NERC Cyber Security Compliance Consulting Services
HCL Governance, Risk & Compliance Practice
Overview

The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed "to ensure that the bulk electric system in North America is reliable, adequate and secure." As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system.

Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems.

NERC CIP Standards seek to address the question "How well protected is this critical infrastructure?" Compliance with these standards can be both risky and complicated given the differences between electrical utilities and the newness of the standards. Certainly, the remoteness of power generation and the wide coverage of electric transmission greatly complicate the job of securing these assets from direct attack.

The HCL Governance, Risk & Compliance (GRC) consulting practice offers market-leading services to organizations seeking compliance support for the NERC CIP standards, improving their security and governance posture while reducing cost. Many of our Managed Security Services and Professional Services align with the NERC CIP Cyber Security Standards, allowing organizations to meet and exceed the requirements they set forth. Starting from a compliance health check, HCL can work with your organization to implement the resulting recommendations, providing technical, documentation and project management support.



Challenges Addressed

• Lack of confidence in the organizational security posture, and a siloed approach across the engineering, operations and IT departments
• Real-time systems make patch application, validation and user authentication difficult
• Cyber security requires a toolset and knowledge base that is traditionally not found in the same experience pool that understands and manages the day-to-day operations of a power grid
• Diversified risk-assessment approaches
• Lack of basic security mechanisms in SCADA/EMS and DCS designs when compared to standard business information systems
• High cost of audit and compliance sustenance

HCL GRC's focus is to offer end-to-end "Advisory" and "Implementation" services that enable an organization to meet the business objectives of its NERC Cyber Security Compliance initiative.




Approach – NERC Cyber Security compliance




The HCL GRC team can assist Responsible Entities by offering a comprehensive program of capabilities that enable NERC standards compliance in a cost-effective and timely manner. The spectrum of HCL services covers the complete gamut of standards CIP-002 through CIP-009, providing a solution that supports robust and reliable operation of bulk electric systems. The approach and key activities are detailed below.

NERC Requirement / HCL GRC Capability / Deliverables

CIP-002-1 – Critical Cyber Asset Identification
  HCL GRC capability:
  • Automated enterprise discovery of critical assets
  • Identification of critical assets by client and HCL SMEs with qualified experience in grid analysis
  • Risk-based assessment, analysis and prioritization by application
  Deliverables:
  • Inventory of Critical Cyber Assets
  • Risk library pertaining to cyber asset operations
  • Annual reviews

CIP-003-1 – Management Control – Cyber Security Policy
  HCL GRC capability:
  • Policy evaluation and analysis
  • Policy documentation
  Deliverables:
  • Enhanced Cyber Security Policy for NERC compliance

CIP-003-1 – Management Control – Leadership & Exceptions
  HCL GRC capability:
  • Establishing a Security Program Management Office for compliance
  Deliverables:
  • Established governance for NERC compliance management and reporting

CIP-003-1 – Management Control – Information Protection
  HCL GRC capability:
  • Catalogued information classification for Critical Cyber Assets
  • Defining access controls, encryption and procedures for disposal, printing and other tasks
  Deliverables:
  • Information classification procedures
  • Data security reference architecture
  • System security and disaster recovery plan

CIP-003-1 – Management Control – Access Controls
  HCL GRC capability:
  • Modeling of role-based access control for internet-facing systems and critical back-end solutions
  Deliverables:
  • Access control policies and procedures

CIP-003-1 – Management Control – Change Management
  HCL GRC capability:
  • Establishing change management procedures
  • Conducting impact analysis of changes (including configuration changes)
  • Enabling functional testing of changes
  • Review of corporate and process control networks (SCADA)
  Deliverables:
  • Change management and control process
  • Back-out procedures
  • Security enforcement policy

CIP-004-1 – Personnel & Training – Awareness
  HCL GRC capability:
  • Conducting security awareness evaluations and an employee assertion program
  • Security awareness training plan development
  Deliverables:
  • Security awareness report
  • Training roadmap

CIP-004-1 – Personnel & Training – Training
  HCL GRC capability:
  • Identification and deployment of role-based training
  Deliverables:
  • Specific procedural training modules

CIP-004-1 – Personnel & Training – Personnel Risk Assessment
  HCL GRC capability:
  • Development of personnel background check policies and procedures
  Deliverables:
  • Background check policy

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Security Perimeter
  HCL GRC capability:
  • Identification of control points, ports and services
  • Conducting vulnerability assessments and penetration testing
  Deliverables:
  • Vulnerability and penetration assessment report
  • Remediation report
  • Firewall implementation procedures

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Access Controls
  HCL GRC capability:
  • Development of authentication procedures
  • Firewall audits
  • Log management and review
  • Real-time threat analysis through the SOC (including NIPS and HIPS)
  Deliverables:
  • Authentication procedures
  • Audit reports
  • Log review and reporting
  • Threat analysis report

CIP-005-1 – Electronic Security Perimeter(s) – Documentation Review & Maintenance
  HCL GRC capability:
  • Documentation of all systems within the electronic security perimeters
  • Quarterly review of all documentation
  Deliverables:
  • Documentation of network changes

CIP-006-1 – Physical Security Program
  HCL GRC capability:
  • Assessment of the facilities' physical security
  • Assessment of the organization's physical security plan
  • Development of log and DVR retention policies
  • Physical security audits
  Deliverables:
  • Physical security assessment report
  • Log retention and governance policies

CIP-007-1 – System Security Management
  HCL GRC capability:
  • Evaluation of test procedures for patch management, device management and anti-virus policies
  • Documentation of the non-critical cyber asset policy
  • Creating an inventory of non-critical cyber assets
  • Policy documentation for malware and malicious software prevention
  • Documentation and enforcement of the password management policy
  • Policy creation for disposal and redeployment of cyber assets
  • Establishing governance and organizational structure for documentation and policy review
  Deliverables:
  • Malicious software prevention policy
  • Test procedures and controls for device management
  • Password policy
  • Asset disposal policy
  • Identity management process
  • Security incident management process
  • Documentation lifecycle process

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Response Plan
  HCL GRC capability:
  • Assessment of incident management procedures
  • Documentation of the business continuity plan
  • Testing of the business continuity plan
  • Process for retention of incident logs
  Deliverables:
  • Incident management procedures
  • Business continuity plan
  • Business continuity test procedures

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Documentation
  HCL GRC capability:
  • Process for retention of incident logs
  Deliverables:
  • Log retention policy

CIP-009-1 – Disaster Recovery – Recovery Plan, Backup & Restore, Testing of Backup Media
  HCL GRC capability:
  • Identification and definition of action triggers, acceptable downtime service levels and acceptable data loss
  • Development of verification criteria and procedures
  Deliverables:
  • Disaster Recovery Plan
  • Backup procedures
  • Test plan for backup storage

CIP-009-1 – Disaster Recovery – Exercises
  HCL GRC capability:
  • Conducting DR drills
  Deliverables:
  • DR test report
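The CIP-005 item "identification of control points, ports and services" and the CIP-007 ports-and-services test procedures listed above only produce audit evidence if they are repeatable: each Cyber Asset's observed listeners must be compared against the ports the entity has documented as required. The following Python is an added illustration of that comparison, not HCL's or NERC's material. The asset names, approved ports and ss(8) output are constructed, and the shape of the baseline (asset name mapped to a set of protocol/port pairs) is an assumption for the example.

```python
"""Ports-and-services baseline check for Cyber Assets inside an Electronic
Security Perimeter (ESP).  Added example, not HCL's or NERC's code; every
asset name, port and ss(8) line below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: ports the entity has documented as required for each asset.
BASELINE = {
    "ems-scada-01": {("tcp", 22), ("tcp", 502), ("tcp", 20000)},  # SSH, Modbus/TCP, DNP3
    "hist-01": {("tcp", 22), ("tcp", 443)},
    "eap-fw-01": {("tcp", 22)},
}

# Constructed: `ss -lntu` output as collected from one asset.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:502         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:20000       0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""


def parse_ss(text, include_loopback=False):
    """Turn `ss -lntu` output into a set of (proto, port) tuples.

    Loopback-bound listeners are dropped by default because they are not
    reachable across the ESP boundary; pass include_loopback=True to keep them.
    """
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":  # blank or header row
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")      # handles "[::]:22" as well
        addr = addr.strip("[]")
        if not port.isdigit():
            continue
        if not include_loopback and addr in ("127.0.0.1", "::1"):
            continue
        ports.add((proto, int(port)))
    return ports


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str  # "high": undocumented exposure, "medium": evidence gap, "info": stale baseline
    detail: str


def compare_ports(baseline, observed):
    """Compare observed listeners against the approved baseline, per asset.

    Assets present in only one of the two mappings are findings in their own
    right: a listening asset that is undocumented, or a documented asset that
    was never inventoried, cannot be shown compliant.
    """
    findings = []
    for asset in sorted(set(baseline) | set(observed)):
        if asset not in baseline:
            seen = ", ".join(f"{p}/{n}" for p, n in sorted(observed[asset]))
            findings.append(Finding(asset, "high", f"listening but absent from documented ESP inventory: {seen}"))
            continue
        if asset not in observed:
            findings.append(Finding(asset, "medium", "no listener inventory collected"))
            continue
        for proto, port in sorted(observed[asset] - baseline[asset]):
            findings.append(Finding(asset, "high", f"{proto}/{port} listening but not in approved baseline"))
        for proto, port in sorted(baseline[asset] - observed[asset]):
            findings.append(Finding(asset, "info", f"{proto}/{port} approved but not listening"))
    return findings


def run_sample():
    """Assemble the constructed inventories and return the findings list."""
    observed = {
        "ems-scada-01": parse_ss(SS_SAMPLE),
        "hist-01": {("tcp", 443)},      # SSH approved but not running
        "eng-ws-07": {("tcp", 3389)},   # asset never documented
    }
    return compare_ports(BASELINE, observed)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:6}] {f.asset}: {f.detail}")
```

The three severities map onto what an auditor actually asks for: "high" findings are ports or assets that need either a documented justification or a change to close them, "medium" findings mean the entity has no evidence for that asset at all, and "info" findings point at a baseline that should be refreshed so the documentation keeps matching the systems.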




Automated NERC Compliance Management – GRC Manager

Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Some of the most pervasive and difficult of these obstacles include:

• Multiple regulatory bodies and requirements
• High cost of defining controls
• High cost of demonstrating compliance
• Budget impacts of NERC and other regulatory efforts on the business
• Allocation of resources away from key business initiatives
• Difficulty with ongoing sustainability of ad-hoc compliance projects

In order to mitigate these challenges and offer streamlined sustenance of compliance, HCL has partnered with various GRC platform vendors and helps Energy & Utilities organizations establish an automated solution with an optimal blend of centralization, monitoring and reporting for effective oversight. The GRC platform can also be used for implementing governance initiatives, such as programs for Standards of Conduct and Environmental Health and Safety (EH&S), through document control, compliance training and ongoing auditing, as well as recording and reporting of Federal Energy Regulatory Commission (FERC)-related violations or process nonconformance and the resulting corrective actions.

Some of the basic features of the automated GRC platform are:

• Capturing, compiling and reporting compliance information
• Dynamic real-time analysis of risks and controls
• Single global repository for risks and controls
• Integrated industry-standard framework for control optimization
• Role-based dashboards that streamline decision making
• Integrated program resource management capabilities to manage control remediation
• Integration with enterprise business systems for audit evidence collection

A sample snapshot from the automated GRC platform is shown below.

Figure 1. Governance Risk and Compliance Platform

Why choose HCL

• One-stop shop for all your information security and compliance needs
• Matured consulting framework with an integrated solution implementation methodology to reduce compliance cost
• Strong engineering and R&D practice with a focus on the Energy & Utilities vertical
• Expertise across all micro-verticals in Electric, Gas distribution, Water and Waste Water/Recycling Utilities
• First in APAC and amongst only 9 companies in the world to receive Cisco's Master Security Certification
• Accredited by the Govt. of India CERT as a provider of Information Security Assessment Services
• Recognized by Gartner and NASSCOM for its information security strengths
• First Indian company to provide PCI ASV Vulnerability Management Services
• Ranked as the No. 1 security services provider by Dataquest, V&D and Frost & Sullivan
• Experienced consultants with certifications such as CEH, GWAS, CISSP, CISA, CBCP, BS 25999 and ISO 27001
• Partnerships with leading security product and service vendors
• Technology labs in Identity and Access Management, Software Security, Security Testing, Networks and Systems




For further information on HCL GRC Consulting Services, or to have an HCL representative contact you, mail CFS-GRC-PMG@hcl.in or visit http://www.hclisd.com/Governance-Risk-Compliance-Consulting.aspx





TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John MeulemansBCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Online
 

HCLT Brochure: NERC Cyber Security Consulting Services

  • 1. NERC Cyber Security Compliance Consulting Services
  HCL Governance, Risk & Compliance Practice

  • 2. Overview
  The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system.

  Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America’s bulk electric systems.

  NERC CIP Standards seek to address the question “How well protected is this critical infrastructure?” Compliance with these standards can be both risky and complicated given the differences between electrical utilities and the newness of the standards. Certainly, the remoteness of power generation and the wide coverage of electric transmission greatly complicate the job of securing these assets from direct attack.

  The HCL Governance, Risk & Compliance (GRC) consulting practice offers market leading services to organizations seeking compliance support for NERC CIP standards by improving their security & governance posture while reducing cost. Many of our Managed Security Services and Professional Services align with the NERC CIP Cyber Security Standards, allowing organizations to easily meet and exceed the requirements they set forth. Starting from a compliance health-check, HCL can work with your organization to implement the recommendations by providing technical, documentation and project management support.

  Challenges Addressed
    • Lack of confidence in organizational security posture and a siloed approach across engineering, operations and IT departments
    • Lack of basic security mechanisms in SCADA/EMS and DCS design when compared to standard business information systems
    • Real-time systems make patch application, validation, and user authentication difficult
    • High cost of audit and compliance sustenance
    • Cyber Security requires a toolset and knowledge base that is traditionally not located within the same experience pool that understands and manages the day-to-day operations of a power grid
    • Diversified risk-assessment approach

  The HCL GRC focus is to offer end-to-end “Advisory” & “Implementation” services to enable an organization to meet the business objectives of its NERC Cyber Security Compliance initiative.

  • 3. Approach – NERC Cyber Security compliance
  The HCL GRC team can assist Responsible Entities by offering a comprehensive program of capabilities that enable the achievement of NERC standards compliance in a cost effective and timely manner. The spectrum of HCL services covers the complete gamut of standards CIP-002 through CIP-009, providing a robust solution to support robust and reliable operations of bulk electric systems. The approach and key activities are detailed below, by NERC Requirement, HCL GRC Capability and Deliverables.

  CIP-002-1 – Critical Cyber Asset Identification
    HCL GRC Capability:
    • Automated Enterprise discovery of Critical Assets
    • Identification of critical assets by client and HCL SMEs who have qualified experience in Grid Analysis
    • Risk based assessment, analysis & prioritization by application
    Deliverables:
    • Inventory of Critical Cyber Assets
    • Risk library pertaining to cyber asset operations
    • Annual Reviews

  CIP-003-1 – Management Control – Cyber Security Policy
    HCL GRC Capability:
    • Policy evaluation & analysis
    • Policy Documentation
    Deliverables:
    • Enhanced Cyber Security Policy for NERC Compliance

  CIP-003-1 – Management Control – Leadership & Exceptions
    HCL GRC Capability:
    • Establishing a Security Program Management Office for NERC Compliance & reporting
    Deliverables:
    • Established governance for compliance management

  CIP-003-1 – Management Control – Information Protection
    HCL GRC Capability:
    • Catalogued information classification for Critical Cyber Assets
    • Defining access controls, encryption & procedures for disposal, printing and other tasks
    Deliverables:
    • Information classification procedures
    • Data security reference architecture
    • System Security & disaster recovery plan

  • 4. CIP-003-1 – Management Control – Access Controls
    HCL GRC Capability:
    • Modeling for role based access control for internet facing systems and critical backend solutions
    Deliverables:
    • Access control policies & procedures

  CIP-003-1 – Management Control – Change Management
    HCL GRC Capability:
    • Establishing change management procedures
    • Conducting impact analysis of changes (includes configuration)
    • Enabling functional testing for changes
    • Review of corporate & process control networks (SCADA)
    Deliverables:
    • Change Management & Control Process
    • Back-out procedures
    • Security Enforcement Policy

  CIP-004-1 – Personnel & Training – Awareness
    HCL GRC Capability:
    • Conduct security awareness evaluations & employee assertion program
    • Security awareness training plan development
    Deliverables:
    • Security awareness report
    • Training roadmap

  CIP-004-1 – Personnel & Training – Training
    HCL GRC Capability:
    • Identification & deployment of role based trainings
    Deliverables:
    • Specific procedural training modules

  CIP-004-1 – Personnel & Training – Personnel Risk Assessment
    HCL GRC Capability:
    • Development of personnel background check policies & procedures
    Deliverables:
    • Background check policy

  CIP-005-1 – Electronic Security Perimeter(s) – Electronic Security Perimeter
    HCL GRC Capability:
    • Identification of control points, ports and services
    • Conduct vulnerability assessments & penetration testing
    • Firewall implementation procedures
    Deliverables:
    • Vulnerability & Penetration assessment report
    • Remediation report

  CIP-005-1 – Electronic Security Perimeter(s) – Electronic Access Controls
    HCL GRC Capability:
    • Development of authentication procedures
    • Firewall audits
    • Log management & review
    • Real time threat analysis through SOC (includes NIPS & HIPS)
    Deliverables:
    • Authentication procedures
    • Audit Reports
    • Log review & reporting
    • Threat analysis report

  CIP-005-1 – Electronic Security Perimeter(s) – Documentation Review & Maintenance
    HCL GRC Capability:
    • Documentation of all systems in electronic security perimeters
    • Quarterly review of all documentation
    Deliverables:
    • Documentation of network changes

  CIP-006-1 – Physical Security Program
    HCL GRC Capability:
    • Assessment of facilities physical security
    • Assessment of organization physical security plan
    • Development of log & DVR retention policies
    • Physical security audits
    Deliverables:
    • Physical security assessment report
    • Log retention & governance policies

  CIP-007-1 – System Security Management
    HCL GRC Capability:
    • Test procedures evaluation for patch management, device management, anti-virus policies and controls
    • Documentation for non-critical cyber asset policy
    • Creating inventory of non-critical cyber assets
    • Policy documentation for malware and malicious software prevention
    • Documentation and enforcement of password management policy
    • Policy creation for disposal & redeployment of cyber assets
    • Establishing governance and org. structure for documentation & policy review
    Deliverables:
    • Malicious software prevention policy
    • Test procedures for device management
    • Password policy
    • Asset disposal policy
    • Identity management process
    • Security incident management process
    • Documentation lifecycle process

  • 5. CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Response plan
    HCL GRC Capability:
    • Assessment of Incident management procedures
    • Documentation of business continuity plan
    • Testing of business continuity plan
    • Process for retention of incident logs
    Deliverables:
    • Incident management procedures
    • Business Continuity Plan
    • Business Continuity Test Procedures

  CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Documentation
    HCL GRC Capability:
    • Process for retention of incident logs
    Deliverables:
    • Log retention policy

  CIP-009-1 – Disaster Recovery – Recovery Plan, Backup & restore, Testing Media
    HCL GRC Capability:
    • Identification & definition of action triggers, acceptable downtime service levels and acceptable data loss
    • Development of verification criteria & procedures
    Deliverables:
    • Disaster Recovery Plan
    • Back-up procedures
    • Test plan for backup storage

  CIP-009-1 – Disaster Recovery – Exercises
    HCL GRC Capability:
    • Conducting DR drills
    Deliverables:
    • DR test report

  Automated NERC Compliance Management – GRC Manager
  Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Some of the most pervasive and difficult of these obstacles include:
    • Multiple regulatory bodies and requirements
    • High cost of defining controls
    • High cost of demonstrating compliance
    • Budget impacts of NERC and other regulatory efforts on the business
    • Allocation of resources away from key business initiatives
    • Difficulty with ongoing sustainability of ad-hoc compliance projects

  In order to mitigate these challenges & offer streamlined sustenance for compliance, HCL has partnered with various GRC platform vendors and helps Energy & Utilities organizations establish an automated solution for an optimal blend of centralization, monitoring & reporting for effective oversight. The GRC platform can also be used for implementing governance initiatives, such as programs for Standards of Conduct and Environmental Health and Safety (EH&S), through document control, compliance training and ongoing auditing, as well as recording and reporting of Federal Energy Regulatory Commission (FERC)-related violations or process nonconformance and the resulting corrective actions.

  • 6. Some of the basic features of the automated GRC platform are as under:
    • Capturing, Compiling & Reporting Compliance Information
    • Dynamic Real time analysis of Risk & Controls
    • Integrated Industry Standard Framework for Control Optimization
    • Role based dashboards that streamline decision making
    • Integrated Program Resource Management capabilities to manage Control Remediation
    • Integration with Enterprise business systems for audit evidence collection
    • Single Global Repository for Risk & Controls

  A sample snapshot from the automated GRC platform is shown below.
  Figure 1. Governance Risk and Compliance Platform

  Why choose HCL
    • First in APAC and amongst only 9 companies in the world to receive Cisco’s Master Security Certification.
    • Accredited by Govt. of India CERT as providers of Information Security Assessment Services.
    • Recognized by Gartner & NASSCOM for its Information Security Strengths.
    • First Indian Company to provide PCI ASV Vulnerability Management Services.
    • Expertise across all micro verticals in Electric, Gas distribution, Water & Waste Water/Recycling Utilities.
    • One stop shop for all your information security & compliance needs
    • Matured consulting framework with integrated solution implementation methodology to reduce compliance cost
    • Strong engineering with R&D practice with focus on the Energy & Utilities vertical

  • 7.
    • HCL is ranked as the No. 1 Security Services provider by Dataquest, V&D and Frost & Sullivan
    • Experienced consultants with certifications like CEH, GWAS, CISSP, CISA, CBCP, BS 25999 and ISO27001
    • Partnership with leading security product and service vendors
    • Technology labs in Identity and Access Management, Software Security, Security Testing, Networks and Systems.

  For further information on HCL GRC Consulting Services or to have an HCL representative contact you, mail at CFS-GRC-PMG@hcl.in or visit http://www.hclisd.com/Governance-Risk-Compliance-Consulting.aspx