mro sac hosted webinar
play

MRO SAC Hosted Webinar Information Risk Management Framework - PowerPoint PPT Presentation

Nov 06, 2022 •160 likes •375 views

MRO SAC Hosted Webinar Information Risk Management Framework Catherine Sherwood, Manager Information Security Risk, MISO David Day, Information Security Risk Analyst, MISO Joe Polen, Executive Director, Security Controls and Engagement

  1. MRO SAC Hosted Webinar “Information Risk Management Framework” Catherine Sherwood, Manager Information Security Risk, MISO David Day, Information Security Risk Analyst, MISO Joe Polen, Executive Director, Security Controls and Engagement Management, MISO/MRO SAC Sponsor July 8, 2020

  2. MRO SAC Upcoming Events • MRO SAC Hosted Virtual Security Training on July 15, 2020 • MRO SAC Hosted Security Risk Assessment Virtual Roundtable on July 30, 2020 • MRO SAC Hosted Domestic Extremists: A Rising Threat, presented by Brett Lawler, Sr. Threat Intelligence Analyst, Xcel Energy/MRO SACTF Chair Sponsor on August 12, 2020 • MRO SAC Hosted Webinar on Cyber Asset Management, presented by Justin Haar, MRO SAC Member on August 20, 2020 (Registration not open) • MRO Security Conference October 7, 2020 (Registration not open) • MRO Regional Security Risk Assessment will be in place of the MRO SAC Quarter 3 Meeting on October 8, 2020 • MRO SAC Quarter 4 Meeting on November 5, 2020

  3. Risk Management Program Catherine Sherwood Manager Information Security Risk csherwood@misoenergy.org

  4. Agenda Security Risk • Program Security Control • Framework IT Risk Register • Plan of Action & • Milestone 4

  5. Security Risk Management Program ERM Strategic Objectives – Enterprise Enterprise Risk IT Risks Inherent Risk - Risks at the IT Service Service Line Line. Controls Residual Risk - Controls mitigate the Process inherent risk at the IT Risk level. Assessments Effectiveness - Testing the Assurance effectiveness of the control. Plan of Action & Milestone Remediation - Remediate the gaps Gaps that were identified. Intake into the MISO Strategy 5 | Protected

  6. Security Control Framework

  7. Purpose SOC and NERC Best Practices Outcome One Streamlined Process Security Identify Identify what security At Scale Allow MISO to begin Gaps standards have not thinking about security at been implemented all levels of the company. Mature Mitigate Security Gaps Program Mitigate the identified gaps by prioritizing Mature MISO’s overall security posture the highest impact controls first. to the appropriate level of risk tolerance. 7 | Protected

  8. Framework Functions Categories Harmonize Standards • Asset Management • Risk Assessment • Risk Management Strategy • Business Identify Environment • Supply Chain Risk • NERC CIP Standards • Governance Management • Service Organization Controls (SOC) Implement Governance and Oversight • NIST 800-53 • DOE C2M2 • Identify Management • Information Protection Processes and Access Control Protect • Awareness & Training • Maintenance • Data Security • Protective Technology Develop appropriate safeguards • Anomalies & Events Detect • Security Continuous Monitoring • Detection Processes Establish continuous monitoring mechanisms • Response Planning • Mitigation Respond • Communications • Improvements • Analysis Business aligned escalation and notification agreements Unified Controls Across • Recovery Planning Recover the Organization • Improvements • Communications Sustain MISO reliability and availability 8 | Protected

  9. MISO’s Security controls framework Information Security Risk Management Training • Provide risk and controls training to managers and SMEs responsible for implementing MISO’s controls program Training Governance, Monitoring and Risk Assessment Reporting • Perform annual risk assessment • Implement governance structure, identifying high risk NIST sub- tools and templates categories Governance, Risk Monitoring Assessment • Implement ongoing QA/QC, • Determine ownership and schedule Reporting monitoring and reporting mechanisms of controls program implementation activities Continuous Improvement Control Design Gap Assessment + Remediation • Review process documentation, • Identify areas where controls do RSAWs, etc. not adequately address standards Gap Control and policies • Identify and document key Assessment + Design objectives, risks and controls for • Establish and implement action Remediation high risk NIST CSF categories plans to eliminate gaps Control Testing Control Testing • Develop testing requirements • Conduct test of one to assess key controls 9 | Protected

