Change management is top of mind for most compliance managers in Operational Technology (OT) driven industries. The following are our top 10 practical recommendations, drawn from what has worked for our customers' compliance managers as they roll out technologies and processes around change management.
10. Start with Large Breadth of Use Cases on a Small Depth of Hosts
The Compliance Manager should start with the complete breadth of technical and business use cases he wants to cover as part of the program. NERC CIP V5 brings ports & services, software and patches into the program, but configuration items such as users and system settings are very important as well and should be included. The Compliance Manager should also consider the business use cases, such as which aspects of the technologies and processes he wants to manage in-house vs. outsource. He should also start with the smallest and least critical of the production systems (such as a QAS system) to begin testing the technologies and socializing the processes.
9. Focus on Continuous Compliance
The Compliance Manager should establish operations keeping in mind that compliance is not a one-time event. Operations become much better when there is continuous compliance, continuous baselining, continuous logging, continuous review of firewall rules and users, and continuous documentation.
The audit then becomes simply an event that uses the documentation. Continuous compliance enables an "always audit-ready" program. Operations will be easier if compliance and documentation are part of the general day-to-day security process, as opposed to a stressful and painful audit process.
8. Do Not Push Change when there is Too Much Change
Compliance managers should not introduce new change when there is an audit coming up in the next few weeks. Introducing change when there is an on-going event hinders the progress on establishing a new program. Instead, the Compliance Manager should use the lessons learned from the most recent audit to build the new program.
7. Start with a Long Term Goal and Strategy
Compliance managers should start the change management program with an identified long-term goal such as "we want to use the technologies for the next audit". That will gear the team towards a goal and set clear targets for what needs to be accomplished. The Compliance Manager should also assign specific individuals responsibility for each compliance area.
6. Develop a Business Case for the Change Management Plan
All the use cases for Change Management, such as collection of the actual configuration items (patches, software, users), developing the baselines for each of those items, and evaluating the actuals against the baselines, are resource-intensive work and therefore should have their own business cases developed to support them. The business case and the corresponding justification of the spend will make the process of introducing change management functionality relatively smooth.
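The baseline evaluation described above (collect actual configuration items, compare them with the host's baseline, and reconcile any deviation against the documented change list from recommendation 4) as an added example; this is illustrative code, not a tool from the original post, and the QAS host data, the category names and the approved-change record are constructed assumptions.

```python
"""Baseline-vs-actual evaluation for NERC CIP configuration items (added example)."""

CATEGORIES = ("ports", "software", "patches", "users")


def evaluate(baseline, actual):
    """Compare one host's actual configuration items with its baseline.

    Both arguments map a category to a collection of items. The result maps
    each category to items 'added' (present, not baselined) and 'removed'
    (baselined, not present), sorted so the evidence output is stable.
    """
    report = {}
    for cat in CATEGORIES:
        base, now = set(baseline.get(cat, ())), set(actual.get(cat, ()))
        report[cat] = {"added": sorted(now - base), "removed": sorted(base - now)}
    return report


def unauthorized(report, approved_changes):
    """Return deviations that no approved change record covers.

    approved_changes maps a category to items whose addition or removal is
    documented in the change list; every other deviation needs investigation.
    """
    findings = []
    for cat, diff in report.items():
        allowed = set(approved_changes.get(cat, ()))
        for item in diff["added"]:
            if item not in allowed:
                findings.append(f"{cat}: '{item}' present but not baselined or approved")
        for item in diff["removed"]:
            if item not in allowed:
                findings.append(f"{cat}: '{item}' baselined but missing, no approved change")
    return findings


# Constructed sample data for a hypothetical QAS host (not real asset data).
BASELINE_QAS = {"ports": {"22/tcp", "443/tcp"},
                "software": {"scada-hmi 4.2", "openssh 8.9"},
                "patches": {"KB-0001", "KB-0002"},
                "users": {"operator", "svc_backup"}}
ACTUAL_QAS = {"ports": {"22/tcp", "443/tcp", "5900/tcp"},
              "software": {"scada-hmi 4.2", "openssh 8.9"},
              "patches": {"KB-0001"},
              "users": {"operator", "svc_backup", "tempadmin"}}
APPROVED_QAS = {"ports": {"5900/tcp"}}  # constructed: the new port was ticketed

if __name__ == "__main__":
    for line in unauthorized(evaluate(BASELINE_QAS, ACTUAL_QAS), APPROVED_QAS):
        print(line)
```

Run against the sample, the ticketed port is accepted while the missing patch and the unplanned account are reported as deviations that need a change record or an investigation.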
5. Take a Services View of the Change Management Program
Compliance activities are resource-intensive. Tools, technologies and processes will not help without budgeting for corresponding resources. Compliance managers should therefore think about the long-term viability of the program with respect to the services (possibly external) required. Such services include event monitoring, baseline management, maintaining evidence repositories, etc.
4. Focus on the Top 80% of the Pain Points
Compliance managers should focus on the biggest pain points and frequently asked questions for compliance and audit. The top 80% pain points are:
- Documentation of Critical Cyber Assets (CCAs), Cyber Assets, Electronic Access Points
- Documentation of ESPs (Electronic Security Perimeters) and PSPs (Physical Security Perimeters)
- Documentation of enabled ports and services, software, users and corresponding reports on each of the CCAs
- Documentation of baselines on each of the CCAs
- List of changes and corresponding documentation on the CCAs
3. Train the Employees, Bring in Operational People
The Compliance Manager should involve operational people (the people who operate the technologies that get deployed) right from the beginning. Otherwise the tools will be useless, since the operational people are the ones who will use the technologies regularly.
2. Act Fast Before It's Too Late
IT is moving fast towards a general trend of outsourcing. The longer the OT Compliance Manager waits to take action, the greater the chance that OT compliance will be outsourced as part of overall outsourcing initiatives within the company. OT compliance managers should therefore take proactive action to improve efficiency and performance before IT decides to handle it themselves, possibly with outsourced resources.
1. IT and Operations are Your Friends
IT is starved for resources, and when compliance managers take a proactive lead in setting up tools, processes and services for compliance, IT is generally happy that somebody else is taking up the work. The Compliance Manager should make sure that IT is kept in the loop, perhaps as level 3 support, so IT knows what's going on. Operational people and SMEs are the key to the success of a compliance management program, and compliance managers should make it a win-win program, since IT and Operations are happy to have compliance responsibility handled elsewhere. They do not want to deal with compliance.