Mr. Lafferty is a Principal with the Advisory practice of KPMG LLP. Mr. Lafferty has 24 years of experience with technology environments including the security of corporate networks, Smart Grid and AMI networks, SCADA and PCN networks, computer operations, software evaluations, system development, and NERC CIP risk assessments and compliance audits.
Professional and Industry Experience
Smart Grid / AMI Assessment
Directed a security review of the communication and data flow from the Home meter, across communication networks to the Meter Data Management system.
We have provided clients detailed risk and vulnerability assessments with gap analysis reports, observations and recommendations to mitigate technology risks and improve the security posture.
Directed detailed security audits of SCADA equipment for a regional utility.
This included addressing areas such as policies & procedures, user administration, logical and physical security, and operations.
NERC Critical Infrastructure Protection Assessments
Directed Critical Infrastructure Protection readiness assessments and reviews. In the areas of Transmission and Generation Owners/Operators, we assessed the appropriateness of the approach, progress, and posture of the project in place to address government regulations NERC V3 and V5.
Provided key insight on several NERC CIP projects focused specifically on interpretation of existing requirements and the most recent guidance from NERC regarding CIP-009. This included performing gap analyses on existing client methodologies versus the suggested guidance.
IT Controls and Audit
Directed numerous risk-based Information System audits on computer systems and application user departments to detect operational, system, or application control weaknesses. Directed multiple Financial systems Pre & Post Implementation control and business integration reviews of the Sales & Distribution, Purchasing, General Ledger, Cash Management and Financial Reporting business cycles.
Directed the ERP audit work programs, supervised day-to-day tasks and monitored the progress towards project milestones. ERP systems include SAP, Oracle Financials, PeopleSoft, HFM, Hyperion Enterprise, JD Edwards, Lawson, plus ETRM and GRC software.
Directed numerous risk-based Information Protection reviews of Corporate and PCN / DCS computer systems. Security Maturity Model Assessments aligned Company Board and Audit Committee expectations. Utilizing principles and standards from NIST 800, SANS 20 Critical Controls, Department of Homeland Security C2M2, NERC CIP, COSO, COBiT, and Forrester…