MRO SAC Hosted Webinar: Information Risk Management Framework - PowerPoint PPT Presentation



SLIDE 1

MRO SAC Hosted Webinar

“Information Risk Management Framework”

Catherine Sherwood, Manager Information Security Risk, MISO David Day, Information Security Risk Analyst, MISO Joe Polen, Executive Director, Security Controls and Engagement Management, MISO/MRO SAC Sponsor

July 8, 2020

SLIDE 2

MRO SAC Upcoming Events

  • MRO SAC Hosted Virtual Security Training on July 15, 2020
  • MRO SAC Hosted Security Risk Assessment Virtual Roundtable on July 30, 2020
  • MRO SAC Hosted Domestic Extremists: A Rising Threat, presented by Brett Lawler, Sr. Threat Intelligence Analyst, Xcel Energy/MRO SACTF Chair Sponsor, on August 12, 2020
  • MRO SAC Hosted Webinar on Cyber Asset Management, presented by Justin Haar, MRO SAC Member, on August 20, 2020 (Registration not open)
  • MRO Security Conference on October 7, 2020 (Registration not open)
  • MRO Regional Security Risk Assessment will be in place of the MRO SAC Quarter 3 Meeting on October 8, 2020
  • MRO SAC Quarter 4 Meeting on November 5, 2020

SLIDE 3

Risk Management Program

Catherine Sherwood, Manager Information Security Risk, csherwood@misoenergy.org

SLIDE 4

Agenda

  • Security Risk Program
  • Security Control Framework
  • IT Risk Register
  • Plan of Action & Milestone

SLIDE 5

5 | Protected

Security Risk Management Program

  • Strategic Objectives – Enterprise Risk
  • Inherent Risk - Risks at the IT Service Line.
  • Residual Risk - Controls mitigate the inherent risk at the IT Risk level.
  • Effectiveness - Testing the effectiveness of the control.
  • Remediation - Remediate the gaps that were identified.

[Diagram labels: ERM, IT Risks, Controls, Assessments, Plan of Action & Milestone; Process, Assurance, Gaps; Intake into the MISO Strategy; Service Line, Enterprise]

SLIDE 6

Security Control Framework

SLIDE 7

Purpose and Outcome

One Streamlined Process (inputs: NERC, SOC, Best Practices)

  • Identify Gaps - Identify what security standards have not been implemented.
  • Mitigate Gaps - Mitigate the identified gaps by prioritizing the highest impact controls first.
  • Mature Security Program - Mature MISO’s overall security posture to the appropriate level of risk tolerance.
  • Security At Scale - Allow MISO to begin thinking about security at all levels of the company.

SLIDE 8
Framework: Unified Controls Across the Organization

Functions and Categories (NIST Cybersecurity Framework):

  • Identify - Implement Governance and Oversight: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
  • Protect - Develop appropriate safeguards: Identity Management and Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology
  • Detect - Establish continuous monitoring mechanisms: Anomalies & Events; Security Continuous Monitoring; Detection Processes
  • Respond - Business aligned escalation and notification agreements: Response Planning; Communications; Analysis; Mitigation; Improvements
  • Recover - Sustain MISO reliability and availability: Recovery Planning; Improvements; Communications

Harmonize Standards:

  • NERC CIP Standards
  • Service Organization Controls (SOC)
  • NIST 800-53
  • DOE C2M2

SLIDE 9

MISO’s Security Controls Framework (Continuous Improvement)

Training

  • Provide risk and controls training to managers and SMEs responsible for implementing MISO’s controls program

Risk Assessment

  • Perform annual risk assessment identifying high risk NIST sub-categories
  • Determine ownership and schedule of controls program implementation activities

Control Design

  • Review process documentation, RSAWs, etc.
  • Identify and document key objectives, risks and controls for high risk NIST CSF categories

Governance, Monitoring and Reporting

  • Implement governance structure, tools and templates
  • Implement ongoing QA/QC, monitoring and reporting mechanisms

Gap Assessment + Remediation

  • Identify areas where controls do not adequately address standards and policies
  • Establish and implement action plans to eliminate gaps

Control Testing

  • Develop testing requirements
  • Conduct test of one to assess key controls

[Diagram: Information Security Risk Management cycle with the stages Training, Risk Assessment, Control Design, Control Testing, Gap Assessment + Remediation, and Governance, Monitoring and Reporting]

SLIDE 10

3 Lines of Assurance

  • 1st Line of Defense / Line of Assurance: Management Controls; Internal Control Measures
  • 2nd Line of Defense / Line of Assurance: Standards and Assurance; IT Validation; Information Security Risk Management
  • 3rd Line of Defense / Line of Assurance: Internal Audit; External Audit; Regulator

[Diagram labels: Board Oversight, Enterprise Risk Management, MISO Management]

SLIDE 11

Utilizing Security Controls Framework: Risk Appetite

  • Category Appetite - Based on control categories, leadership establishes limits on risk in each area
  • Prioritize Resources - Allocate resources to address the most critical risks first
  • Vision, Mission, and Goals - Allows appropriate acceptance of risk to move one step closer to our vision, mission, and goals

SLIDE 12

Schedule (timeline 2018 through 2022, ongoing)

  • Design the harmonized controls
  • Test & Assess the efficiency of those controls
  • Remediate and implement controls with risk-based prioritization
  • Monitor & Measure operational improvement
  • IRM Tool - implement an integrated risk management tool
  • Project End / Program Operational

SLIDE 13

IT Risk Register

SLIDE 14

IT Risk Register

  • Map Risks - Link IT Risks to ERM Risks
  • Risk Rating - Low, Moderate, High, Critical
  • Insight - Provides insight into risks in MISO’s IT Service Line

SLIDE 15

IT Risk Register

Inherent Risk Ratings by CSF Function (counts in the order Low, Moderate, High, Critical where present; last number is the row total)

  • Identify: 3, 8, 15 (total 26)
  • Protect: 2, 22, 19 (total 43)
  • Detect: 1, 9 (total 10)
  • Respond: 8, 3 (total 11)
  • Recover: 1, 2, 10 (total 13)
  • Grand Total: 5, 22, 65 (total 103)

Residual Risk Ratings by CSF Function (same column order)

  • Identify: 15, 9, 2 (total 26)
  • Protect: 5, 6, 30, 2 (total 43)
  • Detect: 1, 2, 5, 2 (total 10)
  • Respond: 2, 5, 3, 1 (total 11)
  • Recover: 1, 3, 5, 3 (total 12)
  • Grand Total: 7, 31, 41, 9 (total 103)

Overall Risk: Inherent Risk Score 3.55 (Inherent Risk Rating Critical); Residual Risk Score 2.20 (Residual Risk Rating Moderate)
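The register roll-up on this slide (rating counts per CSF function, grand totals, and an overall inherent and residual score with a rating) can be reproduced on a small constructed register. The following is an added example and is not MISO's register or tooling; the 1-to-4 numeric scale, the use of the mean as the overall score, and the score-to-rating thresholds are assumptions, since the slides do not state how 3.55 and 2.20 were derived. The risk ids, ERM risk names and ratings in `SAMPLE_REGISTER` are made up. The entry validation rejects a residual rating above the inherent rating, which is the usual data-quality check for a register where controls only reduce risk.

```python
"""Toy IT risk register roll-up (added example, not MISO's tooling).

Assumed, because the slides do not state them: the 1-4 rating scale,
the mean as the overall score, and the score-to-rating thresholds.
"""
from collections import Counter
from dataclasses import dataclass

CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
RATINGS = ("Low", "Moderate", "High", "Critical")
RATING_VALUE = {name: i + 1 for i, name in enumerate(RATINGS)}  # assumed 1-4 scale


@dataclass(frozen=True)
class Risk:
    """One register entry: an IT risk tied to a CSF function and an ERM risk."""
    risk_id: str
    csf_function: str
    erm_risk: str   # enterprise (ERM) risk this IT risk links to
    inherent: str   # rating before controls
    residual: str   # rating after controls

    def __post_init__(self):
        if self.csf_function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {self.csf_function}")
        for rating in (self.inherent, self.residual):
            if rating not in RATINGS:
                raise ValueError(f"unknown rating: {rating}")
        # Controls can only reduce risk; residual above inherent is a data error.
        if RATING_VALUE[self.residual] > RATING_VALUE[self.inherent]:
            raise ValueError(f"{self.risk_id}: residual exceeds inherent rating")


def ratings_by_function(register, which):
    """Count ratings per CSF function; `which` is 'inherent' or 'residual'."""
    table = {func: Counter() for func in CSF_FUNCTIONS}
    for risk in register:
        table[risk.csf_function][getattr(risk, which)] += 1
    return table


def grand_total(table):
    """Sum the per-function counters into one Low/Moderate/High/Critical row."""
    return sum(table.values(), Counter())


def risk_score(register, which):
    """Mean rating value over the whole register (assumed scoring method)."""
    values = [RATING_VALUE[getattr(risk, which)] for risk in register]
    return sum(values) / len(values)


def score_to_rating(score):
    """Illustrative thresholds; they put 3.55 at Critical and 2.20 at Moderate."""
    if score < 1.5:
        return "Low"
    if score < 2.5:
        return "Moderate"
    if score < 3.5:
        return "High"
    return "Critical"


def by_erm_risk(register):
    """Map each ERM risk to the linked IT risk ids (the slide's 'Map Risks' step)."""
    mapping = {}
    for risk in register:
        mapping.setdefault(risk.erm_risk, []).append(risk.risk_id)
    return mapping


def format_pivot(table, title):
    """Render a pivot like the slide: one row per CSF function plus a total row."""
    lines = [f"{title:<10}" + "".join(f"{r:>10}" for r in RATINGS) + f"{'Total':>8}"]
    rows = [(func, table[func]) for func in CSF_FUNCTIONS] + [("Total", grand_total(table))]
    for name, counts in rows:
        cells = "".join(f"{counts[r]:>10}" for r in RATINGS)
        lines.append(f"{name:<10}{cells}{sum(counts.values()):>8}")
    return "\n".join(lines)


# Constructed sample register; ids, ERM risk names and ratings are made up.
SAMPLE_REGISTER = [
    Risk("IT-001", "Identify", "Regulatory compliance", "Critical", "High"),
    Risk("IT-002", "Identify", "Regulatory compliance", "Critical", "Moderate"),
    Risk("IT-003", "Protect", "Grid reliability", "Critical", "Moderate"),
    Risk("IT-004", "Protect", "Grid reliability", "Critical", "Low"),
    Risk("IT-005", "Detect", "Grid reliability", "Critical", "High"),
    Risk("IT-006", "Respond", "Market operations", "Critical", "Moderate"),
    Risk("IT-007", "Recover", "Market operations", "Critical", "Moderate"),
    Risk("IT-008", "Recover", "Grid reliability", "Moderate", "Low"),
    Risk("IT-009", "Protect", "Regulatory compliance", "High", "High"),
    Risk("IT-010", "Detect", "Market operations", "Moderate", "Low"),
]

if __name__ == "__main__":
    for which in ("inherent", "residual"):
        print(format_pivot(ratings_by_function(SAMPLE_REGISTER, which), which.title()))
        score = risk_score(SAMPLE_REGISTER, which)
        print(f"{which} risk score {score:.2f} -> {score_to_rating(score)}\n")
    for erm, ids in by_erm_risk(SAMPLE_REGISTER).items():
        print(f"{erm}: {', '.join(ids)}")
```

On the sample data the inherent score is 3.50 (Critical) and the residual score is 2.00 (Moderate), so the same register moves from Critical to Moderate once controls are credited, which is the reading the slide's 3.55 and 2.20 invite. Swapping the mean for a different aggregation (for example, a weighted count of High and Critical entries) only requires changing `risk_score`.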

SLIDE 16

Plan of Action and Milestones

SLIDE 17

Plan of Action and Milestones

  • POAM Identified - POAMs are sourced from Information Security Risk Management assessments, Audits, and self-identification of a gap.
  • Remediation Milestones & Dates Identified - Information Security Risk Management reviews/validates the risks and works with the owner to determine remediation approach, milestones and target dates.
  • Monitoring & Implementation - Information Security Risk Management works with the owner/POC to follow up on milestone targets, progress and implementation validation for POAM closure.

SLIDE 18

SLIDE 19

Plan of Action and Milestones

SLIDE 20

Wrap-Up

Risk-based Decisions In Order To Optimize Resources

[Diagram labels: Strategic Objectives, Inherent Risk, Residual Risk, Effectiveness, Remediation; ERM, IT Risks, Controls, Assessments, Plan of Action & Milestone; Process, Assurance, Gaps; Service Line, Enterprise]

SLIDE 21

Questions?

csherwood@misoenergy.org