Development of NERC CIP Program
The owner-operator of a portfolio of clean, efficient, and responsive power needed to develop a NERC CIP program with a six-month implementation time frame.
Strive oversaw the rebuild of existing networks and the implementation of all cybersecurity controls required by NERC CIP to meet compliance requirements.
With a regulatory deadline quickly approaching, the owner-operator of a portfolio of clean, efficient, and responsive power had a new NERC CIP compliance program in place which lacked maturity and wasn’t sure to pass inspection. Their uncertainty was compounded by an outdated network architecture that would not support the NERC CIP controls needed to be compliant. Further, they sorely lacked subject matter expertise in-house regarding NERC CIP compliance.
Strive was able to quickly and efficiently review all of our client’s NERC CIP policies and procedures to identify deficiencies and close compliance gaps. We then helped redesign, rebuild, and test their network while causing minimal impact to the production environment. The implementation featured multiple security, compliance and reporting systems needed to meet NERC CIP objectives, including EAP, IDS, SIEM, and configuration management tools enabling checks to validate continuous compliance posture.
A physical security plan was implemented for protection of BES Cyber Systems, a cyber vulnerability assessment was conducted to identify risk, and a mitigation strategy was implemented. Finally, we rolled out a comprehensive NERC CIP strategy throughout the organization.
- Strive created a state-of-the-art, sustainable, NERC CIP-compliant production environment that also met security objectives.
- These well-thought-out policies and procedures not only met audit expectations, but resulted in an audit-validated NERC CIP compliance program.
Building A Custom Analytics Platform
The client needed to develop the next generation version of their flagship analytics product. They had endured two previous failed attempts and needed to successfully build and deploy the next generation product to meet the company’s business retention and business development goals.
Strive assessed the current state “legacy” product, and mobilized a team to address the architecture, development, and QA of the next generation product and successfully delivered an MVP version of the product on time with exceedingly positive feedback from both internal stakeholders and pilot customers.
Since the MVP release, the Strive delivery team has completed four subsequent product releases, iteratively delivering meaningful features to end users.
Data Quality Assessment, Strategy & Implementation
The client is an international pharmaceutical company that is consistently ranked in the top 30 of all biotech companies with $12B in revenue annually. They develop and market pharmaceuticals ranging from over the counter to cancer treatment and interact with a multitude of health care providers and standalone clinics.
Strive’s primary objectives for engaging with the client were to:
- Strive performed a strategic assessment that focused on understanding the purpose of the manual data validations and gaps present within their existing data management platform.
- As part of this approach, Strive conducted a half-day workshop bringing together the business & IT organizations to highlight the purpose of the validations so that sustainable, automated solutions could be implemented further upstream.
As a result of this engagement, Strive provided greater transparency and awareness of data quality issues along with implementing the processes to identify and resolve future data-related challenges.
- Provided greater confidence in the data being used by their users in the field
- Automated various manual processes to increase the efficiency of the data delivery and reduce errors encountered by users
- Enabled business users with greater transparency into the data processing procedures to help build a better internal partnership amongst teams.
- Developed a process to monitor the ongoing progress of the Data Quality initiative and prioritize requests.
Cybersecurity Gap Analysis
A leading energy company wanted an independent assessment of their CIP-010-3 processes to assess and remediate any compliance gaps within their policies, procedures, and processes.
Requirements were to assess deficiencies within their change management, configuration monitoring, vulnerability assessment methodology, handling of Transient Cyber Assets and Removable Media processes, policies, and procedures.
The utility had questions about deficiencies in their CIP-010-3 processes. First, they wanted to focus on improving their primary requirement: managing their configuration processes. A secondary focus was on identifying deficiencies in their Annual Vulnerability Assessments (AVA). Finally, they wanted to review new ways for handling Transient Cyber Assets (TCA) and Removable Media.
Strive reviewed all NERC CIP policies and procedures concerned with CIP-010-3 with a deep dive into the plans focused on baselines and configuration change management. We provided detailed comments within procedures and recommendations on how to improve processes for baselining applicable systems and the handling of change management as an organization.
