Convergence of BCM and Information Security at Direct Energy

Similar documents
ISO/ IEC (ITSM) Certification Roadmap

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

INTELLIGENCE DRIVEN GRC FOR SECURITY

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Public Safety Canada. Audit of the Business Continuity Planning Program

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Position Description IT Auditor

Turning Risk into Advantage

Enterprise GRC Implementation

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Appendix 3 Disaster Recovery Plan

IT Progress Report. Presented by: Owen Brady Director of Information Technology. Board. 19 th March 2015

ServiceNow knowledge 2016

Addressing Vulnerabilities By Integrating Your Incident Response Plans. Brian Coates Enaxis Consulting

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Business Continuity An Integral Part of Risk Management At Constellation Energy

TSC Business Continuity & Disaster Recovery Session

TX CIO Leadership Journey Texas CIOs Bowden Hight Texas Health and Human Services Commission Tim Jennings Texas Department of Transportation Mark

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

Canada Life Cyber Security Statement 2018

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Certified Information Security Manager (CISM) Course Overview

OVERVIEW BROCHURE GRC. When you have to be right

Cyber Resilience. Think18. Felicity March IBM Corporation

BHConsulting. Your trusted cybersecurity partner

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Improving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Risk Advisory Academy Training Brochure

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

Security Director - VisionFund International

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

Run the business. Not the risks.

Country Focus: USA +2.2% $43 5.7% Trillion 21.7% of the total global GDP 1 Government Spending on Infrastructure. 80% of GDP. 3% of GDP.

M&A Cyber Security Due Diligence

Accelerate Your Enterprise Private Cloud Initiative

CISM Certified Information Security Manager

SOLUTION BRIEF RSA ARCHER BUSINESS RESILIENCY

Avanade s Approach to Client Data Protection

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

STRATEGY STATEMENT OF QUALIFICATIONS

How Cisco IT Improved Development Processes with a New Operating Model

NOW IS THE TIME. to secure our future

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

The Business Value of including Cybersecurity and Vendor Risk in ERM

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

ISACA Greater Kansas City Chapter

Green Governance Growth

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

Global Security Consulting Services, compliancy and risk asessment services

Dell helps you simplify IT

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

TRANSCANADA S AUDIT FOUNDATION FOR THE EXPANSION OF BUSINESS OPERATIONS

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

No More Security Empires The CISO as an Individual Contributor

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers

IT123: SABSA Foundation Training

Symantec Data Center Transformation

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

REPORT 2015/010 INTERNAL AUDIT DIVISION

Building a BC/DR Control Library and Regulatory Response Program

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

,000+ What is the BCI Corporate Partnership? What are the benefits of becoming a Corporate Partner? Levels of Partnership

Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

Implementing ITIL v3 Service Lifecycle

2 The IBM Data Governance Unified Process

Our key considerations include:

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Demystifying GRC. Abstract

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Eastern standard time

HCL GRC IT AUDIT & ASSURANCE SERVICES

Cyber Secure Dashboard Cyber Insurance Portfolio Analysis of Risk (CIPAR) Cyber insurance Legal Analytics Database (CLAD)

Leveraging COBIT to Implement Information Security

BHConsulting. Your trusted cybersecurity partner

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Why you should adopt the NIST Cybersecurity Framework

Achieving effective risk management and continuous compliance with Deloitte and SAP

Sungard Availability Services Information Availability... Delivers

What is ISO/IEC 20000?

Memorandum APPENDIX 2. April 3, Audit Committee

Data Governance Quick Start

Manchester Metropolitan University Information Security Strategy

Driving Global Resilience

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Improve Internal Controls with Governance, Risk, and Compliance Solutions

New Zealand Government IBM Infrastructure as a Service

Transcription:

Convergence of BCM and Information Security at Direct Energy Karen Kemp Direct Energy Session ID: GRC-403 Session Classification: Advanced

About Direct Energy Direct Energy was acquired by Centrica Plc in 2000 In ten years Direct Energy has grown into a large multinational organization over 6 million customer relationships more than 70 facilities across North America over 6000 employees Winner of the 2008 Disaster Recovery Institute Canada (DRIC) Award of Excellence in 2008 for large organizations in Business Continuity Management 2

A History of Growth 3

Marketplace

Early Days 5

Early Business Model Direct Energy Canada East Canada West US South Growth Markets Gas Electricity Services Upstream Gas Gas Electricity Services Gas Electricity Services Generation Gas Electricity

Lets add BCM! 2002 IBM Commissioned to conduct a Business Impact Analysis 2003 Permanent BCM position added 2003 BCM Policy issued Q3 2003 Q1 2004 Business Impact Analysis activities in earnest across North America Mandate to achieve was directly linked to the CEO s performance objectives

Implementation of BCM 8

BCM Matures in DE.. Cultural Integration was critical to BCM Success The execution of the Business Continuity Program supports DE s brand promise to be a resilient and responsible service provider The program was well started and achieving success as evident in the 2005 Platinum Award for the execution of plans during Hurricane Rita in Texas

Data Centre Recovery Risk = Single Data Centre Risk factors: Atria III Located along two of the largest busiest highways in Canada Located on the glide path of Pearson and Buttonville Airports Close proximity to major rail lines Largest single risk to the company

Recovery Data Centre Design Dual data centre design Split processing to minimize impact of any potential event Loss limited due to distributed nature of applications and hardware Resilience in power sources (two separate grids) Fit for purpose site building in a building design

Networking Resilience The team implemented an advanced high capacity, self healing communications network connecting our data centers and key business locations. This ring network significantly increased network redundancy

Fibre Ring Approach Removed single points of failure throughout the GTA, and provide enhanced redundancy for many others: 7 critical buildings throughout the GTA 1x wireless network (circa 2005) MPLS connections to Stamford, Houston and Calgary The network was implemented at less than the cost of a traditional point-to-point network and can carry 100 times the capacity.

