Internal Controls Evaluation (ICE) Processing


Internal Controls Evaluation (ICE)
September 28, 2017
RAM-102

Florida Reliability Coordinating Council
3000 Bayport Drive, Suite 600
Tampa, Florida 33607-8411
(813) 289-5644 Phone
(813) 289-5646 Fax
www.frcc.com

Table of Contents
Page 3 of 8

1.0 Purpose and Scope ... 4
1.1 Purpose ... 4
1.2 Scope ... 4
2.0 Background ... 4
2.1 Terms and Definitions ... 4
3.0 Responsibilities ... 5
3.1 Procedure Owner ... 5
4.0 Procedure ... 5
5.0 Reference Section ... 7
Appendix A Using the Work of Others ... 8
Overview ... 8
Evaluation ... 8

1.0 Purpose and Scope

1.1 Purpose
This procedure provides the steps to be taken by FRCC Risk Assessment and Mitigation (RAM) Specialist(s) to perform an Internal Controls Evaluation (ICE) for a Registered Entity (entity). An ICE is performed only upon request from an entity. It uses the output of the Inherent Risk Assessment (IRA) to determine the potential Standards and Requirements for review. This document also identifies the tools to be used.

1.2 Scope
This procedure applies to the performance of Internal Controls Evaluations by the RAM team within FRCC.

2.0 Background

2.1 Terms and Definitions [1]
2.1.1 Preventive controls: controls established as the first line of defense, designed to keep the fault or error from occurring in the first place. A preventive control stops a determined consequence, issue, threat, loss, or harm from occurring.
2.1.2 Detective controls: controls designed to detect an error condition or fault after it has occurred, or to identify instances where practices or procedures were not followed.
2.1.3 Corrective controls: controls designed to correct the error condition or fault after it has been detected. These controls restore the system or process to the stable state that existed before the error condition; they fix the problem during, or immediately after, the issue has occurred, minimizing its impact.

[1] NERC ERO Enterprise Guide for Internal Controls, Version 2

3.0 Responsibilities

3.1 Procedure Owner
3.1.1 The FRCC Manager of Risk Assessment and Mitigation is responsible for maintaining this procedure as necessary to keep it current with the latest North American Electric Reliability Corporation (NERC) Rules of Procedure, Compliance Monitoring and Enforcement Program (Appendix 4C), and established FRCC procedures.
3.1.2 This procedure will be reviewed when changes to departmental procedures or the NERC Rules of Procedure occur that could affect this process. In addition, a review will be performed at least once every three (3) years from the last update. Each review shall be documented in the Review/Modification section of this document.
3.1.3 This procedure will be approved by the FRCC Manager of Risk Assessment and Mitigation, the FRCC Director of Enforcement, Risk Assessment and Mitigation, and the VP Compliance, Enforcement and Reliability Performance.

4.0 Procedure

4.1 Within thirty days of receipt of the request for an ICE, the RAM Specialist will use the output from the IRA to review the list of Standards/Requirements identified as moderate or high risk, and will collaborate with the entity to determine the Standards/Requirements to be included in the ICE. FRCC will only perform an ICE for selected moderate- and high-risk requirements as identified in the IRA.

4.2 When selection of the Standards/Requirements is complete, the RAM Specialist will notify the entity by email with the Registered Entity Internal Controls by Standard worksheet (worksheet) and the ICE Entity Guide (guide) attached. The guide provides the entity with instructions for completing the worksheet. The email is to contain instructions for returning the completed worksheet and any supporting materials to the FRCC Secure Transfer site within 15 days.

4.3 Within 15 days of receiving the worksheet, the RAM Specialist will review the information provided to determine whether further information is required. If further information is required, the RAM Specialist will issue the appropriate information request.

4.4 The entity may provide the work of others as part of its response, as evidence that internal controls are implemented and functioning as documented (see Appendix A, Using the Work of Others).

4.5 Within ninety days the RAM Specialist will perform an assessment of the entity's internal controls using the ICE Worksheet to determine the effectiveness of the controls. The assessment will include, but is not limited to, the following:
- Automation of the internal controls
- Compensating and supporting internal controls
- Entity identification of key controls
- Level of available internal controls documentation
- Peer review of key controls within the registered entity
- Feedback on control design processes (whether others in the entity review the control design)
- The registered entity's internal review and testing of existing internal controls
- Frequency of execution
- Maturity of internal controls (length of time in use)

4.6 The RAM Specialist will assess and rate the quality of the preventive, detective, and corrective controls using one of the following options:

Fully Implemented (FI): Controls are in effect 24x7 and will prevent, detect, or correct the determined consequence. The entity has implemented many controls that directly prevent, detect, or correct the consequence, has provided evidence of their implementation, and the review confirms that the controls have been implemented. The entity's personnel are very well trained on these controls. Controls cannot be overridden without management notification and resolution of the issue.

Largely Implemented (LI): Controls are in effect most of the time and could prevent, detect, or correct the determined consequence. The entity has implemented many controls that could directly prevent, detect, or correct the consequence. The review, whether based on evidence provided by the entity, a site visit, or an interview with the entity, has provided evidence of the implementation. The entity's personnel are generally trained on these controls.

Partially Implemented (PI): The entity has implemented some controls, but either they are not in effect at all times or the controls are weaker (i.e., they could only indirectly affect the consequence). Some reasonable assurance has been identified to indicate that these controls have been implemented. The entity's personnel are aware of these controls.

Not Implemented (NI): The entity has some controls defined, but no assurance has been identified to indicate that they have been implemented. Not all entity personnel are aware of the controls.

Missing: The entity does not have any controls that could directly prevent the consequence, and the RAM Specialist strongly believes that no controls have been implemented. The entity's personnel are not aware of any controls.

Not Applicable: Preventive controls are not applicable to this requirement. This is not a common choice.

4.7 The RAM Specialist will document the results of the ICE using the ICE worksheet.

4.8 Once the assessment has been completed, the RAM Specialist will populate the ICE Summary Report and update the entity's IRA worksheets. The report is then shared with the FRCC Monitoring representative to inform potential updates to the Compliance Oversight Plan (COP).

4.9 Upon completion of the Monitoring review, the RAM Specialist will call the entity to coordinate the method of delivery (face-to-face, WebEx, etc.) of the ICE Summary Report, deliver it to the entity within 15 days of completion, and supply the entity with a written copy of the results.

5.0 Reference Section

5.1 NERC ERO Enterprise Inherent Risk Assessment Guide, October 2014
5.2 NERC ERO Enterprise Internal Control Evaluation Guide, October 2014
5.3 NERC ERO Enterprise Guide for Internal Controls, Version 2, September 2017

Appendix A Using the Work of Others

Overview
Many entities employ an independent team to assess compliance with their risk management strategy, which includes adherence to NERC Reliability Standards. An independent internal control evaluation may be conducted by a specialist, a government entity (such as the Government Accountability Office or the Nuclear Regulatory Commission), a contractor commissioned by the entity as a disinterested third party, or an internal department within the entity that is independent of the department performing reliability standards operations.

Evaluation
If a registered entity seeks to have the RAM Specialist rely on the work of others, the RAM Specialist may review the independence, capabilities, and competencies of the individuals who performed the review, along with any relevant documentation related to the assessment itself, for consideration as part of the ICE assessment. In addition, the RAM Specialist will review the work of others, including analysis, reports, and similar materials, to determine its impact on the assessment. The information regarding an entity's independent review will be gathered when the entity supplies its response to the Registered Entity Internal Controls by Standard worksheet (see 4.2). Any additional information requests will be sent to the entity as necessary.