Strive Subject Matter Experts additionally reviewed the AVA process to ensure that the plans in place met requirements. We provided the client with recommendations on how to improve processes and present artifacts of evidence for easy review during an audit.
Our experts also reviewed new requirements and processes to address TCAs and RM and made recommendations to improve processes and presentation of evidence.
- Strive was able to identify key areas of the program that may have caused areas of concern during an audit.
- Our utility client was able to remediate areas of concern, thereby reducing their risk exposure of being found non-compliant.
- And, through the implementation of the outlined recommendations, the utility is fostering a better compliance and cybersecurity culture.
Sustainable NERC CIP Compliance Program
During preparation for a NERC CIP audit, deficiencies were identified within the compliance program of a West coast power generating utility.
The client faced a lack of resources and defined processes to adequately maintain compliance and was burdened with mitigation plans from ongoing open enforcement items.
Strive’s client, a West coast power generating owner operator, struggled with a lack of resources to enact the changes necessary to meet NERC CIP compliance goals, leaving them with multiple open enforcement items. Chief among their issues were deficiencies within policies and procedures that did not reflect actual processes. They also lacked the proper tools for monitoring and reporting functionality to assess compliance and security posture. They were also unable to stay current with NERC CIP standards, requirements, and pending effective enforcement dates.
Strive reviewed all NERC CIP policies and procedures to identify deficiencies and close compliance gaps. We also integrated new SIEM and configuration management tools to meet security objectives and ongoing compliance stance assessments. The client now has situational awareness of BES Cyber Systems and associated assets. Further, we partnered on the implementation of NERC CIP low impact facility policies and security controls (effective date, 1/1/20) as well as the implementation of a NERC CIP supply chain risk management program (effective date, 10/1/20).
We instituted a GRC platform integration for automation of manual processes and revamped their NERC CIP-008-6 incident response plan to meet new requirements (effective date, 1/1/21). Finally, we implemented a Transient Cyber Asset (TCA) and Removable Media (RM) program for low and medium impact BES systems.
- Over a three-and-a-half-year period, there was substantial growth in the maturity of the compliance program resulting in the client receiving zero possible violations during a 2020 audit.
- Additionally, this power system now has a comprehensive and sustainable NERC CIP compliance program.
MDM & Change Management Strategy Implementation
The client is an international insurance brokerage that employs more than 10,000 employees responsible for providing an array of insurance/wealth management products and services.
The client sought a strategic partner to address severe data issues and to restructure their MDM practices. The organization was unable to meet the reporting needs required to support their top 200 accounts. Additionally, client segmentation, retention, marketing, and organic growth efforts were stifled by the absence of reporting capabilities.
Strive’s primary objectives for engaging with the client were to provide:
- Data and Strategy Assessments – Conducted comprehensive data analysis, obtained feedback from stakeholders on various data usage challenges. Provided a strategy to improve the data quality and usage.
- Integrated Road Mapping and Planning – Developed four-phased, three-year improvement strategy road map, and conducted a competitive analysis of potential MDM tooling vendors.
- Change Management – Led cross-functional change management strategy to help manage organization, process, and role changes. Assisted in the MDM vendor selection and tooling implementation.
Strive successfully partnered with the client to conduct a data assessment and create a new data strategy for the organization.
Additional outcomes included:
- Deployed new MDM structure and governance process.
- Led change management efforts associated with introducing new MDM tooling and governance processes.
- Led MDM platform integration.
- Partnered with first project team post MDM platform integration to ensure compliance and understanding.
- Provided guidance for change champions and metrics for adoption measurement.
Product Lifecycle Management Process (PLMP)
The PLMP project was commissioned to create a better technology-based process to bring the client’s health products to market. The initial scope for the team was to configure and deploy health insurance products for the client in the Small Group and Retail portfolio. The team was selected to organize, configure and deploy insurance products using Pegasystems’ PCS (product composer system) tool. The ask behind Strive’s engagement was to instill solid leadership and direction to drive the program and project to completion, while managing several vendor teams.
Strive successfully engaged a team of 3 project & program managers to manage the various consulting firms involved in the program, provided leadership and guidance to the overall team, and successfully executed the delivery of PLMP.
