Date posted: 18-Jul-2015
Category: Software
Uploaded by: 360factors
Regulatory Change Management
Ed Sattar, CEO,
SPEAKER: ED SATTAR
Ed Sattar is the CEO of 360factors. For more than a decade, Ed has made significant professional contributions to the regulatory compliance space across multiple industries. His experience includes extensive research for, and consulting to, regulatory compliance consulting firms, training providers, and state and federal regulatory agencies. During his tenure in the regulatory compliance workflow automation and eTraining space, he has identified key criteria and compliance standards that are currently being published and implemented.
Ed Sattar has been nominated for the Ernst & Young Entrepreneur of the Year award three times and was among the top seven finalists in 2009. 360training.com, the parent company of 360factors, has appeared on the Deloitte Fast 50 as the 6th fastest growing company in Texas. It has also been listed in the Inc. 5000 several times as one of the fastest growing companies.
Ed studied Electrical Engineering and Finance at the University of Texas at Austin.
EFFECTIVE OPERATIONAL RISK MANAGEMENT & THE THREE P'S (diagram: People, Planet, Profit)
Outline
Cyber Security Trends in Oil and Gas
Why Implement an IT GRC Management System
IT Governance, Risk and Compliance Management Model & Methodology
How to Implement an IT Governance, Risk and Compliance Management System
CYBER SECURITY RISK TRENDS
RISING REGULATIONS AND COST
The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations.
The April 2011 White House proposal [4] and the Cybersecurity Act of 2012 (S. 2105) would both mandate the promulgation of cybersecurity regulations for pipelines, among other privately-owned critical infrastructure sectors.
If you store any personal information, you have to have an information security policy.
In the U.S., the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 198 cyber incidents in 2012, as reported by asset owners and industry partners. Attacks against the energy sector represented 41% of the total number of incidents.
WHY IMPLEMENT AN IT GRC MANAGEMENT SYSTEM
Over 500,000 miles of high-volume pipeline gather and transport natural gas, oil, and other hazardous liquids across the United States. In addition, nearly 900,000 miles of smaller distribution pipeline deliver natural gas to businesses and homes.
While pipelines are an efficient and fundamentally safe means of transport, many carry volatile, flammable, or toxic materials with the potential to cause public injury and environmental damage.
Other Industry Pain Points (diagram):
Understanding Regulations
Regulatory / Standards Change Management
Internal Corporate Standards
Day-to-Day Compliance Tasking
Event-Driven Compliance Tasking
Predictive Risk Analysis
Corrective and Preventive Actions
Policy and Procedure Management
Risk Management
Training Management
Multiple Tools to Address Regulatory Compliance
CYBER SECURITY BEST PRACTICES
1. Implement security standards that may be applicable to your organization:
   1. ISA-99 / IEC 62443
   2. NERC CIP
   3. NIST SP 800-82
   4. ISO 27001 & 27002
2. Develop a cyber security framework and make it part of your overall Enterprise Governance, Risk and Compliance Management Framework.
3. Oil & Gas EHS Risk Management Process
IT GOVERNANCE, RISK & COMPLIANCE MANAGEMENT MODEL
IT GRC MANAGEMENT MODEL – FIVE STEPS
1. WHY = Standards / regulatory change management
2. WHAT = Risk and internal controls
3. HOW = Operational excellence and processes
4. WHERE = Location / assets
5. WHO = Defining and mapping roles / key management functions to metrics & P&L
IT GRC MANAGEMENT MODEL – FIVE STEPS (diagram: WHY = Regulatory Change Management; WHAT = Risks & Internal Controls; HOW = Operational Excellence and Workflow; WHO = Organization – Roles and Key Management Functions; WHERE = Location/Assets)
HOW TO IMPLEMENT AN IT GOVERNANCE, RISK & COMPLIANCE MANAGEMENT SYSTEM
Step 1 - Requirements Knowledge Base & Taxonomy (WHY)
System components: Requirements Knowledge Base & Taxonomy; Business Process; Risk and Internal Controls; Roles and Responsibilities; Locations and Assets
COMPONENTS OF REQUIREMENTS KNOWLEDGE BASE
1. Library - regulations, standards, requirements and objectives
2. Translate standards or regulatory requirements into action, evidence, subject, frequency
3. Monitor regulatory change
4. Regulations in effect to proposed
5. Mapping - regulatory requirements mapped to CAPA, policy procedures and evidence, risks and audits
6. Regulation applicability
Step 2 - Risk & Internal Controls (WHAT)
1. What is impacted? Environmental risk, financial risk, legal risk, cyber security risk, operational risk
2. Define internal controls: process, procedures, risk assessments, tasks, training
3. Define risk levels, which detail the impacting factors. Risk levelling is based on a systematic process that allows the organization to prioritize more efficiently and effectively assesses issues requiring immediate action.
Step 2 - Risk & Internal Controls (chart: regulatory compliance software positioned by workforce size, small to large, against risk level, low to high)
Step 3 - Business Processes (HOW)
1. Streamline cyber security compliance routines, processes, incidents and procedures into a coherent system.
2. Defining your business process and workflow should lead you to business continuity planning, an incident response plan, and cyber security workforce training and development. For example, if someone is about to plug a USB device into a computer or OT device and, by following procedure, first scans the USB, and the scan detects a virus, this should be recorded in a central log as a "near miss".
Step 4 - Location & Assets (WHERE)
1. Where is compliance done?
2. Compliance is done at the site and asset level.
Step 5 - Roles & Responsibility (WHO)
1. Establish an IT governance structure: roles, responsibilities, functions.
2. Process control security program: provide process control security awareness, training, policy, standards, compliance monitoring.
3. This last step ties together all four steps of the model.
4. Is there a specific role and responsibility structure, or can it vary across organizations and industries?
Step 5 - Roles & Responsibility
COMPONENTS OF ROLES AND RESPONSIBILITIES
1. Key roles and structure. Example: Information Security Officer, Operations Officer, CIO, CISO
2. Key functions. Example: Safety, Risk, Engineering, IT, OT
3. Key actions. Example: Compliance, Quality, Sustainability, Continuity & Response Capability, Training
4. Outcome / results
BENEFITS OF AN INTEGRATED MANAGEMENT SYSTEM (Source: Global survey by KPMG, Inc.)
AUTOMATE REGULATORY COMPLIANCE THROUGH SOFTWARE
Predict360 REGULATORY COMPLIANCE ARCHITECTURE
OIL & GAS GOVERNANCE, RISK & COMPLIANCE SOLUTIONS
Cyber Security
Safety Management System
Dodd Frank
Competency and Training Management
Asset Integrity Management
Plant Operations Management
Employee & Customer Complaint Management
Process Safety Management & SEMS
Environmental Information Management