrective controls that work together to support the objective of the NERC Reliability Standards. WECC considers internal controls specific to the requirements as well as overarching controls that are considered key controls implemented across all Business Units for ensuring compliance. WECC identifies whether the design of the controls provides reasonable assurance of compliance with the requirement or whether significant deficiencies exist.

3.4 Test the Implementation of Internal Controls[5]

During this step, WECC reviews supporting information that demonstrates that the entity is implementing the internal controls as designed. WECC gathers implementation information through documentation review, direct observation, interviews, or by collecting evidence that demonstrates performance of the control. In most cases, WECC will perform the implementation review concurrently with the entity's scheduled on-site audit. WECC relies on the professional judgment of the Oversight staff to determine the type and amount of information that is needed to provide reasonable assurance that the controls have been implemented.

3.5 Determine Maturity and Effectiveness of Entity's Internal Controls Program to Address Risk

During this step, WECC assesses the type, strength, and maturity of controls implemented by the entity. WECC's assessment may consider the following factors:
- Types of controls implemented (i.e., preventive, detective, or corrective)
- Strength of controls evidence submitted
- Depth of controls documentation
- Ability to override controls
- Management supervision and oversight of controls
- Use of technology (manual versus automated) in implementing the controls
- Conflict of interest and segregation of duties for personnel implementing the controls
- Independent review and testing of internal controls by the entity
- Process for consistent implementation of internal controls

[5] WECC may perform steps 3.3 and 3.4 concurrently or as separate, but closely timed, activities.
Based on these factors, WECC makes decisions about the effectiveness of the internal controls at addressing the risks in the scope of ICE. WECC documents any design or implementation deficiencies that may prevent the internal controls from meeting their objective.

4 Outputs of ICE

The output of the ICE process is:
- A list of assessed internal controls and results of internal control design and implementation effectiveness
- Impact to the entity's COP based on this review

4.1 Utilization of Results

WECC uses results of the ICE process to determine whether the entity has implemented internal controls that provide reasonable assurance of compliance with the Standards. WECC considers the IRA, entity performance information, regional risk information, and ICE results during development of the entity's COP. After completing the ICE process, WECC retains relevant documentation that supports the analysis performed during the ICE process. The retained documentation may be used during subsequent reviews or revisions of the entity's ICE.

4.2 Sharing ICE Results with the Entity

After the ICE process is complete, WECC provides the entity with an ICE Report. The ICE Report identifies areas of strength in the entity's internal controls environment and areas of improvement in controls design or implementation. Following the ICE Report, WECC updates the entity's COP based on the results of the ICE process. The COP specifies the compliance oversight tools WECC will use to monitor the entity's risks and associated Standards.

4.3 ICE Process Feedback

Entities will have the opportunity to share feedback with WECC on the ICE process. The feedback should be specific to the ICE process itself, including ideas that WECC may consider to further improve and refine the ICE process. WECC will continue to provide feedback to NERC on lessons learned during the ICE process. WECC's feedback to NERC may include metrics such as the completion of IRAs and ICEs for entities across WECC, how an entity's IRA and ICE impacts a scheduled audit, and the average time taken by WECC to initiate and complete IRA and ICE processes before a scheduled or nonscheduled compliance monitoring engagement.
5 Revision History

Revision  Date       Modified By    Comments
1         6/17/2014  Keshav Sarin   Original Version
2         10/1/2017  Jennifer Hart  Updated to align with ERO Enterprise Guide for Internal Controls (December 2016). Clarifies process for gathering controls information, evaluating the effectiveness of controls, and performing periodic revisions to ICE. Removes concept of key controls and partially/largely/fully implemented rating scale.