The following improvements were delivered:
- Release Management Process
- Change Management Process
- Gap Analysis of current state progress and project goals
- Budget and Financial Analysis
- Transparent Communication to leadership
- Creation of end-to-end work plan
- Creation of PLMP Governance Model
- Brought 2017 QHP products to market for the client’s Small Group and Retail market segments.
- Stood up the product infrastructure tool – Pegasystems’ PCS – to decrease product deployment time to market by >30% compared to past years.
- Actively managed 5 vendors across various work streams in order to drive the above results.
- Established standardized processes and rigor that were used throughout the project and will continue to be used moving forward.
- Key Deliverables:
- Integrated Roadmap (cross-program, dependency driven)
- PMO Improvements (Governance Model, Resource/Financial Model, Change Management Process, Status Reporting)
Level-funded Product Implementation
- A national health insurance payer’s implementation of a level-funded product was complex and required delicate cross-functional engagement over three years to bring to market within an ever-changing Affordability of Care Act (ACA) landscape.
- Delivering new product capabilities and operational system enhancements was necessary to retain existing business and grow new accounts within their highly competitive small group / middle market segment.
- Facing challenges with implementation on legacy platforms and navigating many senior leaders across a transformational enterprise, the health insurance payer needed strong leadership within their project management office (PMO) to define a plan and manage stakeholder expectations.
Strive Consulting was hired to gain a handle on schedule, scope, costs, and manage the ebb and flow of delivery risks and issues, while helping the insurance payer’s PMO to elevate their respective peers, design and tailor templates, and implement organizational process improvements.
- Strive leveraged industry PMO best practices to compartmentalize multiple work streams and subprojects to enable the client to quickly see and drive a critical path leading up to the new product go-live (‘plan effective date’ in the insurance world).
- Seeing a gap in collaboration, Strive instituted an executive level steering committee meeting to effectively bring necessary decision points, escalate roadblocks, and bring awareness for both tactical and strategic management decisions to reduce project delivery disturbances.
- Having such high visibility and expanse across the enterprise, the program became a model example for various financial forecasting exercises, cost/benefit analysis decisions, critical path management, and executive level status reporting to be leveraged with other PMO leaders across the department.
Change Management Strategy Assessment
The client is a large financial services provider that uses unique data, innovative analytics, technology, and industry expertise to power organizations around the world by transforming knowledge into insights that help make more informed business and personal decisions. The client has offices in 24 countries and over 10,400 employees worldwide.
The client sought a strategic partner to conduct an organizational strategy assessment and to provide expertise in change and risk management related to a platform and process transformation program.
Strive’s primary objectives for engaging with the client were to provide:
- IT/Organizational Assessment – Conducted stakeholder interviews, reviewed existing processes/materials and discovery activities. Developed report of key findings. Produced recommendations for long-term and quick win opportunities for process and IT improvements.
- Capability Recommendations – Defined recommended organizational structure to support business process changes, identified staffing gaps leading to lag in digital efforts, recommended value assessment of legacy features, and introduced a Knowledge Transfer system.
Strive presented a current state finding report that challenged long-held assumptions of overengineering by IT, and also surfaced the need for an Organizational Change work stream to support the transformation efforts within business/planning.
Additional deliverables included:
- Produced business value matrix
- Produced integrated road map with recommended sequencing
- Defined recommended organizational structure to support change implementation
- Identified staffing gaps leading to lag in digital efforts
- Recommended value assessment of legacy features
- Introduction of Knowledge Transfer system
Data Quality Assessment & Implementation
The client was looking for a partner to deliver actionable solutions in automating the manual data quality checks that are occurring today within internal downstream systems. Data quality is of the utmost concern for the client and without these identified automated processes in place, data quality issues could make it to their customers.
Strive performed a strategic assessment that focused on understanding the purpose of the manual data validations and gaps present within their existing data management platform.
As part of this approach, Strive conducted a half-day workshop bringing together the business & IT organizations to highlight the purpose of the validations, so that sustainable, automated solutions could be implemented further upstream.
As a result of this engagement, Strive provided greater transparency and awareness of data quality issues along with implementing the processes to identify and resolve future data-related challenges.