METROPOLITAN EDISON COMPANY - Pennsylvania Public Utility ...

More documents

Recommendations

Info

Companies, the working inventory turnover rates at December 31, 2009 appear to bereasonable. As shown in Exhibit IX-3, the combined total inventory reduction for theFE-PA Companies was approximately $7.4 million (i.e., $1,839,000 for Met-Ed,$5,409,000 for Penelec, and $130,000 for Penn Power) from 2006 to 2009. Assuming aconservative average annual carrying cost of approximately 10%, the FE-PACompanies combined inventory reduction from 2006 to 2009 has resulted in anassociated reduction in annual inventory carrying costs of approximately $738,000 (i.e.,$184,000 for Met-Ed, $541,000 for Penelec, and $13,000 for Penn Power).Staff’s Follow-up Recommendation – None.Prior Recommendation – FirstEnergy should develop and implement formal accesscontrol procedures that include a formal consolidated Access Authorization Form.Security and access control review should include an examination and verification of theinitial access authorized for selected users.Prior Situation – BWG concluded that FirstEnergy’s access control processes andprocedures were not adequate. FirstEnergy did not have a formal process or a formalAccess Authorization Form to administer the critical function of access control over theirapproximately 40 applications. Virtual Private Network (VPN) and Network AccessAgreements had been developed to address these areas but there were other criticalsystems and applications such as software from SAP that were without a formalprocess for documenting access. Moreover, FirstEnergy had not deployed anautomated tool for security monitoring and analysis of access control within itsInformation Technology (IT) enterprise. FirstEnergy’s IT Department was performingsecurity analysis manually.Follow-up Finding and Conclusion No. IX-2 – FirstEnergy has developed andimplemented formal access control procedures which include an examinationand verification of the initial access authorized for selected users.FirstEnergy uses Active Directory (AD) to enforce access control policies onemployees that use IT infrastructure. AD was initially implemented in August 2001. ADis comprised of user and service accounts, machine accounts, printers and securitygroups. Beginning in early 2009, to acquire access for a user, a request must besubmitted to the IT service desk which creates a ticket for the Central SecurityAdministration (CSA) group who in turn create a user account in AD. The entireprovisioning process is documented within FirstEnergy’s Lotus Notes system and isupdated when a change to the process occurs. The CSA group requires the SAPidentification and application owners’ approval before they can grant user access.Beginning in 2008, critical and sensitive systems and critical applications, suchas SAP, had a formal process for documenting access which is documented andavailable for periodic reviews for internal and external auditors. Access controlprocedures are crucial when dealing with IT applications, especially those ascomprehensive as SAP. Also, in 2008, security monitoring and analysis of such access- 58 -
controls were automated. Moreover, annual security analysis is performed to reviewprocesses for documenting access from initial user access to account termination andall changes in between.Critical Infrastructure Protection (CIP) reviews are performed on a quarterly basisand CIP Access Request Database (CARD) reviews are performed annually. TheCARD reviews include asset approver identification and verification, granting andrevoking access, and regular review of asset procedures which are performed manually.In order to automate the CARD review process, FirstEnergy is committed toimplementing Agiliance RiskVision (RiskVision) in January 2011 with configuration,testing and preparations to be performed prior to that date. RiskVision is an enterpriseGovernance, Risk and Compliance (GRC) software package that will be utilized forcompliance purposes for FirstEnergy’s CIP program. RiskVision can monitor CIPcompliance status of assets, automate periodic review requirements, and report on thecompliance status of the business units.Staff’s Follow-up Recommendation – None.Prior Recommendation – FirstEnergy should improve its security awareness andtraining programs to include computer based training (CBT) or other mandatory formalclassroom training for IT and departmental personnel. A refresher course should beconducted annually.Prior Situation – Of the 654 IT Department employees, approximately 269 employees,or less than 50% of the IT staff, completed training activities/courses/conferences in2005. FirstEnergy was conducting security awareness training every two years in theform of posters, broadcast e-mails, and newsletters. However, FirstEnergy was notregularly conducting any formal classroom or CBT security awareness training, exceptfor small groups of IT personnel.Follow-up Finding and Conclusion No. IX-3 – FirstEnergy has implemented aprogram to educate its employees regarding IT security issues via computerbased training, but is not ensuring that employees complete this trainingannually.In 2007, FirstEnergy partnered with a consultant, Global Learning Systems, toimplement CBT. CBT was implemented in June 2007 and cost FirstEnergyapproximately $80,000 to implement across all of its subsidiaries. FirstEnergy uses asoftware application called the “Learning Management Solution” to administer,document, track and report on the CBT program, including:• Number of employees that took the test• Number of employees that completed the test• Completion percentage, etc.- 59 -
Page 5:
METROPOLITAN EDISON COMPANYPENNSYLV
Page 8 and 9:
• Support Services• Human Resou
Page 10 and 11:
• Developed and implemented forma
Page 12 and 13:
FIRSTENERGY PENNSYLVANIA COMPANIESM
Page 14 and 15: FIRSTENERGY PENNSYLVANIA COMPANIESM
Page 24 and 25: III. AFFILIATE INTERESTSBackground
Page 26 and 27: In addition, subsidiary or related
Page 28 and 29: BWG recommended that a detailed, wr
Page 30 and 31: management. Other potential uses of
Page 32 and 33: IV. CORPORATE GOVERNANCEBackground
Page 34 and 35: V. FINANCIAL MANAGEMENTBackground -
Page 36 and 37: the internal audit was to determine
Page 38 and 39: Committee citing the internal contr
Page 40 and 41: VI. ELECTRIC RELIABILITYBackground
Page 42: Exhibit VI-1Metropolitan Edison Com
Page 45 and 46: provide additional details to the C
Page 47 and 48: Exhibit VI-6FirstEnergy Pennsylvani
Page 49 and 50: All three FE-PA Companies have had
Page 51 and 52: FirstEnergy is following the right
Page 53 and 54: Company, and The Toledo Edison Comp
Page 55 and 56: technicians. These strategies are u
Page 57 and 58: VIII. EMERGENCY PREPAREDNESSBackgro
Page 59 and 60: Routine periodic updating of the em
Page 61 and 62: Follow-up Finding and Conclusion No
Page 63: old excess inventory. Spare invento
Page 67 and 68: Exhibit IX-6FE-PA CompaniesPercenta
Page 69 and 70: FE-PA Companies were unable to iden
Page 71 and 72: Staff’s Follow-up Recommendation
Page 73 and 74: Exhibit X-6Metropolitan Edison Comp
Page 75 and 76: Prior Recommendation - Develop a co
Page 77 and 78: Therefore, BWG suggested that First
Page 79 and 80: XI. CUSTOMER SERVICEBackground - Th
Page 81 and 82: Exhibit XI-2FE-PA CompaniesPercenta
Page 83 and 84: Exhibit XI-5FE-PA Companies Compare
Page 85 and 86: Exhibit XI-7FE-PA Companies Compare
Page 87 and 88: Follow-up Finding and Conclusion No
Page 89 and 90: uilding, in an effort to protect re
Page 91 and 92: Companies would submit a supplement
Page 93 and 94: 3. The "four-fifths" rule (underuti
Page 95 and 96: Met-Ed has female underutilization
Page 97 and 98: Exhibit XII-4Page 1 of 2FirstEnergy
Page 99 and 100: The number of years that FirstEnerg
Page 101 and 102: FE-PA Companies do track purchases
show all

METROPOLITAN EDISON COMPANY - Pennsylvania Public Utility ...

Create successful ePaper yourself

Delete template?

Save as template?