  10. 3-lines of Assurance Board Oversight MISO Management 1 st 2 nd 3 rd External Audit Line of Assurance Line of Assurance Line of Assurance Line of Defense Line of Defense Line of Defense Enterprise Risk Management Standards and Internal Management Control Assurance Internal Audit Controls Measures Regulator IT Validation Information Security Risk Management 10 | Protected

  11. Risk Appetite Category Appetite Based on control categories, leadership establishes limits on risk in each area Utilizing Security Prioritize Resources Controls Allocate resources to address the most critical risks first Framework Vision, Mission, and Goals Allows appropriate acceptance of risk to move one step closer to our vision, mission, and goals

  12. Schedule 2019 2018 Ongoing 2020 2021 2022 IRM Tool implement a integrated risk management tool Monitor & Measure operational improvement Remediate and implement controls with risk-based prioritization Test & Assess the efficiency of those controls Design the harmonized controls Project End / Program Operational 12 | Protected

  13. IT Risk Register

  14. IT Risk Register Map Risks Link IT Risks to ERM Risks Risk Rating Low, Moderate, High, Critical Insight. Provides insight into risks in MISO’s IT Service Line 14 | Protected

  15. IT Risk Register RISK Inherent Risk Ratings by CSF Functions CSF Function Low Moderate High Critical Grand Total Identify 0 3 8 15 26 Protect 0 2 22 19 43 Detect 0 0 1 9 10 Respond 0 0 8 3 11 Recover 0 1 2 10 13 Grand Total 0 5 22 65 103 RISK Residual Risk Ratings by CSF Functions CSF Function Low Moderate High Critical Grand Total Identify 0 15 9 2 26 Protect 5 6 30 2 43 Detect 1 2 5 2 10 Respond 2 5 3 1 11 Recover 1 3 5 3 12 Grand Total 7 31 41 9 103 Overall Risk Inherent Risk Score 3.55 Residual Risk Score 2.20 Inherent Risk Rating Critical Residual Risk Rating Moderate 15

  16. Plan of Action and Milestones

  17. Plan of Action Information Security Risk and Milestones Management reviews/validates the risks and works with the owner to determine remediation approach, milestones and target dates. Remediation Milestones POAM Identified & Dates Identified POAMs are sourced from Information Security Risk Management assessments, Audits, and self identification of a gap. Monitoring & Implementation Information Security Risk Management works with the owner/POC to follow-up on milestone targets, progress and implementation validation for POAM closure. 17 | Protected

  18. 18 | Protected

  19. Plan of Action and Milestones 19

  20. Wrap-Up ERM Strategic Objectives Enterprise IT Risks Inherent Risk Service Line Controls Residual Risk Process Assessments Effectiveness Assurance Plan of Action & Milestone Risk-based Decisions In Remediation Gaps Order To Optimize Resources 20 | Protected

  21. Questions? csherwood@misoenergy.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WELCOME TO THE WEBINAR Hello and thank you for joining today's webinar hosted by the Public

WELCOME TO THE WEBINAR Hello and thank you for joining today's webinar hosted by the Public

WELCOME TO THE WEBINAR Hello and thank you for joining today's webinar hosted by the Public Health Law Center. We will be getting started shortly. All attendees are muted. Questions will be held until the designated Q&A section at

523 views • 48 slides
Hosted PBX What Is It? What Features Does It Have? How Will It Help My Business? Hosted

Hosted PBX What Is It? What Features Does It Have? How Will It Help My Business? Hosted

Hosted PBX What Is It? What Features Does It Have? How Will It Help My Business? Hosted PBX Hosted PBX delivers an enterprise-grade phone system to small and medium-sized businesses via the cloud. It lowers your costs , helps employees

779 views • 30 slides
Todays Webinar Presented By: Hosted By: Ed Edwards Doesnt anyone out there want my

Todays Webinar Presented By: Hosted By: Ed Edwards Doesnt anyone out there want my

Todays Webinar Presented By: Hosted By: Ed Edwards Doesnt anyone out there want my business? CHALLENGES IN ENGAGING SMBs AS SUPPLY CHAIN PARTNERS Ed Edwards Manager, Audience Outreach, THOMASNET.com 2015 TOP 10 SMB Business

582 views • 34 slides
The Impact of the 2014 Midterm Elections on Campus Sustainability Webinar Hosted By Johnson

The Impact of the 2014 Midterm Elections on Campus Sustainability Webinar Hosted By Johnson

