The Evolution of Regulatory Compliance
An End-to-End Solution for Ensuring & Managing Regulatory Compliance by SAP
August 2014
Nov 16, 2014
© 2014 SAP AG. All rights reserved.
Agenda
Cybersecurity Landscape
Evolution of Compliance Solutions
Managing Access Violations (SOX)
Financial Impact of Access Risk
Continuous Control Monitoring (SoD & Critical Access)
Real-Time Cross Enterprise Control (Business Applications & IT Systems)
Managing Regulations (FERC, NERC, CIP, etc.)
Regulatory Change Management
Enterprise Control Management
Unified Regulatory Controls
Security By The Numbers
2 billion Internet-enabled devices exist today
Trends suggest 7 billion+ in four years
68,000+ hacker tools available today
5.6M counterfeit computer chips seized
8 character passwords cracked in an hour
14 char alphanumeric cracked in <3 min
Advantage: Adversaries
Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists. They have three things you don’t: people, money and time.
Cybersecurity Landscape
Research, espionage, organized crime, cyber/info warfare
Nation state quality defense is the new norm
Inference and Aggregation
Cyber-kinetic impacts
Engineering vs. Security
No 100% Prevention
Strategic Security Outlook
• Critical infrastructure is a high-value target; sufficient “MMO” (means, motive and opportunity) exist for significant impacts to any size organization, no matter how big or small
• Adversaries will easily outpace regulation, procurement and implementation cycles; hackers are faster than laws
• Focus on people and process first, technology second; automating a bad process or practice will only cause you to fail faster and more accurately
• Beware of complexity, it can be the enemy of security; don’t forget that technology still requires care and feeding (read: people)
• Continuous monitoring is the most mature state; always be working toward it
• Balance prevention, detection and response; seek to achieve “singularity”
Evolution of Compliance Solutions – Point Solutions
• Most utilities have one or more security/operational tools in place: stand-alone “point solutions” with a singular purpose.
• Regulatory compliance obligations have resulted in the exploration of compliance outputs from security/operational toolsets.
• These toolsets were never designed as singular compliance-driven solutions.
• That is changing, as compliance solutions are in high demand at utilities and vendors see an opportunity to address compliance.
Evolution of Compliance Solutions – Point Solutions
Typical point solutions:
• Security Incident and Event Management (SIEM)
• Security logging
• Patch management
• Configuration management
Evolution of Compliance Solutions – GRC
Document management:
• Compliance audits were documentation/evidence focused
• Still manually dependent population of the solution
SharePoint:
• Still manual, but can incorporate calendar notifications and task management
• Easy to deploy
• Data integrity concerns
• Non-sustainable
Evolution of Compliance Solutions – GRC
Why GRC?
• Expanding granularity in regulatory requirements makes a manual approach non-sustainable
• Pro-active vs. re-active
• Enterprise layer to manage/integrate point solution outputs
• Workflow automation
• Self-assessment functionality
• Detection and mitigation automation through workflows
• Controls testing and design
• Forces consistency in data
Evolution of Compliance Solutions – GRC
“I don’t have time to do this compliance stuff and my day job!”
Utilities should never have to hear this complaint again if:
– Sound operational/security-driven processes and controls are in place that “bake in” compliance
– GRC technology is being leveraged to sustain and enforce controls and processes
Current GRC situation
• Access governance processes continue to be manually intensive and operate in silos across the enterprise
• Lack of visibility into the financial exposure resulting from access risk violations
Today’s Approach
Assess the financial exposure of access risk
• Summarize the dollar value of actual access violations
• Clearly articulate the financial exposure that broad user access has on the business
• Drive change where impact exceeds the materiality threshold
Enable exception-based monitoring
• Automate identification and review of actual access violations
• Alert business owners only when exceptions occur, reducing manual control efforts and eliminating false positives
• Comprehensive library of automated SoD controls across business processes
• Centralized tracking, investigation and resolution of access violations
Reduce enterprise-wide access governance costs
• Extend the capabilities of SAP Access Control across enterprise systems
• Enable business ownership of access governance and remediation activities
SAP Access Violation Management – Manage user access based on business impact
[Figure: solution components and the systems they cover]
• SOX: Access Risk Analysis, User Access Management, Emergency Access Management, Business Role Management
• Real-Time Cross Enterprise Control: Discovery, Aggregation, Correlation and Normalization
• Continuous Monitoring: User, Role and Risk Modeling, Accelerated Remediation, Automated Mitigating Controls
• Financial Exposure of Access Risk: Bottom-line Dollar Value
• Systems covered: Cloud & SaaS, Business Applications, Core ERP, Legacy/Custom Solutions, Other ERP
SAP Access Control – Manage access risk and prevent fraud
• Monitor emergency access and transaction usage
• Certify access assignments are still warranted
• Define and maintain roles in business terms
• Automate access assignments across enterprise systems
• Find and remediate SoD and critical access violations
[Figure residue: SAP_ALL, X, Legacy, Oracle]
Access Violation Management – Reduce enterprise-wide access governance costs
• Authorization models for all business applications are correlated and normalized, which enables SoD rules to be maintained in one location: Access Control
• Access risk analysis, simulation, mitigation and access requests are the same for the end user across all business applications
Prevent potential risk & detect actual violations
Segregation of Duties – Preventative:
• SoD rules
• Reviewing user access rights and monitoring application security tables
• Visibility into users and roles with the capability to perform high-risk transactions
• Leveraging SoD rule sets
Access Violation Management – Detective:
• Mitigation rules
• Reviewing transaction metadata and monitoring usage in transaction tables
• Visibility into actual usage and violations executed against high-risk transactions in conflict with policy
• Leveraging analytics rule sets
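The preventative/detective split above is easiest to see with both checks run over the same data. The following is an added example written for this page, not SAP code and not an SAP GRC API: the SoD rule set, role definitions, user-role assignments and transaction usage log are all constructed, and the function names are assumptions. The preventative check reads entitlements (who *could* perform both sides of a conflict) from role assignments, as a review of application security tables would; the detective check reads actual transaction usage and reports only users who executed both sides within a window, which is the smaller set that a business owner actually needs to be alerted about.

```python
"""Segregation-of-duties checks: preventative (entitlements) vs detective (usage).

Added example, not SAP's code. All data below is constructed for illustration;
the SoD rule ids, role names and transaction codes are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SoD rule set: a business function is realised by one or more
# transaction codes; a rule names two functions one person must not hold.
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "POST_VENDOR_PAYMENT": {"F110", "F-53"},
    "MAINTAIN_USER": {"SU01"},
    "ASSIGN_ROLE": {"PFCG"},
}
SOD_RULES = [  # (rule id, function A, function B, risk level)
    ("P001", "CREATE_VENDOR", "POST_VENDOR_PAYMENT", "high"),
    ("B001", "MAINTAIN_USER", "ASSIGN_ROLE", "critical"),
]

# Constructed entitlement data, the kind a preventative check reads from
# application security tables: role -> transactions, user -> roles.
ROLES = {
    "Z_AP_CLERK": {"XK01", "FB60"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
    "Z_DISPLAY": {"FK03"},
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "bob": {"Z_AP_CLERK", "Z_DISPLAY"},
    "carol": {"Z_BASIS_ADMIN"},
}

# Constructed transaction usage log, the kind a detective check reads from
# transaction/usage tables: (timestamp, user, transaction code).
USAGE_LOG = [
    ("2014-08-04 09:12:00", "alice", "XK01"),
    ("2014-08-04 09:40:00", "alice", "F110"),
    ("2014-08-04 10:05:00", "bob", "XK01"),
    ("2014-08-05 11:30:00", "carol", "SU01"),
]


def user_tcodes(user, user_roles=USER_ROLES, roles=ROLES):
    """Transactions a user is entitled to run through the roles assigned."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= roles.get(role, set())
    return codes


def potential_violations(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """Preventative: users whose entitlements cover both sides of a rule."""
    findings = []
    for user in sorted(user_roles):
        codes = user_tcodes(user, user_roles, roles)
        for rule_id, func_a, func_b, risk in rules:
            if codes & FUNCTIONS[func_a] and codes & FUNCTIONS[func_b]:
                findings.append((user, rule_id, risk))
    return findings


def actual_violations(log=USAGE_LOG, rules=SOD_RULES, window=timedelta(days=30)):
    """Detective: users who executed both sides of a rule within `window`."""
    by_user = defaultdict(list)
    for ts, user, tcode in log:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tcode))
    findings = []
    for user, events in sorted(by_user.items()):
        for rule_id, func_a, func_b, risk in rules:
            a_times = [t for t, c in events if c in FUNCTIONS[func_a]]
            b_times = [t for t, c in events if c in FUNCTIONS[func_b]]
            if any(abs(ta - tb) <= window for ta in a_times for tb in b_times):
                findings.append((user, rule_id, risk))
    return findings


if __name__ == "__main__":
    print("potential (preventative):", potential_violations())
    print("actual (detective):", actual_violations())
```

On the constructed data the preventative check flags both alice and carol, while the detective check confirms only alice, who actually created a vendor and released a payment in the same session; carol holds a critical conflict but has not exercised it, so she is a candidate for role remediation rather than an incident.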
Customer Value
Gain a clear understanding of cost of access violations and impact on the organization
Reduce manual control efforts and eliminate false positives
Centrally track investigation and resolution of access violations
Give business users ownership of remediation activities
Alert business owners only when exceptions occur
Extend the investment in & functionality of GRC
Utility Dive “State of the Electric Utility” Report
Do you anticipate your utility’s regulatory model to change over the next 10 years?
• 95% anticipate their regulatory model will change over the next 10 years
• 57% believe regulations will change significantly
What are the three most pressing challenges for your utility?
1. Old Infrastructure (48%)
2. Current Regulatory Model (32%)
3. Aging Workforce (31%)
…
12. Cybersecurity (11%)
http://app.assetdl.com/landingpage/siemens-2014-electric-utility-survey/
Challenges in Managing Regulatory Change
[Figure: IT, Compliance, Business, Audit and Legal each maintain their own requirements and their own control]
Unified Regulatory Change Management
[Figure: IT, Compliance, Business, Audit and Legal requirements feed one Regulatory Change Management process that produces a Unified Control]
Customer challenge: Quickly assess and accommodate new and changed regulations
Customers need the ability to:
– Establish accountability and unify regulatory requirements across key stakeholders
– Align regulatory requirements with internal control activities and operations
– Automate execution and testing of controls across enterprise systems
Regulation Management Process – Regulatory Intake, Collaboration & Execution
1. Regulatory Citations: capture, intake and reporting of regulations; leverage content from UCF, LexisNexis, Thomson Reuters, etc.; regulatory alerts and monitoring
2. Requirements: version control and gap analysis; delta change management; pre-built reports for regulatory requirements
3. Collaboration: central repository for regulatory content, requirements and reporting; comment and interact from start to finish; share and review best practices
   Workflow: dynamic, multi-threaded workflow capabilities; review all or part of citations, requirements or controls at any time
   Control Definition: best-practice control mapping & content creation; unified control framework for all regulatory agencies; map controls back to citations
4. Controls Management: manage, monitor and test controls against production systems
   Control Automation: automatically execute control tests and import results
   Reporting and Documentation: capture, store and report results; manage and maintain findings
Stakeholders: IT, Compliance, Business, Audit, Legal
Regulatory Change Management – Example
Regulatory Requirements:
• NERC CIP-002: Critical Asset Identification
• SANS Top 20 Critical Controls (NIST): Control 1: Inventory of Authorized Devices; Control 2: Inventory of Authorized and Unauthorized Software
• ISO 27002 Section 7: Responsibility of Assets, Ownership and Accountability
• Sarbanes-Oxley (SOX): Risk Assessment, Objective Setting, Event Identification
Universal Control:
• Asset identification that includes ownership and accountability for the asset
Instead of 4 controls that are compliance driven, you now have one control that is operations driven, where compliance is a natural byproduct.
Unified Regulatory Control Framework – Example
Columns: NERC CIP Version 3 | NERC CIP Version 5 | SANS Top 20

CIP-002-3 Critical Cyber Asset Identification | CIP-002-5 BES Cyber System Categorization
  v3 R1: Risk-Based Assessment Methodology (RBAM) to identify Critical Assets (CA)
  v5 R1: Attachment 1 of CIP-002-5 incorporates the “Bright Line Criteria” to classify BES Assets as Low, Medium or High; called BES Cyber Systems, consolidating CAs and CCAs
  v3 R2: Apply RBAM to identify Critical Assets
  v5 R2: BES Cyber System lists must be reviewed and approved every 15 calendar months
  v3 R3: Identify Critical Cyber Assets (CCA)
  v3 R4: Annual approval of RBAM, CA list, CCA list
  SANS: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment and Remediation

CIP-004-3 Personnel and Training | CIP-004-5 Personnel and Training
  v3 R1: Awareness: Security Awareness Program
  v5 R1: Security Awareness Program; reference Table 1: Security Awareness Program Criteria in the standard
  v3 R2: Training: Cyber Security Training Program
  v5 R2: Training Program; reference Table R2 Cyber Security Training Program in the standard
  v3 R3: Personnel Risk Assessment
  v5 R3: PRA Program; reference Table R3 PRA Program in the standard
  v3 R4: Access
  v5 R4: Access Management Program; reference Table R4 Access Management Program in the standard for required program criteria
  v5 R5: Access Revocation Program; reference Table R5 Access Revocation for required program criteria
  SANS: Critical Control 15: Controlled Access Based on Need to Know; Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps

CIP-005-3 Electronic Security Perimeter(s) | CIP-005-5 Electronic Security Perimeter(s)
  v3 R1: Electronic Security Perimeters: all CCAs must reside within an ESP
  v5 R1: Electronic Security Perimeters; reference Table R1 Electronic Security Perimeter for required criteria
  SANS: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment/Remediation; Critical Control 13: Boundary Defense
  v3 R2: Electronic Access Controls
  v5 R2: Interactive Remote Access Management (Table R2)
  SANS: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment/Remediation; Critical Control 13: Boundary Defense; Critical Control 16: Account Monitoring and Control
  v3 R3: Monitoring Electronic Access
  v3 R4: Cyber Vulnerability Assessment
  v3 R5: Documentation Review and Maintenance
Unified Regulatory Control Framework – Example #2
Columns: ISO 17799:2005 | COBIT 4.0 | SOX | PCI | NERC CIP | SANS Top 20

Section 1: Risk Assessment
1.1 Assessing Security Risks: identify, quantify and prioritize risks against criteria for risk acceptance relevant to the organization
  COBIT 4.0: Plan and Organize: PO9 Assess and Manage IT Risks; Monitor and Evaluate: ME3 Ensure Regulatory Compliance, ME4 Provide IT Governance
  SOX: Risk Assessment; Objective Setting; Event Identification
  PCI: N/A
  NERC CIP: 002 – Critical Cyber Asset Identification
  SANS Top 20: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized and Unauthorized Software; Control 4: Continuous Vulnerability Assessment and Remediation
1.2 Treating Security Risks: determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties
  COBIT 4.0: Plan and Organize: PO9 Assess and Manage IT Risks; Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control
  SOX: Risk Response; Event Identification
  PCI: N/A
  NERC CIP: 002 – Critical Cyber Asset Identification; 007 – Systems Security Management; 008 – Incident Reporting and Response Planning
  SANS Top 20: Control 1: Inventory of Authorized and Unauthorized Devices; Control 2: Inventory of Authorized & Unauthorized Software; Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers and Switches; Critical Control 18: Incident Response and Management

Section 2: Security Policy
2.1 Information Security Policy: an information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals
  COBIT 4.0: Plan and Organize: PO1 Define a Strategic IT Plan; PO4 Define the IT Processes, Organization and Relationships; PO6 Communicate Management Aims and Direction; PO7 Manage IT Human Resources
  SOX: Internal Environment; Objective Setting; Risk Assessment
  PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
  NERC CIP: 003 – Security Management Controls
  SANS Top 20: Critical Control 15: Controlled Access Based on Need to Know

Section 3: Organization of Information Security
3.1 Internal Organization: a management framework should be established to initiate and control the implementation of information security within the organization
  COBIT 4.0: Deliver and Support: DS5 Ensure Systems Security
  SOX: Internal Environment; Control Activities; Information and Communication
  PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
  NERC CIP: 003 – Security Management Controls
  SANS Top 20: Critical Control 15: Controlled Access Based on Need to Know
3.2 External Parties: to maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
  COBIT 4.0: Plan and Organize: PO8 Manage Quality; Deliver and Support: DS1 Define & Manage Service Levels, DS2 Manage Third-Party Services, DS5 Ensure Systems Security
  SOX: Internal Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring
  PCI: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
  NERC CIP: N/A
Enterprise Control Management – Example
Enterprise Control Automation:
• HR termination / position-based revocation of user access
• Enterprise de-provisioning
• Audit reporting
Regulatory Requirements:
• NERC CIP, NIST, etc.: 24 / 48 hour de-provisioning of access to critical infrastructure
• Sarbanes-Oxley (SOX): user access reviews
Universal Control:
• Regulatory compliance becomes a byproduct of enterprise control automation
• One control to satisfy operational security, compliance regulations and audit requirements
Automated De-Provisioning
Compliance Control
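The "one control" idea above (an HR termination drives enterprise de-provisioning, and the same records feed the NERC CIP / SOX audit report) can be expressed as two small functions over the same data. This is an added example written for this page, not SAP code: the HR termination feed, account inventory, revocation log, system names and the 24 h / 48 h SLA mapping are all constructed, and the function names are assumptions. The first function is the operational control (which accounts still need revoking); the second is the compliance view of the same records as of a reporting time, flagging revocations that missed their SLA and open accounts already past it.

```python
"""Enterprise de-provisioning control: HR termination -> access revocation SLA.

Added example, not SAP's code. All feeds below are constructed; system names,
SLA hours and function names are assumptions made for illustration.
"""
from datetime import datetime, timedelta

# Constructed: critical-infrastructure systems carry a 24 h revocation SLA,
# ordinary business systems 48 h (the "24 / 48 hour" requirement on the slide).
SLA_HOURS = {"SCADA_HMI": 24, "EMS": 24, "ERP": 48, "AD": 48}

# Constructed HR termination feed: (person id, termination timestamp).
HR_TERMINATIONS = [
    ("E1001", "2014-08-01 17:00:00"),
    ("E1002", "2014-08-02 09:00:00"),
]
# Constructed account inventory: person id -> {system: account name}.
ACCOUNTS = {
    "E1001": {"SCADA_HMI": "jsmith", "ERP": "JSMITH", "AD": "jsmith"},
    "E1002": {"ERP": "MLEE", "AD": "mlee"},
}
# Constructed revocation log: (system, account, revoked timestamp).
REVOCATIONS = [
    ("SCADA_HMI", "jsmith", "2014-08-03 08:30:00"),  # 39.5 h after termination
    ("ERP", "JSMITH", "2014-08-02 10:00:00"),        # 17 h after termination
    ("AD", "mlee", "2014-08-02 12:00:00"),           # 3 h after termination
    # AD/jsmith and ERP/MLEE have no revocation record at all
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def pending_revocations(terminations=HR_TERMINATIONS, accounts=ACCOUNTS,
                        revocations=REVOCATIONS):
    """Operational control: every account of a terminated person not yet revoked.

    This is the work list an automated de-provisioning job would act on.
    """
    revoked = {(system, acct) for system, acct, _ in revocations}
    return [
        (pid, system, acct)
        for pid, _ in terminations
        for system, acct in sorted(accounts[pid].items())
        if (system, acct) not in revoked
    ]


def sla_exceptions(now, terminations=HR_TERMINATIONS, accounts=ACCOUNTS,
                   revocations=REVOCATIONS, sla_hours=SLA_HOURS):
    """Compliance view of the same records as of `now` (audit reporting).

    Returns (person, system, account, status, hours_over_sla) where status is
    "late" for a revocation completed after its deadline and "open_past_sla"
    for an account still active beyond the deadline at reporting time.
    """
    now = _ts(now)
    revoked_at = {(s, a): _ts(t) for s, a, t in revocations}
    findings = []
    for pid, terminated in terminations:
        for system, acct in sorted(accounts[pid].items()):
            deadline = _ts(terminated) + timedelta(hours=sla_hours[system])
            done = revoked_at.get((system, acct))
            if done is not None and done > now:
                done = None  # not yet revoked as of the reporting time
            if done is None and now > deadline:
                over = (now - deadline).total_seconds() / 3600
                findings.append((pid, system, acct, "open_past_sla", round(over, 1)))
            elif done is not None and done > deadline:
                over = (done - deadline).total_seconds() / 3600
                findings.append((pid, system, acct, "late", round(over, 1)))
    return findings


if __name__ == "__main__":
    print("pending:", pending_revocations())
    print("exceptions:", sla_exceptions("2014-08-05 00:00:00"))
```

Run against the constructed feeds as of 2014-08-05, the report shows one critical-infrastructure revocation that happened but missed the 24 h window (SCADA_HMI/jsmith), and two accounts still open past their 48 h deadline; the same `pending_revocations` list is what the de-provisioning automation would clear, which is why the compliance evidence and the operational control come from one place.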
Customer value
Compliance “just happens”
• Centrally manage and report on regulatory and compliance requirements across the organization
• Enable auditability for enterprise regulatory compliance processes
• Reduce cost and risk of control redundancy
Example Utility Customer Profiles
Pacific Gas & Electric
• Eliminate manual activities associated with SoD & critical access risk
• Reduce FTE hours required to prepare SoD reports
• Provide compliance and business stakeholders visibility into the financial impact of risk to the organization
Southern California Edison
• Reduce costs of regulatory compliance & manual activities
• Reduce audit-related costs for key IT & business controls
• 100% visibility, monitoring & reporting of transactional activity
Florida Power & Light
• Enable enterprise SoD risk management
• Automate manual compliant user provisioning / de-provisioning
The EDF Group
• Eliminate manual security processes
• Automate risk management between SAP & CashPooler