20130829 CIPUG MISO Process Improvement Program

MISO CIP Process Improvement Program
August 2013
MISO Overview
• Independent
• Non-profit
• 2001 – Reliability Coordinator
• 2005 – Energy Markets
• 2009 – Ancillary Services
• 2012 – Independent Coordinator of Transmission for Entergy Region
• Large Footprint – Midwest and Southern Regions
[Map: MISO Reliability Coordination Area, June 2013]
Current Scope of Operations
as of June 1, 2013
• Generation Capacity
– 131,522 MW (market – Midwest)
– 205,759 MW (reliability – Midwest + Southern regions)
• Historic Peak Load (Midwest Region) (July 23, 2012)
– 98,576 MW (market)
– 133,368 MW (reliability)
• 65,250 miles of transmission (Midwest Region)
– 15,752 Southern Region
– 49,528 Midwest Region
• Midwest Region: 11 states, 1 Canadian province
• Southern Region: 4 states (AR, LA, MS, TX)
(reliability only until Southern Region market integration in December 2013)
Speaker
• Chris Unton
– Currently: Sr. Manager, IT Compliance
– Past roles include:
• Identity & Access Management
• Disaster Recovery & Problem Management
• Enterprise Systems Management / Network Operations Center
• Data Networking
– Education
• BS Computer Science – Rose-Hulman Institute of Technology
• MBA – Indiana University Kelley School of Business
Disclaimer
• Any views and opinions represented are those of Chris Unton and do not necessarily reflect those of MISO
• Many of the activities described are in-flight rather than complete. Your mileage may vary.
Agenda
• Process Driven Approach to Compliance
• Ownership
• Six Sigma
• Program Structure
• Process Improvement Tools
• Governance and Execution
Traditional Model / “Audit Hamster Wheel”
Process Driven Approach
• Traditional Model does not drive behavior towards:
– Real-time compliance
– Security driven compliance
– Harmonization of approach across regulatory needs (NERC, FERC, SSAE 16, SOx)
• Process Based approach drives behavior towards:
– Baking in compliance evidence as a natural part of the process
– Ownership of the necessary activities
– Documentation of control objectives & activities
– Metrics to assess performance
Ownership Detail (Visual)
• 65 processes which support CIP compliance
• Majority (34 of 65) of the processes have more than three teams (or more than one division) involved in the core execution of the process
• Clearly defined roles & responsibilities of ownership are critical to success
– Process ownership in particular
[Diagram of the ownership hierarchy: Executive Oversight, Requirement Owner, Process Owner, Activity (Control) Owner]
CIP ROLES
(Arrows in the original diagram denote evidence flow)

IT Compliance
• Accountable for oversight to MISO’s compliance with CIP requirements.
• Supports the Requirement Owner by assisting with MISO’s interpretation of the CIP requirements.
• Validates that the processes under the Requirement Owner do meet compliance with the standard.
• Communicates changes/updates/guidance to standards and requirements to the Requirement Owners.
• Validates sufficiency of supporting evidence to demonstrate compliance.
• Drives MISO’s CIP Compliance Program

Requirement Owner
• Accountable for assuring MISO’s compliance with that particular requirement.
• Interprets what the requirement truly means to MISO and devises MISO’s response to support compliance with that requirement (with assistance of support teams).
• Identifies the processes needed to support compliance and gathers the appropriate people (process owners) together to ensure an end-to-end solution with no gaps. The requirement owner likely is also a process owner or manages process owners.
• Looks forward to ensure MISO adapts to changing regulations appropriately, while also designing solutions that support the objective of the regulation.
• Gathers evidence from process owners for self-assessments and audits, to make sure the evidence is in line with the expectations of the requirement.
• Drives the creation of the RSAW narrative that describes MISO’s compliance approach.
• First person to be interviewed by auditors who are evaluating MISO’s compliance with that requirement.
• If compliance issues arise, the requirement owner is accountable (coordinating with Compliance Services and other support staff) for the content of self-reports and mitigation plans to restore compliance with that requirement.

Process Owner
• Functional responsibility for the operation of a process that supports one or more compliance requirements.
• Designs solid, robust processes that support operational excellence and security/compliance needs.
• Recognizes inputs (upstream impacts) and outputs (downstream impacts) of the process.
• Responds to self-assessments and provides evidence (upon request) to the requirement owner demonstrating effective process operation.
• Identifies key activities (controls) within the process and assigns personnel to execute those control activities.
• Subject matter expert in his/her area of responsibility. This person uses multiple sources (compliance support staff, internal peers, industry counterparts, conferences, and training) to continually improve the process he/she owns.

Activity / Control Owner
• Responsible for a particular component of an overall process.
• Executes an activity according to procedure.
• Understands how activity execution fits into the larger process.
• Generates evidence as part of the activity execution, or assures that automated activities produce the expected output.
• Provides the evidence to downstream activities. During self-assessments or audit preparation, the control owner provides evidence to the process owner if it cannot be directly queried by the process owner.
Six Sigma
• Six Sigma is a fact-based, data-driven philosophy of quality improvement that values defect prevention over defect detection. It drives customer satisfaction and bottom-line results by reducing variation and waste, thereby promoting a competitive advantage. It applies anywhere variation and waste exist, and every employee should be involved.
• In simple terms, Six Sigma quality performance means no more than 3.4 defects per million opportunities.
• A methodology that takes an objective view of current performance and a structured approach to measurably improve it
DMAIC (Define, Measure, Analyze, Improve, Control)
[Diagram of the DMAIC cycle]
Program Structure
• Techniques (Comprehensive Review)
1. Identify/validate current requirement owners
2. Map requirements to processes
3. Identify/validate process owners
4. Identify areas that need improvement (health check)
   • Attributes: ownership, documentation, monitoring, complexity, automation
   • Mechanisms: survey, past performance, expert assessment
5. Analysis and Improvement
   • Kaizen events: Process (re)design, RACI, Policy and Procedures, Evidence, Automation / Tool Integration opportunities
6. Control – structure for on-going self-assessment and measurement
• Training
1. End-to-end requirement & process awareness
2. Effective self-assessment (control design & execution)
3. Process improvement
• Technology Integration
1. Utilize available tools
2. Schedule process improvement activities to coincide with tool deployment where appropriate
• Team
1. Concerted effort from a diverse skillset (projecting ~6000 hours of internal effort over 16 months)
2. Some consistent program support personnel, some subject matter experts as needed
Process Improvement Tools
• Kaizen Events
• Process Mapping
• SIPOC
• Data Analysis
• Piloting
• Workflow
• Automation
Kaizen Events
• Cross-functional team makes improvements in a methodological way
– Led by process owner
– Supported by a Six Sigma black belt
• Short duration (weeks), high intensity mini-project
• Focuses on the Analyze & Improve phases of the DMAIC cycle
• Produces evidence that can be used for the Control phase going forward
– Business Process Diagrams, procedures, RACI matrix
Process Mapping
• Visualize current & future processes
• Gain common understanding
• Identify pain points
• Speeds training and adoption
SIPOC (Suppliers, Inputs, Process, Outputs, Customers)
[Diagram of a SIPOC chart]
Data Analysis
• Asset based
– How many CIP cyber assets do we have?
– How many backup types?
– How many baseline configurations?
• Process based
– How many server commissions do we execute each year?
– How many firewall rule updates?
– How many significant changes?
• Reduce Complexity
• Align effort with volume
Piloting
• Take the new process through a trial run on real data
during the Kaizen event
• Demonstrates operational as well as compliance benefits
• Provides a chance to change or tweak a process
• Offers insight into the time and training required for a full
roll-out
Workflow
• Many of the CIP processes require a sequence of steps to be executed (including multiple teams)
– Ex: Security Controls Testing
1) Determine if the change is significant
2) Test the security impact of the change
3) Link the production work to the pre-production testing
• Remedy ticketing system has been our workflow engine of choice
• Other options exist
– Sharepoint
– Lombardi Teamworks
– Calendar reminders
Automation
• Philosophy: process first, automation second
• Sometimes, automation is essential to achieve a robust, efficient process
• Process areas we’ve explored or are planning for automation:
– Compliance training at onboarding
– Quarterly entitlement reviews
– Change monitoring
– Cyber Security event log review
Training / Awareness
• Online Learning Management System
– Quick, 10-15 minute slide decks with voice over
– Wide reach (some 200 person audiences)
– Employees familiar with the system already
– Repository that future employees can access
• Face to face sessions at team meetings
– In-depth knowledge transfer
– Interactive
– Time intensive
• “Plugged In” Communications
– News items, short story features
Program Governance
[Diagram of the governance structure: Executive Sponsors, Steering Committee, Program Lead, Ongoing MISO Governance Committees]
Maturity Roadmap
[Chart: Capability vs. Time, with maturity ranging from Immature to Highly Mature. Milestone labels on the chart:]
• Processes deliver Six Sigma quality
• Workflow automation
• Proactive adoption of future standards
• Compliance is a by-product of security
• Controls documented
• Processes optimized for efficiency
• Processes comprehensive
• Internal self assessments are audit comprehensive
• Manage to metrics
• Processes mapped
• Process orientation for compliance
• Evidence mapped to requirements
• Interpretations documented
• Named requirement owners
Execution
• Ensure process has trackable metrics built in
– Quantity
– Timeliness
– Completeness
• Maintain a robust internal assessment process
• Don’t forget to update RSAW narratives – these should be living and breathing as the process changes
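The Security Controls Testing sequence from the Workflow slide (decide significance, test the security impact, link the production work to the pre-production test) and the Quantity / Timeliness / Completeness metrics from the Execution slide, as an added Python example. This is not MISO's code or the page's own; the change-category significance rule, the field names, the 30-day SLA and the sample change records are assumptions constructed for illustration.

```python
"""Security Controls Testing workflow with compliance evidence baked in.

Added example, not MISO's code. It models the three-step sequence from the
Workflow slide (significance decision, pre-production security test,
production work linked to that test) and computes the Quantity / Timeliness /
Completeness metrics from the Execution slide. Field names, the significance
rule, the SLA and the sample records are assumptions built for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed rule: changes in these categories on a CIP cyber asset are
# "significant" and therefore require a security controls test.
SIGNIFICANT_CATEGORIES = {"os_patch", "firewall_rule", "baseline_config"}


@dataclass
class ChangeRecord:
    change_id: str
    asset: str
    category: str
    submitted: date
    test_evidence_id: Optional[str] = None  # step 2: pre-production test artifact
    test_date: Optional[date] = None
    prod_work_order: Optional[str] = None   # step 3: production ticket tied to the test
    implemented: Optional[date] = None


def is_significant(change: ChangeRecord) -> bool:
    """Step 1: decide whether the change is significant."""
    return change.category in SIGNIFICANT_CATEGORIES


def evidence_gaps(change: ChangeRecord) -> List[str]:
    """Evidence a significant change is still missing (empty list = complete)."""
    if not is_significant(change):
        return []
    gaps = []
    if change.test_evidence_id is None or change.test_date is None:
        gaps.append("step 2: no pre-production security test evidence")
    if change.prod_work_order is None:
        gaps.append("step 3: production work not linked to the test")
    if (change.test_date is not None and change.implemented is not None
            and change.test_date > change.implemented):
        gaps.append("step 3: test dated after production implementation")
    return gaps


def approve_for_production(change: ChangeRecord) -> bool:
    """Release gate: a significant change ships only with a complete evidence trail."""
    gaps = evidence_gaps(change)
    if gaps:
        raise ValueError(f"{change.change_id} blocked: " + "; ".join(gaps))
    return True


def metrics(changes: List[ChangeRecord], sla_days: int = 30) -> Dict[str, float]:
    """Quantity / Timeliness / Completeness over the significant changes."""
    significant = [c for c in changes if is_significant(c)]
    implemented = [c for c in significant if c.implemented is not None]
    timely = [c for c in implemented if (c.implemented - c.submitted).days <= sla_days]
    complete = [c for c in significant if not evidence_gaps(c)]
    return {
        "quantity": len(significant),
        "timely": len(timely),
        "timeliness": len(timely) / len(implemented) if implemented else 0.0,
        "complete": len(complete),
        "completeness": len(complete) / len(significant) if significant else 0.0,
    }


# Constructed sample records (asset names and ticket ids are made up).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "ems-app-01", "os_patch", date(2013, 6, 3),
                 "TST-17", date(2013, 6, 10), "WO-55", date(2013, 6, 12)),
    ChangeRecord("CHG-1002", "fw-ccz-02", "firewall_rule", date(2013, 6, 5),
                 "TST-18", date(2013, 6, 20), None, date(2013, 7, 1)),
    ChangeRecord("CHG-1003", "ems-app-01", "doc_update", date(2013, 6, 6)),
    ChangeRecord("CHG-1004", "hist-db-01", "baseline_config", date(2013, 5, 1),
                 None, None, "WO-60", date(2013, 6, 15)),
]

if __name__ == "__main__":
    for change in SAMPLE_CHANGES:
        try:
            approve_for_production(change)
            print(f"{change.change_id}: evidence complete")
        except ValueError as err:
            print(err)
    print(metrics(SAMPLE_CHANGES))
```

Running the module prints one gate decision per change and the metrics over the set. The point of the design is that the evidence (test artifact id, linked production ticket, dates) is captured as a side effect of executing each step, so the self-assessment and the Quantity / Timeliness / Completeness numbers can be queried from the records at any time rather than assembled by hand before an audit.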