The Impact of the 2014 Midterm Elections on Campus Sustainability Webinar Hosted By Johnson County Community College Speaker Dr. Sudeep Vyapari Associate Executive Director The National Council for Science and the Environment The Federal

390 views • 15 slides
National Charter Schools Conference 2018 Session Proposal Prep Webinar January 10, 2018 Hosted

National Charter Schools Conference 2018 Session Proposal Prep Webinar January 10, 2018 Hosted

National Charter Schools Conference 2018 Session Proposal Prep Webinar January 10, 2018 Hosted by Erin Leonard & Shaina Cook Presentation Managers presenterinfo@publiccharters.org Webinar Assumptions Youve visited the conference website

609 views • 32 slides
How Much Rehab Should You Do To Maximize Profits? A Free Webinar from BiggerPockets.com Hosted

How Much Rehab Should You Do To Maximize Profits? A Free Webinar from BiggerPockets.com Hosted

How Much Rehab Should You Do To Maximize Profits? A Free Webinar from BiggerPockets.com Hosted by J Scott & Tarl Yarber Have You Ever Felt this way Before? There are too many decisions to make on my rehab!!! Im not sure how

1.27k views • 71 slides
Recruiting, training and retaining your volunteers Webinar hosted by Alison Macklin supported by

Recruiting, training and retaining your volunteers Webinar hosted by Alison Macklin supported by

Recruiting, training and retaining your volunteers Webinar hosted by Alison Macklin supported by The Princes Countryside Fund We have advisors we can allocate to provide support on this or other topics. If you need help and advice or

572 views • 55 slides
How to Update Building Codes: A Primer and Resources for Cities in Need Webinar co-hosted by

How to Update Building Codes: A Primer and Resources for Cities in Need Webinar co-hosted by

How to Update Building Codes: A Primer and Resources for Cities in Need Webinar co-hosted by Carolyn Horner, AICP Senior Environment & Development Planner NCTCOG Jason Vandever Energy Code Program Manager SPEER NCTCOG Regional Building

518 views • 17 slides
CERCLA Section 108(b) Financial Responsibility A public webinar hosted by the United States

CERCLA Section 108(b) Financial Responsibility A public webinar hosted by the United States

CERCLA Section 108(b) Financial Responsibility A public webinar hosted by the United States Environmental Protection Agency January 10, 2017 Presentation Outline u Background u Submitting Public Comment on the Proposed Hardrock Mining Rule u

505 views • 27 slides
Risk Assessment Webinar hosted by Alison Macklin We have advisors we can allocate to provide

Risk Assessment Webinar hosted by Alison Macklin We have advisors we can allocate to provide

Risk Assessment Webinar hosted by Alison Macklin We have advisors we can allocate to provide support on this or other topics. If you need help and advice or have training needs with regards issues arising from Covid 19 or another aspect

785 views • 54 slides
Free Webinar Preview of The No B.S. Class On Freelance Writing Hosted by Jacob Jans Featuring

Free Webinar Preview of The No B.S. Class On Freelance Writing Hosted by Jacob Jans Featuring

Free Webinar Preview of The No B.S. Class On Freelance Writing Hosted by Jacob Jans Featuring Ian Chandler Todays Agenda Overcoming the fears of getting started Building a portfolio of real world samples Finding work that pays

310 views • 19 slides
State-Federal RPS Collaborative and ESTAP Webinar Californias Energy Storage Mandate Hosted by

State-Federal RPS Collaborative and ESTAP Webinar Californias Energy Storage Mandate Hosted by

State-Federal RPS Collaborative and ESTAP Webinar Californias Energy Storage Mandate Hosted by Warren Leon, Executive Director, CESA November 19, 2013 Housekeeping All participants will be in listen-only mode throughout the broadcast.

812 views • 26 slides
RPS Cost Containment Options State-Federal RPS Collaborative Webinar Hosted by Clean Energy

RPS Cost Containment Options State-Federal RPS Collaborative Webinar Hosted by Clean Energy

RPS Cost Containment Options State-Federal RPS Collaborative Webinar Hosted by Clean Energy States Alliance April 24, 2012 Housekeeping All participants will be in listen-only mode throughout the broadcast. You can connect to the audio

686 views • 27 slides
What you need to know about testing electronic data transfer modernizations Webinar hosted by the

What you need to know about testing electronic data transfer modernizations Webinar hosted by the

Modernizing voter registration What you need to know about testing electronic data transfer modernizations Webinar hosted by the Center for Technology and Civic Life with the Center for Civic Design and the Center for Secure and Modern Elections