Data Centre Recovery Completed December 05 The project took over two years to complete The BCM team maintained close contact with all lines of business, third parties and the internal IT team Another outstanding achievement of this program is the cost of operation. This innovative and robust solution was designed so well that additional IS staffing levels are not required Mitigation of value at risk is never easily stated but conservative estimates place risk avoidance values in multimillion dollar range

Things Change 15

2005 Re-organization Central Operations is outsourced BCM function moved to IS New CIO hired in March 2005 New CIO reports to the CEO and is a member of the top team Promoted to IS Leadership Functional addition: IS Audit Liaison, Controls and Compliance

The beginning of convergence The addition of the Information Security governance role prompted a shift in thinking within the team What is our current level of security? An additional FTE was required

Complex Operating Landscape Multiple regulators Multiple legal jurisdictions Multiple market operators Multiple states and privacy/records regulations Multiple industry regulations (i.e. PCI)

Adding Controls 19

Integrated Control Framework Revision and reissue of the Information Security Policy from 124 pages down to 33 (2006) The framework is the glue that connects the team

Foundation for the Framework COBIT was selected as the blueprint or the Information Technology General Controls (ITGC) and the connection to the COSO financial framework ISO 27001 (formerly 17799) was selected to cover technical and application controls Once the base was established other regulations and/or standards such as PCI, NERC Cyber Infrastructure Protection Standards were mapped to the framework

Send in the consultants! An independent review of the control framework was commissioned A CobiT assessment and documentation project was executed by PWC

ICF Project Execution The project consisted of the following activities: Selection of key IT processes and control objectives. A high level understanding of the control activities with process owners. An overall maturity assessment for each IT process based on the control objectives selected. Identification of gaps that require remediation. Review and agree assessment results

ICF Project Scope The CobiT framework identifies 34 processes and 318 control objectives for measuring the effectiveness of IT management 23 of 34 processes were selected as applicable and high priority The directors and staff from Infrastructure Services, Operation Services, Corporate Systems, Operations Risk and Business Management were interviewed to evaluate the design effectiveness of the IT processes and key control activities

ICF Cobit Control Objectives

Improved Understanding Work on the control framework was underway Processes were documented and recorded with owners in the framework Engagement in the change management process (5 methods for 4 LOB and Core IS) Change was required to support the reorganization from the Information Security perspective

Things Change Again 27

2007 Reorganization Direct Energy Residential Business Services Upstream 28

Information Security within IS It appears that fragments of the governance and/or assurance for Information Security within projects is placed within the project delivery teams in IS Core The enterprise re-organization was the opportunity to make important changes and functional alignments

Areas for Improvement Synergies were obvious in the following areas: Placement of the Information Security function Change management process Automation of the integrated controls framework These areas required the participation of each team in order to ensure that we had the proper alignment across all functions

Operational Risk 2007/08 Director Operational Risk Manager BCM Manager Information Security Manager IS Audit and Controls 2 FTE 3 FTE 2 FTE 31

Change so many projects, so few resources Given the size of the team it was not possible to gain full engagement in the change process What was needed was a tool to prioritize the work using a risk based approach The team began work on the ORD Engagement model

Team Requirements BCM ensures updated BIAs, strategies and finally plans accommodate ongoing change Information Security ensures that the security levels for the project are consistent with our policies and other obligations (up front) In some, but not all, cases the Audit and Controls group would be required to conduct audits for project assurance

How to automate? 34

Tool requirements The involvement of all players within Direct Energy Defined a framework and process whereby Operational Risk Department can engage with Business Units, Core IS The ability to facilitate the implementation and monitoring of information risk processes

ICF Automation The control framework is built in Sharepoint largely by Operational Risk staff Small investments for internal development have enabled the team to extend and leverage the ICF across IS and enterprise to support and enable the financial RICF program

ICF Structure 37

Cost savings The team is able to leverage the ICF for: Automation of administrative functions such as email reminders for outstanding gaps Single repository for the IS control environment information including: Process details Design details Testing details

Conclusion 39

Staff Synergies Mergers and acquisition work can encompass both disciplines Third party audits can encompass both disciplines Change management oversight and insights shared amongst the teams Incident management teams can have cross trained members and leaders

The experiment continues.. Active career management with formal cross training requirements We have added a controls speciality to our team which will add BCM to a traditionally Information Security function More interaction with other risk disciplines (i.e. Internal Audit, RICF) Development of Enterprise Risk Management Capabilities

What can you do? Investigate the use of internal applications to support development of control frameworks rather than niche tools Stop talking about differences and try to seek synergies to provide more value to the business Actively manage risk/security/bcm staff. This creates more opportunities and cross functional employees to increase the resilience of your limited resources 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback