The value of a CMDB for a successful GRC program

Managing risk through enhanced insight for regulated industries

Prasanna Govindankutty

Principal, Advisory, Cyber Security Services, KPMG US

+1 212-954-2737

Jason Blick

Director, Advisory, Cyber Security Services, KPMG US

+1 312-665-5412

Highly regulated industries such as power and utilities must manage a diverse set of information technology (IT) and operational technology (OT) cyber assets. As organizations pursue digital transformation, automated asset management with direct intersections to governance, risk, and compliance (GRC) capabilities across processes and technology is required to manage compliance, mitigate risk, and stay cost-effective. Affected organizations must seek innovative ways to govern these cyber assets.

A phased and systematic approach to collecting and centralizing asset information is the first step toward identifying, mitigating, and reporting on the cyber risk of the assets that deliver services to the enterprise.

Because of compliance initiatives such as NERC CIP, power and utility entities must identify the bulk electric system (BES) elements in transmission control centers, transmission substations, and generation stations, and must maintain a list of the corresponding BES cyber assets (BCAs) and associated protected cyber assets (PCAs). This exercise places a heavy burden on compliance teams, which must maintain, document, and demonstrate the known state of BCAs and PCAs, collectively known as bulk cyber systems.

Additionally, IT/OT assets within the power and utility sector are an ever-changing landscape due to many factors, including:

  • Sales and acquisition of new assets
  • Renewable energy
  • Smart grid technology
  • Transformation of back office information systems
  • Centralization of business operations
  • Modernization of fleet assets

The end result is typically infrastructure sprawl, a lack of required insight, lost data linkages, and ineffective GRC processes. It is impossible to accurately manage risk and ensure compliance if the underlying cyber assets are unknown or are constantly shifting without proper oversight and governance.

Read our paper to learn more about the importance of establishing a robust CMDB that will serve as a foundation for GRC programs and implementations.