962 views • 37 slides
and conflict-affected settings: from research to practice Webinar: Hosted by the HSG Thematic

and conflict-affected settings: from research to practice Webinar: Hosted by the HSG Thematic

Performance based financing in fragile and conflict-affected settings: from research to practice Webinar: Hosted by the HSG Thematic Working Group on Health Systems in Fragile and Conflict Affected States 31 st October 2018 Housekeeping rules

960 views • 62 slides
Responds to COVID-19 19 A webinar sponsored by Village Movement California and hosted by the

Responds to COVID-19 19 A webinar sponsored by Village Movement California and hosted by the

Californias Village Movement Responds to COVID-19 19 A webinar sponsored by Village Movement California and hosted by the California Collaborative for Long Term Services and Supports Friday, June 5 | 10 11 am Welcome! Mariya Kalina

320 views • 18 slides
Enterprise Risk Management Presented by Rotimi Okpaise B.Sc, ASA, FIA at the CIINs 2008

Enterprise Risk Management Presented by Rotimi Okpaise B.Sc, ASA, FIA at the CIINs 2008

Enterprise Risk Management Presented by Rotimi Okpaise B.Sc, ASA, FIA at the CIINs 2008 Professional Forum Index 1. Introduction Introduction 1. 2. Definition of Risk and ERM Definition of Risk and ERM 2. 3. Financial & Non Financial

844 views • 34 slides
Enterprise Risk Management and Culture Jai Ramaswamy Managing Vice President Enterprise Risk

Enterprise Risk Management and Culture Jai Ramaswamy Managing Vice President Enterprise Risk

Enterprise Risk Management and Culture Jai Ramaswamy Managing Vice President Enterprise Risk Management May 14, 2019 Agenda 1. Who am I? 2. How did we get here? 3. What is Enterprise Risk Management? 4. What is the

482 views • 20 slides
Learnability Beyond Uniform Convergence Shai Shalev-Shwartz School of CS and Engineering, The

Learnability Beyond Uniform Convergence Shai Shalev-Shwartz School of CS and Engineering, The

Learnability Beyond Uniform Convergence Shai Shalev-Shwartz School of CS and Engineering, The Hebrew University of Jerusalem Mathematical and Computational Foundations of Learning Theory, Dagstuhl 2011 Joint work with: N. Srebro, O.

591 views • 56 slides
Enterprise Risk Management: A Practical Approach Presented by: Ellen M. Labita, CPA, Partner,

Enterprise Risk Management: A Practical Approach Presented by: Ellen M. Labita, CPA, Partner,

Enterprise Risk Management: A Practical Approach Presented by: Ellen M. Labita, CPA, Partner, Not-for-Profit Services Baker Tilly Virchow Krause, LLP Ellen.Labita@bakertilly.com 631-719-3232 Agenda Overview of Enterprise Risk Management

522 views • 21 slides
Board of Visitors Audit, Compliance, and Risk Committee March 2, 2017 1 Audit Department

Board of Visitors Audit, Compliance, and Risk Committee March 2, 2017 1 Audit Department

Board of Visitors Audit, Compliance, and Risk Committee March 2, 2017 1 Audit Department Activities 2 Program Project Change People Process Technology Governance Management Management Future State Design & Executive Sponsorship

368 views • 15 slides
Cash and Vouchers - Risks and Mitigation Measures John Lamm, Food Security and Markets Advisor,

Cash and Vouchers - Risks and Mitigation Measures John Lamm, Food Security and Markets Advisor,

Cash and Vouchers - Risks and Mitigation Measures John Lamm, Food Security and Markets Advisor, Office of Food for Peace SENSITIVE BUT UNCLASSIFIED Context of FFP Programming SENSITIVE BUT UNCLASSIFIED Changes in USAIDs Approach to Risk

292 views • 12 slides
Your presentation submission has been received PRINT THIS PAGE Thank you for your interest in

Your presentation submission has been received PRINT THIS PAGE Thank you for your interest in

1/15/2019 Submission Completed Your presentation submission has been received PRINT THIS PAGE Thank you for your interest in presenting at Global Security Exchange (GSX) 2019! If you have any questions, please contact

555 views • 3 slides
Why Risk Assessment? Enterprise Risk Management is a process, effected by an entitys board

Why Risk Assessment? Enterprise Risk Management is a process, effected by an entitys board

Why Risk Assessment? Enterprise Risk Management is a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may

312 views • 4 slides

More recommend