Bryan Carr PMP, CISA Compliance Auditor Cyber Security. Audit Evidence & Attachment G CIP 101 Salt Lake City, UT September 25, 2013

Size: px

Start display at page:

Download "Bryan Carr PMP, CISA Compliance Auditor Cyber Security. Audit Evidence & Attachment G CIP 101 Salt Lake City, UT September 25, 2013"

Cornelius Wheeler
5 years ago
Views:

1 Bryan Carr PMP, CISA Compliance Auditor Cyber Security Audit Evidence & Attachment G CIP 101 Salt Lake City, UT September 25, 2013

2 About Me Joined WECC in August 2012 Before WECC CIP Compliance Program Manager at PacifiCorp Prior years experience in project and program management 2

3 Topics for Today -Audit Period -Data Retention -Evidence & Other Documentation -Attachment G 3

4 A.C.R.O.N.Y.M.S. BES: Bulk Electric System ROP: NERC Rules of Procedure CMEP: Compliance Monitoring and Enforcement Program RSAW: Reliability Standard Audit Worksheet DR: Data Request 4

5 Metaphorically Speaking An audit is like an onion o It stinks o Makes some people cry o Involves peeling back layers of evidence o An important ingredient in the stew of reliability o When prepared properly, it adds flavor o Improves the overall health of the BES 5

6 Audit Cycle & Audit Period 3 year audit cycle - BA, TOP, RC 6 year audit cycle - all other registrations 3 year audit may include 6 year functions Audit Period (monitoring period): o Specified in Notice of Audit (90 day notice) Starts day after completion of last audit Ends on date of Notice of Audit (90 day notice) o May be affected by self-report, self-certification, other enforcement activities 6

7 Data Retention Section D Compliance Subsection 1.4 Data Retention of each CIP Standard states: The Responsible Entity shall keep documentation required by Standard CIP-00X-3 from the previous full calendar year unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation. 7

8 Audit Period vs. Data Retention 8 CMEP Section Period Covered The Registered Entity s data and information must show compliance with the Reliability Standards that are the subject of the Compliance Audit for the entire period covered by the Compliance Audit The Registered Entity will be expected to demonstrate compliance for the entire period described above. If a Reliability Standard specifies a document retention period that does not cover the entire period described above, the Registered Entity will not be found in noncompliance solely on the basis of the lack of specific information that has rightfully not been retained based on the retention period specified in the Reliability Standard. However, in such cases, the Compliance Enforcement Authority will require the Registered Entity to demonstrate compliance through other means.

9 Other Means? Demonstrate compliance through other means o Must be as sufficient and appropriate as the actual evidence that would have otherwise been provided. Strongly recommend maintaining actual evidence for the entire audit period Specific timeframes called out in Requirements are still valid (e.g. 90 days, 3 months, etc.) 9

10 The CMEP is which Appendix to the NERC Rules of Procedure? 4C 10

11 Audit Documentation & Evidence FAQ: What examples can you give us for the best compliance documentation or evidence? o Revision history/table w/sufficient detail o Purpose statement (context) o Tie content back to Requirement(s) o Approvals & reviews (where applicable) o Definitions of uncommon or undefined terms o Less concerned about layout, look & feel o Provide additional context/explanation in RSAW 11

12 Documentation & Evidence Pointers Don t o Rename documents to fit different Standards & Requirements o Extract approval page(s) from original documents and provide as separate document Do o Remember Auditor Speak vs. Entity Speak o Provide context for exports, reports, spreadsheets o Create searchable PDFs, use Acrobat Portfolio o Encrypt all evidence prior to submittal 12

13 Attachment G 13 Completely revised for 2014 A guide to help you prepare, organize, and submit evidence prior to audit Tailored to the scope of your audit Does not preclude additional Data Requests Generally follows language of each Requirement Does contain a few detailed and specific requests Due 30 days prior to audit

14 14 Attachment G Snapshots

15 15 Attachment G Snapshots

16 16 Attachment G Snapshots

17 17 Attachment G Snapshots

18 18 Attachment G Snapshots

19 19 Attachment G Snapshots

20 The Northeast blackout occurred on what date? August 14,

21 Attachment G Recap Attachment G is only a guide Provide sufficient and appropriate evidence to demonstrate compliance If evidence is missing or incomplete, auditors will send additional Data Requests For complicated documents or organizational structures, use RSAW to tell the story 21

22 At Your Service Just a phone call away Always willing to provide our audit approach 22

23 Questions? Bryan Carr, PMP, CISA Compliance Auditor, Cyber Security Western Electricity Coordinating Council 155 North 400 West, Suite 200 Salt Lake City, UT (801)

Compliance: Evidence Requests for Low Impact Requirements

MIDWEST RELIABILITY ORGANIZATION Compliance: Evidence Requests for Low Impact Requirements Jess Syring, CIP Compliance Engineer MRO CIP Low Impact Workshop March 1, 2017 Improving RELIABILITY and mitigating