The Evolution of Regulatory Compliance: An End-to-End Solution for Ensuring & Managing Regulatory Compliance by SAP, August 2014

SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and Regulation Management - Part 2

Nov 16, 2014


EnergySec

After a brief introduction by Mr. Humphreys, Henry Bailey will talk a few minutes about SAP’s roadmap for utilities. This will be followed by a discussion led by Chris Humphreys about the evolutionary transition from disparate point solutions to enterprise-wide, end-to-end, Regulation Management where controls are consolidated and leveraged such that compliance is a byproduct of industry best practices. Finally, Mr. Rice and Chris Humphreys will end the hour with a presentation expanding on the concept of controls consolidation and compliance as a byproduct focused on NERC CIP Ver 3-5 and NIST transitional capabilities of Regulation Management.
Transcript
Page 1: SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and Regulation Management - Part 2

The Evolution of Regulatory Compliance: An End-to-End Solution for Ensuring & Managing Regulatory Compliance by SAP

August 2014

Page 2

© 2014 SAP AG. All rights reserved. 2

Agenda

Cybersecurity Landscape

Evolution of Compliance Solutions

Managing Access Violations (SOX)

Financial Impact of Access Risk

Continuous Control Monitoring (SoD & Critical Access)

Real-Time Cross Enterprise Control (Business Applications & IT Systems)

Managing Regulations (FERC, NERC, CIP, etc.)

Regulatory Change Management

Enterprise Control Management

Unified Regulatory Controls

Page 4

Security By The Numbers

2 billion Internet-enabled devices exist today

Trends suggest 7 billion+ in four years

68,000+ hacker tools available today

5.6M counterfeit computer chips seized

8 character passwords cracked in an hour

14 char alphanumeric cracked in <3 min

Page 5

Advantage: Adversaries

Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists. They have three things you don’t: people, money and time.

Page 6

Cybersecurity Landscape

Research, espionage, organized crime, cyber/info warfare

Nation state quality defense is the new norm

Inference and Aggregation

Cyber-kinetic impacts

Engineering vs. Security

Page 7

No 100% Prevention

Page 8

Strategic Security Outlook

Critical infrastructure is a high-value target; sufficient “MMO” exist for significant impacts to any size organization – no matter how big/small

Adversaries will easily outpace regulation, procurement and implementation cycles; hackers are faster than laws

Focus on people and process first, technology second; automating bad process/practice will only cause you to fail faster and more accurately

Beware of complexity, it can be the enemy of security; don’t forget that technology still requires care and feeding (read: people)

Continuous Monitoring is the most mature state; always be working toward it

Balance prevention, detection and response; seek to achieve “singularity”

Page 9

Evolution of Compliance Solutions - Point Solutions

Most utilities have one or more security/operational tools in place: stand-alone “point solutions” with a singular purpose.

Regulatory compliance obligations have resulted in the exploration of compliance outputs from security/operational toolsets.

• These tool sets were never designed as singular compliance-driven solutions

That is changing as compliance solutions are in high demand at utilities and vendors see opportunity to address compliance

Page 10

Evolution of Compliance Solutions - Point Solutions

Typical Point Solutions

• Security Incident and Event Management (SIEM)

• Security Logging

• Patch Management

• Configuration Management

Page 11

Evolution of Compliance Solutions - GRC

Document Management

• Compliance audits were documentation/evidence focused

• Still manually dependent population of the solution

SharePoint

• Still manual, but can incorporate calendar notifications and task management

• Easy to deploy

• Data integrity concerns

• Non-sustainable

Page 12

Evolution of Compliance Solutions - GRC

Why GRC?

• Expanding granularity in regulatory requirements makes a manual approach non-sustainable

• Pro-active vs. re-active

• Enterprise layer to manage/integrate point solution outputs

• Workflow automation

• Self-assessment functionality

• Detection and mitigation automation through workflows

• Controls testing and design

• Forces consistency in data

Page 13

Evolution of Compliance Solutions - GRC

“I don’t have time to do this compliance stuff and my day job!”

Utilities should never have to hear this complaint again if:

– Sound operational/security-driven processes and controls are in place that “bake in” compliance

– GRC technology is being leveraged to sustain and enforce controls and processes

Page 14

Agenda

Page 15

Current GRC situation

Access governance processes continue to be manually intensive and operate in silos across the enterprise

Lack of visibility into the financial exposure resulting from access risk violations

Page 16

Today’s Approach

Assess the financial exposure of access risk

• Summarize the dollar value of actual access violations

• Clearly articulate the financial exposure that broad user access has on the business

• Drive change where impact exceeds the materiality threshold

Enable exception-based monitoring

• Automate identification and review of actual access violations

• Alert business owners only when exceptions occur, reducing manual control efforts and eliminating false positives

• Comprehensive library of automated SoD controls across business processes

• Centralized tracking, investigation and resolution of access violations

Reduce enterprise-wide access governance costs

• Extend the capabilities of SAP Access Control across enterprise systems

• Enable business ownership of access governance and remediation activities

Page 17

SAP Access Violation Management: Manage user access based on business impact

• SOX: Access Risk Analysis, User Access Management, Emergency Access Management, Business Role Management

• Real-Time Cross Enterprise Control: Discovery, Aggregation, Correlation and Normalization

• Continuous Monitoring: User, Role and Risk Modeling, Accelerated Remediation, Automated Mitigating Controls

• Financial Exposure of Access Risk: Bottom-line Dollar Value

Connected systems shown in the figure: Cloud & SaaS, Business Applications, Core ERP, Legacy/Custom Solutions, Other ERP

Page 18

SAP Access Control: Manage access risk and prevent fraud

• Monitor emergency access and transaction usage

• Certify access assignments are still warranted

• Define and maintain roles in business terms

• Automate access assignments across enterprise systems

• Find and remediate SoD and critical access violations

Figure labels: SAP_ALL, Legacy, Oracle

Page 19

Access Violation Management: Reduce enterprise-wide access governance costs

Authorization models for all business applications are correlated and normalized which enables SOD rules to be maintained in one location – Access Control

Page 20

Access Violation Management: Reduce enterprise-wide access governance costs

Access risk analysis, simulation, mitigation, and access requests are the same for the end user across all business applications

Page 21

Prevent potential risk & detect actual violations

Segregation of Duties - Preventative (SoD Rules, Mitigation Rules)

• Reviewing user access rights and monitoring application security tables

• Visibility into users and roles with the capability to perform high-risk transactions

• Leveraging SoD rule sets

Access Violation Management - Detective

• Reviewing transaction metadata and monitoring usage in transaction tables

• Visibility into actual usage and violations executed against high-risk transactions in conflict with policy

• Leveraging analytics rule sets
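The two columns above separate a preventative check (who can execute both sides of a conflict, derived from role assignments in the application security tables) from a detective check (who actually did, derived from the transaction usage tables), and the preceding slides note that SoD rules can be maintained in one place once the authorization models of the connected applications are correlated and normalized. The following Python script is an added illustration of that split and of the normalization step; it is not SAP’s code and is not part of the original deck. The rule set, the transaction-code-to-business-function mapping, the roles, users, mitigation entry and usage events are all constructed.

```python
"""Preventative vs. detective SoD analysis over constructed sample data (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed SoD rule set: each rule names two business functions that one person
# must not be able to (preventative) or actually (detective) perform together.
SOD_RULES = {
    "SOD-001": ("CREATE_VENDOR", "PAY_VENDOR"),
    "SOD-002": ("CREATE_PO", "APPROVE_PO"),
}

# Constructed normalization layer: system-specific transaction codes are mapped to
# application-neutral business functions, so one rule set covers every system.
TCODE_FUNCTION = {
    "XK01": "CREATE_VENDOR",
    "F110": "PAY_VENDOR",
    "ME21N": "CREATE_PO",
    "ME29N": "APPROVE_PO",
    "MM03": "DISPLAY_MATERIAL",   # display-only transaction; no rule references it
}

# Constructed role definitions and user-to-role assignments (the "application security tables").
ROLE_TCODES = {
    "Z_AP_CLERK": {"XK01", "MM03"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_PO_APPROVER": {"ME29N"},
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},   # can both create and pay vendors
    "bob": {"Z_BUYER", "Z_PO_APPROVER"},        # can both create and approve POs
    "carol": {"Z_BUYER"},                       # no conflicting capability
}

# Constructed mitigation assignments: a compensating control accepted for a user/rule pair.
MITIGATIONS = {"bob": {"SOD-002"}}


@dataclass(frozen=True)
class UsageEvent:
    """One executed transaction, as it would appear in a transaction/usage table."""
    user: str
    tcode: str
    at: datetime


T0 = datetime(2014, 8, 1, 9, 0)
USAGE_LOG = [                                              # constructed usage records
    UsageEvent("alice", "XK01", T0),
    UsageEvent("alice", "F110", T0 + timedelta(days=3)),   # alice executed both sides of SOD-001
    UsageEvent("bob", "ME21N", T0 + timedelta(days=1)),    # bob executed only one side of SOD-002
    UsageEvent("carol", "ME21N", T0 + timedelta(days=2)),
]


def functions_for_user(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Business functions a user *can* execute, derived from role assignments."""
    tcodes = set().union(*(role_tcodes[r] for r in user_roles.get(user, ())))
    return {TCODE_FUNCTION[t] for t in tcodes if t in TCODE_FUNCTION}


def preventative_findings(user_roles=USER_ROLES, rules=SOD_RULES, mitigations=MITIGATIONS):
    """Preventative check: users whose access rights allow both sides of a rule.

    Returns (user, rule_id, mitigated) tuples; mitigated conflicts are still
    reported so that the compensating control itself can be reviewed.
    """
    findings = []
    for user in sorted(user_roles):
        funcs = functions_for_user(user, user_roles)
        for rule_id, (left, right) in rules.items():
            if left in funcs and right in funcs:
                findings.append((user, rule_id, rule_id in mitigations.get(user, set())))
    return findings


def detective_findings(log=USAGE_LOG, rules=SOD_RULES, window=timedelta(days=90)):
    """Detective check: users who actually executed both sides of a rule within `window`."""
    by_user = {}
    for event in log:
        by_user.setdefault(event.user, []).append(event)
    findings = []
    for user in sorted(by_user):
        events = by_user[user]
        for rule_id, (left, right) in rules.items():
            left_times = [e.at for e in events if TCODE_FUNCTION.get(e.tcode) == left]
            right_times = [e.at for e in events if TCODE_FUNCTION.get(e.tcode) == right]
            if any(abs(a - b) <= window for a in left_times for b in right_times):
                findings.append((user, rule_id))
    return findings


if __name__ == "__main__":
    for user, rule_id, mitigated in preventative_findings():
        print(f"POTENTIAL  {user:<6} {rule_id} mitigated={mitigated}")
    for user, rule_id in detective_findings():
        print(f"ACTUAL     {user:<6} {rule_id}")
```

Running it lists alice under both checks (she holds and has used both sides of SOD-001), bob only under the preventative check with his mitigation flagged (he can release a PO he created but has not done so), and carol under neither. Because both checks evaluate business functions rather than transaction codes, the same two rules apply to any connected system whose transactions have been mapped into the normalization table.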

Pages 22-27: image-only slides (no text extracted)

Page 28

Customer Value

Gain a clear understanding of cost of access violations and impact on the organization

Reduce manual control efforts and eliminate false positives

Centrally track investigation and resolution of access violations

Give business users ownership of remediation activities

Alert business owners only when exceptions occur

Extend the investment in & functionality of GRC

Page 29

Agenda

Page 30

Utility Dive “State of the Electric Utility” Report

Do you anticipate your utility’s regulatory model to change over the next 10 years?

95% anticipate their regulatory model will change over the next 10 years

57% believe regulations will change significantly

What are the three most pressing challenges for your utility?

1. Old Infrastructure (48%)
2. Current Regulatory Model (32%)
3. Aging Workforce (31%)
…
12. Cybersecurity (11%)

http://app.assetdl.com/landingpage/siemens-2014-electric-utility-survey/

Page 31

Challenges in Managing Regulatory Change

Figure: IT Compliance, Business, Audit and Legal each maintain their own Requirements and their own Control, four separate requirement/control silos

Page 32

Unified Regulatory Change Management

Figure: the Requirements of IT Compliance, Business, Audit and Legal feed one Regulatory Change Management process that yields a single Unified Control

Page 33

Customer challenge: Quickly assess and accommodate new and changed regulations

Customers need the ability to:

– Establish accountability and unify regulatory requirements across key stakeholders

– Align regulatory requirements with internal control activities and operations

– Automate execution and testing of controls across enterprise systems

Page 34

Regulation Management Process: Regulatory Intake, Collaboration & Execution

1. Regulatory Citations

• Capture, intake and reporting of regulations

• Leverage content from UCF, LexisNexis, Thomson Reuters, etc.

• Regulatory alerts and monitoring

2. Requirements

• Version control and gap analysis

• Delta change management

• Pre-built reports for regulatory requirements

3. Collaboration

• Central repository for regulatory content, requirements and reporting

• Comment and interact from start to finish

• Share and review best practices

Workflow

• Dynamic, multi-threaded workflow capabilities

• Review all or part of citations, requirements or controls at any time

Control Definition

• Best practice control mapping & content creation

• Unified control framework for all regulatory agencies

• Map controls back to citations

4. Controls Management

• Manage, monitor and test controls against production systems

Control Automation

• Automatically execute control tests and import results

Reporting and Documentation

• Capture, store and report results

• Manage and maintain findings

Stakeholders: IT Compliance, Business, Audit, Legal

Page 35

Regulatory Change Management – Example

Regulatory Requirements

• NERC CIP-002: Critical Asset Identification

• SANS Top 20 Critical Controls (NIST): Control 1: Inventory of Authorized Devices; Control 2: Inventory of Authorized and Unauthorized Software

• ISO 27002 Section 7: Responsibility of Assets, Ownership and Accountability

• Sarbanes-Oxley (SOX): Risk Assessment, Objective Setting, Event Identification

Universal Control

Asset Identification that includes ownership of and accountability for the asset

Instead of 4 controls that are compliance driven, now you have one control that is operations driven, where compliance is a natural byproduct

Page 36

Unified Regulatory Control Framework – Example

Columns: NERC CIP Version 3 | NERC CIP Version 5 | SANS Top 20

CIP-002-3 Critical Cyber Asset Identification / CIP-002-5 BES Cyber System Categorization

• v3 R1: Risk-Based Assessment Methodology (RBAM) to identify Critical Assets (CA)

• v3 R2: Apply RBAM to identify Critical Assets

• v3 R3: Identify Critical Cyber Assets (CCA)

• v3 R4: Annual approval of RBAM, CA list, CCA list

• v5 R1: Attachment 1 of CIP-002-5 incorporates the “Bright Line Criteria” to classify BES Assets as Low, Medium, or High; called BES Cyber Systems, consolidating CAs and CCAs

• v5 R2: BES Cyber System lists must be reviewed and approved every 15 calendar months

• SANS: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment and Remediation

CIP-004-3 Personnel and Training / CIP-004-5 Personnel and Training

• v3 R1: Awareness: Security Awareness Program; v5 R1: Security Awareness Program (reference Table 1: Security Awareness Program Criteria in standard)

• v3 R2: Training: Cyber Security Training Program; v5 R2: Training Program (reference Table R2 Cyber Security Training Program in standard)

• v3 R3: Personnel Risk Assessment; v5 R3: PRA Program (reference Table R3 PRA Program in standard)

• v3 R4: Access; v5 R4: Access Management Program (reference Table R4 Access Management Program in standard for required program criteria)

• v5 R5: Access Revocation Program (reference Table R5 Access Revocation for required program criteria)

• SANS: Critical Control 15: Controlled Access Based on Need to Know; Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps

CIP-005-3 Electronic Security Perimeter(s) / CIP-005-5 Electronic Security Perimeter(s)

• v3 R1: Electronic Security Perimeters: all CCAs must reside within an ESP; v5 R1: Electronic Security Perimeters (reference Table R1 Electronic Security Perimeter for required criteria); SANS: Control 1: Inventory of Authorized and Unauthorized Devices, Control 2: Inventory of Authorized and Unauthorized Software, Control 4: Continuous Vulnerability Assessment/Remediation, Critical Control 13: Boundary Defense

• v3 R2: Electronic Access Controls; v5 R2: Interactive Remote Access Management (Table R2); SANS: Control 1, Control 2, Control 4, Critical Control 13: Boundary Defense, Critical Control 16: Account Monitoring and Control

• v3 R3: Monitoring Electronic Access

• v3 R4: Cyber Vulnerability Assessment

• v3 R5: Documentation Review and Maintenance

Page 37

Unified Regulatory Control Framework – Example #2

Columns: ISO 17799:2005 | COBIT 4.0 | SOX | PCI | NERC CIP | SANS Top 20

Section 1: Risk Assessment

1.1 Assessing Security Risks: Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization

• COBIT: Plan and Organize: PO9 Assess and Manage IT Risks; Monitor and Evaluate: ME3 Ensure Regulatory Compliance, ME4 Provide IT Governance

• SOX: Risk Assessment, Objective Setting, Event Identification

• PCI: N/A

• NERC CIP: 002 – Critical Cyber Asset Identification

• SANS: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment and Remediation

1.2 Treating Security Risks: Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties

• COBIT: Plan and Organize: PO9 Assess and Manage IT Risks; Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control

• SOX: Risk Response, Event Identification

• PCI: N/A

• NERC CIP: 002 – Critical Cyber Asset Identification; 007 – Systems Security Management; 008 – Incident Reporting and Response Planning

• SANS: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized & Unauthorized Software; Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches; Critical Control 18: Incident Response and Management

Section 2: Security Policy

2.1 Information Security Policy: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals

• COBIT: Plan and Organize: PO1 Define a Strategic IT Plan; PO4 Define the IT Processes, Organization and Relationships; PO6 Communicate Management Aims and Direction; PO7 Manage IT Human Resources

• SOX: Internal Environment, Objective Setting, Risk Assessment

• PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security

• NERC CIP: 003 – Security Management Controls

• SANS: Critical Control 15: Controlled Access Based on Need to Know

Section 3: Organization of Information Security

3.1 Internal Organization: A management framework should be established to initiate and control the implementation of information security within the organization

• COBIT: Deliver and Support: DS5 Ensure Systems Security

• SOX: Internal Environment, Control Activities, Information and Communication

• PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security

• NERC CIP: 003 – Security Management Controls

• SANS: Critical Control 15: Controlled Access Based on Need to Know

3.2 External Parties: To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties

• COBIT: Plan and Organize: PO8 Manage Quality; Deliver and Support: DS1 Define & Manage Service Levels, DS2 Manage Third-Party Services, DS5 Ensure Systems Security

• SOX: Internal Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring

• PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security

• Remaining columns: N/A

Pages 38-45: image-only slides (no text extracted)

Page 46

Enterprise Control Management – Example

Enterprise Control Automation

• HR termination / position-based revocation of user access

• Enterprise de-provisioning

• Audit reporting

Regulatory Requirements

• NERC CIP, NIST, etc.: 24 / 48 hour de-provisioning to critical infrastructure

• Sarbanes-Oxley (SOX): User access reviews

Universal Control

• Regulatory compliance becomes a byproduct of enterprise control automation

• One control to satisfy operational security, compliance regulations and audit requirements
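The slide above describes one automated control (an HR termination triggers enterprise de-provisioning, with audit reporting) that is meant to satisfy the 24 / 48 hour de-provisioning expectation for critical infrastructure and the SOX user access review requirement at once. The following Python script is an added illustration of how such a control can be evaluated and evidenced; it is not SAP’s code and is not part of the original deck. The system names, the assignment of a 24-hour deadline to the critical-infrastructure system and 48 hours to the others, the HR feed and the account states are all constructed.

```python
"""Termination-driven de-provisioning check with per-regulation audit evidence (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Termination:
    """HR termination event: the moment the revoke-access clock starts."""
    user: str
    effective: datetime


@dataclass(frozen=True)
class AccountState:
    """Account on one system; revoked_at is None while the account is still enabled."""
    user: str
    system: str
    revoked_at: Optional[datetime]


# Constructed system inventory: de-provisioning deadline in hours per system, following the
# slide's "24 / 48 hour" figure (assumed split: 24 h for the critical-infrastructure system,
# 48 h for corporate systems).
DEADLINE_HOURS = {"EMS-SCADA": 24, "ERP-FI": 48, "HR-PORTAL": 48}

# Regulations the single de-provisioning control produces evidence for (named on the slide).
CONTROL_CITATIONS = ("NERC CIP", "NIST", "SOX user access reviews")

T0 = datetime(2014, 8, 1, 9, 0)
TERMINATIONS = [                                       # constructed HR feed
    Termination("alice", T0),
    Termination("bob", T0 + timedelta(days=1)),
    Termination("carol", T0 + timedelta(days=4, hours=12)),
]
ACCOUNTS = [                                           # constructed account states
    AccountState("alice", "EMS-SCADA", T0 + timedelta(hours=20)),   # revoked within 24 h
    AccountState("alice", "ERP-FI", T0 + timedelta(hours=60)),      # revoked after the 48 h deadline
    AccountState("bob", "HR-PORTAL", None),                          # still enabled and overdue
    AccountState("carol", "EMS-SCADA", None),                        # still enabled, clock still running
    AccountState("dave", "ERP-FI", None),                            # never terminated: out of scope
]


def evaluate(terminations=TERMINATIONS, accounts=ACCOUNTS, now=T0 + timedelta(days=5),
             deadlines=DEADLINE_HOURS):
    """One finding per (terminated user, account); status is ok, late, overdue or pending."""
    effective_by_user = {t.user: t.effective for t in terminations}
    findings = []
    for acct in accounts:
        if acct.user not in effective_by_user:
            continue                      # the control is triggered by HR termination only
        start = effective_by_user[acct.user]
        deadline = start + timedelta(hours=deadlines[acct.system])
        if acct.revoked_at is None:
            status = "overdue" if now > deadline else "pending"
            hours = round((now - start).total_seconds() / 3600, 1)
        else:
            hours = round((acct.revoked_at - start).total_seconds() / 3600, 1)
            status = "ok" if acct.revoked_at <= deadline else "late"
        findings.append({"user": acct.user, "system": acct.system, "hours": hours,
                         "status": status, "evidences": CONTROL_CITATIONS})
    return findings


def summary(findings):
    """Counts per status, i.e. the figures an audit report would carry."""
    counts = {}
    for finding in findings:
        counts[finding["status"]] = counts.get(finding["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate():
        print(f"{f['status']:<8} {f['user']:<6} {f['system']:<10} {f['hours']:>6} h  "
              f"evidence for: {', '.join(f['evidences'])}")
    print(summary(evaluate()))
```

Each finding carries the list of regulations the control evidences, so one run yields the NERC CIP/NIST timing evidence and the SOX access-review evidence together. The `pending` status separates an account whose clock is still running from one that is actually overdue, which matters whenever the report is cut in the middle of a revocation window.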

Page 47

Automated De-Provisioning

Page 48

Compliance Control

Pages 49-50: image-only slides (no text extracted)

Page 51

Customer value

Compliance “just happens”

•Centrally manage and report on regulatory and compliance requirements across the organization

•Enable auditability for enterprise regulatory compliance processes

•Reduce cost and risk of control redundancy

Page 52

Example Utility Customer Profiles

Pacific Gas & Electric

• Eliminate manual activities associated with SoD & critical access risk

• Reduce FTE hours required to prepare SoD reports

• Provide compliance and business stakeholders visibility into the financial impact of risk to the organization

Southern California Edison

• Reduce costs of regulatory compliance & manual activities

• Reduce audit-related costs for key IT & business controls

• 100% visibility, monitoring & reporting of transactional activity

Florida Power & Light

• Enable enterprise SoD risk management

• Automate manual compliant user provisioning / de-provisioning

The EDF Group

• Eliminate manual security processes

• Automate risk management between SAP & CashPooler

Page 53