Bryan Carr, PMP, CISA
Compliance Auditor – Cyber Security
Audit Evidence & Attachment G
CIP 101 – Salt Lake City, UT
September 25, 2013
About Me
• Joined WECC in August 2012
• Before WECC – CIP Compliance Program Manager at PacifiCorp
• Prior years' experience in project and program management
Topics for Today
- Audit Period
- Data Retention
- Evidence & Other Documentation
- Attachment G
A.C.R.O.N.Y.M.S.
BES: Bulk Electric System
ROP: NERC Rules of Procedure
CMEP: Compliance Monitoring and Enforcement Program
RSAW: Reliability Standard Audit Worksheet
DR: Data Request
Metaphorically Speaking
An audit is like an onion…
o It stinks
o Makes some people cry
o Involves peeling back layers of evidence
o An important ingredient in the stew of reliability
o When prepared properly, it adds flavor
o Improves the overall health of the BES
Audit Cycle & Audit Period
• 3 year audit cycle - BA, TOP, RC
• 6 year audit cycle - all other registrations
• 3 year audit may include 6 year functions
• Audit Period (monitoring period):
  o Specified in Notice of Audit (90 day notice)
    § Starts day after completion of last audit
    § Ends on date of Notice of Audit (90 day notice)
  o May be affected by self-report, self-certification, other enforcement activities
Data Retention
Section D Compliance – Subsection 1.4 Data Retention of each CIP Standard states:
“The Responsible Entity shall keep documentation required by Standard CIP-00X-3 from the previous full calendar year unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.”
Audit Period vs. Data Retention
CMEP Section 3.1.4.2 Period Covered:
“The Registered Entity’s data and information must show compliance with the Reliability Standards that are the subject of the Compliance Audit for the entire period covered by the Compliance Audit… The Registered Entity will be expected to demonstrate compliance for the entire period described above. If a Reliability Standard specifies a document retention period that does not cover the entire period described above, the Registered Entity will not be found in noncompliance solely on the basis of the lack of specific information that has rightfully not been retained based on the retention period specified in the Reliability Standard. However, in such cases, the Compliance Enforcement Authority will require the Registered Entity to demonstrate compliance through other means.”
Other Means?
• Demonstrate compliance through other means
  o Must be as sufficient and appropriate as the actual evidence that would have otherwise been provided.
• Strongly recommend maintaining actual evidence for the entire audit period
• Specific timeframes called out in Requirements are still valid (e.g. 90 days, 3 months, etc.)
The CMEP is which Appendix to the NERC Rules of Procedure?
4C
Audit Documentation & Evidence
• FAQ: “What examples can you give us for the best compliance documentation or evidence?”
  o Revision history/table w/ sufficient detail
  o Purpose statement (context)
  o Tie content back to Requirement(s)
  o Approvals & reviews (where applicable)
  o Definitions of uncommon or undefined terms
  o Less concerned about layout, look & feel
  o Provide additional context/explanation in RSAW
Documentation & Evidence Pointers
• Don’t
  o Rename documents to fit different Standards & Requirements
  o Extract approval page(s) from original documents and provide as separate document
• Do
  o Remember Auditor Speak vs. Entity Speak
  o Provide context for exports, reports, spreadsheets
  o Create searchable PDFs, use Acrobat Portfolio
  o Encrypt all evidence prior to submittal
Attachment G
• Completely revised for 2014
• A guide to help you prepare, organize, and submit evidence prior to audit
• Tailored to the scope of your audit
• Does not preclude additional Data Requests
• Generally follows language of each Requirement
• Does contain a few detailed and specific requests
• Due 30 days prior to audit
Attachment G Snapshots (six screenshot slides; images not reproduced)
The Northeast blackout occurred on what date?
August 14, 2003
Attachment G Recap
• Attachment G is only a guide
• Provide sufficient and appropriate evidence to demonstrate compliance
• If evidence is missing or incomplete, auditors will send additional Data Requests
• For complicated documents or organizational structures, use RSAW to tell the story
At Your Service
• Just a phone call away
• Always willing to provide our “audit approach”

Questions?
Bryan Carr, PMP, CISA
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 819-7691
[email protected]