MRO SAC Hosted Webinar: "Information Risk Management Framework"
Catherine Sherwood, Manager Information Security Risk, MISO
David Day, Information Security Risk Analyst, MISO
Joe Polen, Executive Director, Security Controls and Engagement Management, MISO / MRO SAC Sponsor
July 8, 2020
MRO SAC Upcoming Events
• MRO SAC Hosted Virtual Security Training on July 15, 2020
• MRO SAC Hosted Security Risk Assessment Virtual Roundtable on July 30, 2020
• MRO SAC Hosted "Domestic Extremists: A Rising Threat", presented by Brett Lawler, Sr. Threat Intelligence Analyst, Xcel Energy / MRO SACTF Chair Sponsor, on August 12, 2020
• MRO SAC Hosted Webinar on Cyber Asset Management, presented by Justin Haar, MRO SAC Member, on August 20, 2020 (registration not open)
• MRO Security Conference on October 7, 2020 (registration not open)
• MRO Regional Security Risk Assessment, in place of the MRO SAC Quarter 3 Meeting, on October 8, 2020
• MRO SAC Quarter 4 Meeting on November 5, 2020
Risk Management Program
Catherine Sherwood, Manager Information Security Risk
csherwood@misoenergy.org
Agenda
• Security Risk Program
• Security Control Framework
• IT Risk Register
• Plan of Action & Milestone
Security Risk Management Program
Enterprise Risk (input to the program)
• Enterprise level: ERM Strategic Objectives
• Service Line level: IT Risks. Inherent Risk: risks at the IT Service Line.
• Process level: Controls. Residual Risk: controls mitigate the inherent risk at the IT risk level.
• Assurance level: Assessments. Effectiveness: testing the effectiveness of the control.
• Gaps level: Plan of Action & Milestone. Remediation: remediate the gaps that were identified.
Intake into the MISO Strategy (output of the program)
5 | Protected
Security Control Framework
Purpose
• SOC and NERC Best Practices: one streamlined process.
• Identify Security Gaps: identify what security standards have not been implemented.
• Mitigate Security Gaps: mitigate the identified gaps by prioritizing the highest impact controls first.
Outcome
• At Scale: allow MISO to begin thinking about security at all levels of the company.
• Mature Program: mature MISO's overall security posture to the appropriate level of risk tolerance.
Framework
Functions and Categories (NIST CSF)
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management. Objective: implement governance and oversight.
• Protect: Identity Management and Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology. Objective: develop appropriate safeguards.
• Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes. Objective: establish continuous monitoring mechanisms.
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements. Objective: business aligned escalation and notification agreements.
• Recover: Recovery Planning; Improvements; Communications. Objective: sustain MISO reliability and availability.
Harmonize Standards
• NERC CIP Standards
• Service Organization Controls (SOC)
• NIST 800-53
• DOE C2M2
Result: unified controls across the organization.
MISO's Security Controls Framework (Information Security Risk Management cycle, with Continuous Improvement)
Training
• Provide risk and controls training to managers and SMEs responsible for implementing MISO's controls program
Governance, Monitoring and Reporting
• Implement governance structure, tools and templates
• Implement ongoing QA/QC, monitoring and reporting mechanisms
Risk Assessment
• Perform annual risk assessment identifying high risk NIST sub-categories
• Determine ownership and schedule of controls program implementation activities
Control Design
• Review process documentation, RSAWs, etc.
• Identify and document key objectives, risks and controls for high risk NIST CSF categories
Gap Assessment + Remediation
• Identify areas where controls do not adequately address standards and policies
• Establish and implement action plans to eliminate gaps
Control Testing
• Develop testing requirements
• Conduct test of one to assess key controls
3 Lines of Assurance
Oversight: Board Oversight; MISO Management; External Audit
• 1st Line of Assurance / Line of Defense: Management Controls; Internal Control Measures; IT Validation
• 2nd Line of Assurance / Line of Defense: Enterprise Risk Management; Standards and Assurance; Information Security Risk Management
• 3rd Line of Assurance / Line of Defense: Internal Audit
• External Audit: Regulator
Risk Appetite (utilizing the Security Controls Framework)
• Category Appetite: based on control categories, leadership establishes limits on risk in each area.
• Prioritize Resources: allocate resources to address the most critical risks first.
• Vision, Mission, and Goals: allows appropriate acceptance of risk to move one step closer to our vision, mission, and goals.
Schedule (2018 through 2022, plus ongoing activity)
• Design the harmonized controls
• Test & Assess the efficiency of those controls
• Remediate and implement controls with risk-based prioritization
• IRM Tool: implement an integrated risk management tool
• Project End / Program Operational
• Ongoing: Monitor & Measure operational improvement
IT Risk Register
IT Risk Register
• Map Risks: link IT Risks to ERM Risks.
• Risk Rating: Low, Moderate, High, Critical.
• Insight: provides insight into risks in MISO's IT Service Line.
IT Risk Register

Inherent Risk Ratings by CSF Function
CSF Function   Low   Moderate   High   Critical   Grand Total
Identify         0          3      8         15            26
Protect          0          2     22         19            43
Detect           0          0      1          9            10
Respond          0          0      8          3            11
Recover          0          1      2         10            13
Grand Total      0          5     22         65           103

Residual Risk Ratings by CSF Function
CSF Function   Low   Moderate   High   Critical   Grand Total
Identify         0         15      9          2            26
Protect          5          6     30          2            43
Detect           1          2      5          2            10
Respond          2          5      3          1            11
Recover          1          3      5          3            12
Grand Total      7         31     41          9           103

Overall Risk
Inherent Risk Score: 3.55 (Inherent Risk Rating: Critical)
Residual Risk Score: 2.20 (Residual Risk Rating: Moderate)

Note: the figures are reproduced as shown on the slide; in both tables the Grand Total row does not equal the column sums of the rows above it (for example the inherent columns sum to 0 / 6 / 41 / 56), and the Recover row counts 13 risks inherent but 12 residual, so the register should be reconciled before the scores are relied on.
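As an added example (not MISO's tooling or data), the Python below builds the two pivot tables above from a constructed risk register, computes an overall inherent and residual score, and runs the consistency checks an analyst would want before the numbers go into a report: column totals that equal the number of risks, no residual rating above its inherent rating, and no residual reduction without a recorded control. The rating scale (Low=1 through Critical=4), the mean-based overall score and the rounding back to a rating band are assumptions; the slide reports 3.55 and 2.20 but does not state how they were derived.

```python
"""Roll up an IT risk register by NIST CSF function.

Added example, not MISO's register or tooling. The sample register is
constructed, and the scoring (Low=1 .. Critical=4, overall score = mean,
rating band = rounded mean) is an assumed method.
"""

RATINGS = ("Low", "Moderate", "High", "Critical")
SCORE = {name: i + 1 for i, name in enumerate(RATINGS)}  # assumed 1..4 scale
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

INHERENT, RESIDUAL = 2, 3  # column positions in the register tuples

# Constructed sample register: (id, CSF function, inherent, residual, controls)
REGISTER = [
    ("R-01", "Identify", "Critical", "Moderate", ["asset inventory"]),
    ("R-02", "Identify", "High",     "Moderate", []),   # reduced, no control recorded
    ("R-03", "Protect",  "Critical", "Critical", ["MFA"]),
    ("R-04", "Protect",  "High",     "Low",      ["patching SLA", "EDR"]),
    ("R-05", "Detect",   "Critical", "Moderate", ["SIEM use cases"]),
    ("R-06", "Respond",  "High",     "Moderate", ["IR playbook"]),
    ("R-07", "Recover",  "Critical", "High",     ["restore test"]),
    ("R-08", "Recover",  "Moderate", "High",     ["backups"]),  # residual above inherent
    ("R-09", "Detect",   "High",     "High",     ["log retention"]),
]


def rollup(register, column):
    """Count risks per CSF function and rating band (the slide's pivot table)."""
    table = {f: {r: 0 for r in RATINGS} for f in CSF_FUNCTIONS}
    for row in register:
        table[row[1]][row[column]] += 1
    return table


def grand_total(table):
    """Column sums across functions; their sum must equal the register size."""
    return {r: sum(table[f][r] for f in table) for r in RATINGS}


def overall_score(register, column):
    """Mean of the numeric ratings, to two decimals (assumed method)."""
    return round(sum(SCORE[row[column]] for row in register) / len(register), 2)


def rating_for(score):
    """Map a mean score back to a rating band by rounding (assumed method)."""
    return RATINGS[min(max(round(score), 1), 4) - 1]


def validate(register):
    """Checks to run before the register is reported: residual may never
    exceed inherent, and a residual below inherent needs a recorded control."""
    findings = []
    for rid, _, inherent, residual, controls in register:
        if SCORE[residual] > SCORE[inherent]:
            findings.append(f"{rid}: residual {residual} exceeds inherent {inherent}")
        elif SCORE[residual] < SCORE[inherent] and not controls:
            findings.append(f"{rid}: residual below inherent but no control recorded")
    return findings


def render(register, column, title):
    """Plain-text version of the slide's table, including a Total row."""
    table = rollup(register, column)
    header = "%-10s" % "Function" + "".join("%10s" % r for r in RATINGS) + "%10s" % "Total"
    lines = [title, header]
    for func, counts in table.items():
        lines.append("%-10s" % func + "".join("%10d" % counts[r] for r in RATINGS)
                     + "%10d" % sum(counts.values()))
    totals = grand_total(table)
    lines.append("%-10s" % "Total" + "".join("%10d" % totals[r] for r in RATINGS)
                 + "%10d" % sum(totals.values()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(REGISTER, INHERENT, "Inherent risk by CSF function"))
    print(render(REGISTER, RESIDUAL, "Residual risk by CSF function"))
    for col, name in ((INHERENT, "Inherent"), (RESIDUAL, "Residual")):
        score = overall_score(REGISTER, col)
        print(f"{name} risk score {score} ({rating_for(score)})")
    for finding in validate(REGISTER):
        print("CHECK:", finding)
```

The Total row is computed from the rows rather than typed in, which is the check that catches the kind of mismatch visible in the slide's Grand Total rows; `validate` flags R-02 and R-08 in the constructed data, the two patterns (unsupported reduction, residual above inherent) that most often mean a register entry was edited without its control being reassessed.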
Plan of Action and Milestones
Plan of Action and Milestones
• POAM Identified: POAMs are sourced from Information Security Risk Management assessments, audits, and self-identification of a gap.
• Remediation Milestones & Dates Identified: Information Security Risk Management reviews and validates the risks and works with the owner to determine the remediation approach, milestones and target dates.
• Monitoring & Implementation: Information Security Risk Management works with the owner/POC to follow up on milestone targets, progress and implementation validation for POAM closure.
Wrap-Up
• Enterprise level: ERM Strategic Objectives
• Service Line level: IT Risks. Inherent Risk
• Process level: Controls. Residual Risk
• Assurance level: Assessments. Effectiveness
• Gaps level: Plan of Action & Milestone. Remediation
Risk-based decisions in order to optimize resources
Questions? csherwood@misoenergy.org