6 References

- NERC Rules of Procedure
- NERC Overview of the ERO Enterprise's Risk-Based Compliance Monitoring and Enforcement Program
- NERC Annual ERO CMEP Implementation Plan
- NERC ERO Enterprise Guide for Compliance Monitoring
- NERC ERO Enterprise Guide for Internal Controls
- Generally Accepted Government Auditing Standards
- WECC CMEP Implementation Plan
More informationPosition Description IT Auditor
Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership
More informationSummary of FERC Order No. 791
Summary of FERC Order No. 791 On November 22, 2013, the Federal Energy Regulatory Commission ( FERC or Commission ) issued Order No. 791 adopting a rule that approved Version 5 of the Critical Infrastructure
More informationReliability Standard Audit Worksheet 1
Reliability Standard Audit Worksheet 1 FAC-003-4 Transmission Vegetation Management. Registered Entity Name: Applicable Function(s): Applicable only for TO and GO Compliance Monitoring Method: RSAW Version:
More informationProject Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives
Project 2014-02 - Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Violation Risk Factor and Justifications The tables
More informationStandard CIP Cyber Security Security Management Controls
A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-4 3. Purpose: Standard CIP-003-4 requires that Responsible Entities have minimum security management controls in
More informationMNsure Privacy Program Strategic Plan FY
MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft
More informationReviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.
Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003
More informationREPORT 2015/010 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/010 Audit of information and communications technology strategic planning, governance and management in the Investment Management Division of the United Nations Joint
More informationNERC Request for Data or Information: Protection System Misoperation Data Collection August 14, 2014
Request for Data or Information Protection System Misoperation Data Collection August 14, 2014 3353 Peachtree Road NE Suite 600, North Tower Atlanta, GA 30326 404-446-2560 www.nerc.com 1 of 15 Table of
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationStandards Authorization Request Form
Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.
More informationCIP Cyber Security Recovery Plans for BES Cyber Systems
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationCERTIFICATE SCHEME THE MATERIAL HEALTH CERTIFICATE PROGRAM. Version 1.1. April 2015
CERTIFICATE SCHEME For THE MATERIAL HEALTH CERTIFICATE PROGRAM Version 1.1 April 2015 Copyright Cradle to Cradle Products Innovation Institute, 2015 1 Purpose The intention of the Certificate Scheme is
More informationInternal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit
Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based
More informationCIP Cyber Security Recovery Plans for BES Cyber Systems
A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan
More informationChapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017
Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017 Copyright 2017 International Finance Corporation. All rights reserved. The material in this publication is copyrighted by International
More informationViolation Risk Factor and Violation Severity Level Justification Project Modifications to CIP-008 Cyber Security Incident Reporting
Violation Risk Factor and Justification Project 2018-02 Modifications to CIP-008 Cyber Security Incident Reporting This document provides the standard drafting team s (SDT s) justification for assignment
More informationRegistered Entity Self-Report and Mitigation Plan User Guide
Registered Entity Self-Report and Mitigation Plan User Guide June 2018 NERC Report Title Report Date I Table of Contents Preface...1 Disclaimer...2 Document Revisions...3 Introduction...4 Chapter 1: Description
More informationStandard COM Communication and Coordination
A. Introduction 1. Title: Communication and Coordination 2. Number: COM-002-3 3. Purpose: To ensure Emergency communications between operating personnel are effective. 4. Applicability 4.1. Reliability
More informationAmerican Association for Laboratory Accreditation
R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.
More informationEEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,
EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)
More informationRecords Retention Policy
June 21, 2017 Table of Contents 1 Introduction...3 1.1 Purpose...3 1.2 Scope...3 1.3 Review Cycle...3 1.4 Document Owner...3 1.5 Definitions...3 2 Policy...4 2.1 Records and Record Storage...4 2.2 Applicable
More informationStandard CIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-1 3. Purpose: Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing
More informationInstructions for Participating in ASHRAE s. Commissioning Process Management Professional (CPMP) Certification Program
Instructions for Participating in ASHRAE s Commissioning Process Management Professional (CPMP) Certification Program Effective date: 10/06/2009 Related Resources Resources available to help prepare for
More information