
Page 1: Cyber Security IT GRC Management Model and Methodology

Regulatory Change Management

Ed Sattar, CEO

Page 2

SPEAKER: ED SATTAR

Ed Sattar is the CEO of 360factors. For more than a decade, Ed has made significant professional contributions to the regulatory compliance space across multiple industries. His experience includes extensive research and consulting for regulatory compliance consulting firms and training providers, as well as for state and federal regulatory agencies. During his tenure in the regulatory compliance workflow automation and eTraining space, he has identified key criteria and compliance standards that are currently being published and implemented.

Ed Sattar has been nominated for the Ernst & Young Entrepreneur of the Year award three times and was among the top seven finalists in 2009. 360training.com, the parent company of 360factors, has appeared on the Deloitte Fast 50 as the 6th fastest growing company in Texas. It has also been listed in the Inc. 5000 several times as one of the fastest growing companies.

Ed studied Electrical Engineering and Finance at the University of Texas at Austin.

Page 3

EFFECTIVE OPERATIONAL RISK MANAGEMENT & THREE P'S

Diagram: the three P's are Profit, People and Planet.

Page 4

Outline

Cyber Security Trends in Oil and Gas

Why Implement an IT GRC Management System

IT Governance, Risk and Compliance Management Model & Methodology

How to Implement an IT Governance, Risk and Compliance Management System

Page 5

CYBER SECURITY RISK TRENDS

Page 6

RISING REGULATIONS AND COST

Page 7

RISING REGULATIONS AND COST

Page 8

RISING REGULATIONS AND COST

The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations.

If you store any personal information, you must have an information security policy.

The April 2011 White House proposal and the Cybersecurity Act of 2012 (S. 2105) would both mandate the promulgation of cybersecurity regulations for pipelines, among other privately owned critical infrastructure sectors.

In the U.S., the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 198 cyber incidents in 2012, as reported by asset owners and industry partners. Attacks against the energy sector represented 41% of the total number of incidents.

Page 9

WHY IMPLEMENT IT GRC MANAGEMENT SYSTEM

Page 10

WHY IMPLEMENT IT GRC MANAGEMENT SYSTEM

Over 500,000 miles of high-volume pipeline gather and transport natural gas, oil, and other hazardous liquids across the United States.

In addition, nearly 900,000 miles of smaller distribution pipeline deliver natural gas to businesses and homes.

While pipelines are an efficient and fundamentally safe means of transport, many carry volatile, flammable, or toxic materials with the potential to cause public injury and environmental damage.

Page 11

WHY IMPLEMENT IT GRC MANAGEMENT SYSTEM

Page 12

WHY IMPLEMENT IT GRC MANAGEMENT SYSTEM

Page 13

WHY IMPLEMENT IT GRC MANAGEMENT SYSTEM

Page 14

WHY IMPLEMENT IT GRC MANAGEMENT SYSTEM

Industry pain points (diagram labels):

Understanding Regulations

Regulatory / Standards Change Management

Internal Corporate Standards

Day-to-Day Compliance Tasking

Event-Driven Compliance Tasking

Predictive Risk Analysis

Corrective and Preventive Actions

Policy and Procedure Management

Risk Management

Training Management

Multiple Tools to Address Regulatory Compliance

Other Industry Pain Points

Page 15

CYBER SECURITY BEST PRACTICES

1. Implement security standards that may be applicable to your organization:

1. ISA-99 / IEC 62443

2. NERC CIP

3. NIST SP 800-82

4. ISO 27001 & 27002

2. Develop a Cyber Security Framework and make it part of your overall Enterprise Governance, Risk and Compliance Management Framework.

3. Oil & Gas EHS Risk Management Process.

Page 16

IT GOVERNANCE, RISK & COMPLIANCE MANAGEMENT MODEL

Page 17

IT GRC MANAGEMENT MODEL

Page 18

IT GRC MANAGEMENT MODEL – FIVE STEPS

1. WHY = Standards / Regulatory change management

2. WHAT = Risk and internal controls

3. HOW = Operational excellence and processes

4. WHERE = Location / Assets

5. WHO = Defining & mapping roles / key management functions to metrics & P&L

Page 19

IT GRC MANAGEMENT MODEL – FIVE STEPS

Diagram of the five steps and the question each answers:

WHY – Regulatory Change Management

WHAT – Risks & Internal Controls

HOW – Operational Excellence and Workflow

WHERE – Location / Assets

WHO – Organization: Roles and Key Management Functions

Page 20

HOW TO IMPLEMENT AN IT GOVERNANCE, RISK & COMPLIANCE MANAGEMENT SYSTEM

Page 21

Step 1: Requirements Knowledge Base & Taxonomy (WHY)

COMPONENTS OF REQUIREMENTS KNOWLEDGE BASE

1. Library: regulations, standards, requirements and objectives

2. Translate standards or regulatory requirements into action, evidence, subject, frequency

3. Monitor regulatory change

4. Regulations in effect to proposed

5. Mapping: regulatory requirements mapped to CAPA, policy procedures and evidence, risks and audits

6. Regulation applicability

Page 22

Step 2: Risk & Internal Controls (WHAT)

1. What is impacted?

Environmental Risk

Financial Risk

Legal Risk

Cyber Security Risk

Operational Risk

2. Define internal controls

Process

Procedures

Risk Assessments

Tasks

Training

3. Define risk levels

Details the impacting factors

Is based on a systematic process allowing the organization to prioritize more efficiently

Effectively assesses issues requiring immediate action

Page 23

Step 2: Risk & Internal Controls (continued)

Chart: Regulatory Compliance Software positioned by workforce size (Small Workforce to Large Workforce) against risk level (Low Risk to High Risk).

Page 24

Step 3: Business Processes (HOW)

1. Streamline cyber security compliance routines, processes, incidents and procedures into a coherent system.

2. Defining your business processes and workflow should lead you to business continuity planning, an incident response plan, and cyber security workforce training and development.

For example, if someone is about to plug a USB device into a computer or OT device and, by following procedure, first scans the USB and the scan detects a virus, this should be recorded in a central log as a "near miss".

Page 25

Step 4: Location & Assets (WHERE)

1. Where is compliance done?

2. Compliance is done at the site and asset level.

Page 26

Step 5: Roles & Responsibility (WHO)

1. Establish an IT governance structure: roles, responsibilities, functions.

2. Process control security program: provide process control security awareness, training, policy, standards, compliance monitoring.

3. This last step ties together all four previous steps of the model.

4. Is there a specific role and responsibility structure, or can it vary across organizations and industries?

Page 27

Step 5: Roles & Responsibility (WHO)

COMPONENTS OF ROLES AND RESPONSIBILITIES

1. Key Roles and Structure

Example: Information Security Officer, Operations Officer, CIO, CISO

2. Key Functions

Example: Safety, Risk, Engineering, IT, OT

3. Key Actions

Example: Compliance, Quality, Sustainability, Continuity & Response Capability, Training

4. Outcome / Results

Page 28

Source: Global survey by KPMG, Inc

BENEFITS OF AN INTEGRATED MANAGEMENT SYSTEM

AUTOMATE REGULATORY COMPLIANCE THROUGH SOFTWARE

Page 29

Predict360 REGULATORY COMPLIANCE ARCHITECTURE

Page 30

OIL & GAS GOVERNANCE, RISK & COMPLIANCE SOLUTIONS

Cyber Security

Safety Management System

Dodd-Frank

Competency and Training Management

Asset Integrity Management

Plant Operations Management

Employee & Customer Complaint Management

Process Safety Management & SEMS

Environmental Information Management
