Page 1: Title
Bryan Carr PMP, CISA
Compliance Auditor – Cyber Security

Audit Evidence & Attachment G
CIP 101 – Salt Lake City, UT
September 25, 2013

Page 2: About Me
• Joined WECC in August 2012
• Before WECC – CIP Compliance Program Manager at PacifiCorp
• Prior years' experience in project and program management

Page 3: Topics for Today
- Audit Period
- Data Retention
- Evidence & Other Documentation
- Attachment G

Page 4: A.C.R.O.N.Y.M.S.
BES: Bulk Electric System
ROP: NERC Rules of Procedure
CMEP: Compliance Monitoring and Enforcement Program
RSAW: Reliability Standard Audit Worksheet
DR: Data Request

Page 5: Metaphorically Speaking
An audit is like an onion…
o It stinks
o Makes some people cry
o Involves peeling back layers of evidence
o An important ingredient in the stew of reliability
o When prepared properly, it adds flavor
o Improves the overall health of the BES

Page 6: Audit Cycle & Audit Period
• 3 year audit cycle - BA, TOP, RC
• 6 year audit cycle - all other registrations
• 3 year audit may include 6 year functions
• Audit Period (monitoring period):
  o Specified in Notice of Audit (90 day notice)
    § Starts day after completion of last audit
    § Ends on date of Notice of Audit (90 day notice)
  o May be affected by self-report, self-certification, other enforcement activities

Page 7: Data Retention
Section D Compliance – Subsection 1.4 Data Retention of each CIP Standard states:

“The Responsible Entity shall keep documentation required by Standard CIP-00X-3 from the previous full calendar year unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.”

Page 8: Audit Period vs. Data Retention
CMEP Section 3.1.4.2 Period Covered:

“The Registered Entity’s data and information must show compliance with the Reliability Standards that are the subject of the Compliance Audit for the entire period covered by the Compliance Audit…The Registered Entity will be expected to demonstrate compliance for the entire period described above. If a Reliability Standard specifies a document retention period that does not cover the entire period described above, the Registered Entity will not be found in noncompliance solely on the basis of the lack of specific information that has rightfully not been retained based on the retention period specified in the Reliability Standard. However, in such cases, the Compliance Enforcement Authority will require the Registered Entity to demonstrate compliance through other means.”

Page 9: Other Means?
• Demonstrate compliance through other means
  o Must be as sufficient and appropriate as the actual evidence that would have otherwise been provided.
• Strongly recommend maintaining actual evidence for the entire audit period
• Specific timeframes called out in Requirements are still valid (e.g. 90 days, 3 months, etc.)

Page 10:
The CMEP is which Appendix to the NERC Rules of Procedure?
Answer: 4C

Page 11: Audit Documentation & Evidence
• FAQ: “What examples can you give us for the best compliance documentation or evidence?”
  o Revision history/table w/ sufficient detail
  o Purpose statement (context)
  o Tie content back to Requirement(s)
  o Approvals & reviews (where applicable)
  o Definitions of uncommon or undefined terms
  o Less concerned about layout, look & feel
  o Provide additional context/explanation in RSAW

Page 12: Documentation & Evidence Pointers
• Don’t
  o Rename documents to fit different Standards & Requirements
  o Extract approval page(s) from original documents and provide as separate document
• Do
  o Remember Auditor Speak vs. Entity Speak
  o Provide context for exports, reports, spreadsheets
  o Create searchable PDFs, use Acrobat Portfolio
  o Encrypt all evidence prior to submittal

Page 13: Attachment G
• Completely revised for 2014
• A guide to help you prepare, organize, and submit evidence prior to audit
• Tailored to the scope of your audit
• Does not preclude additional Data Requests
• Generally follows language of each Requirement
• Does contain a few detailed and specific requests
• Due 30 days prior to audit

Pages 14–19: Attachment G Snapshots (six screenshot slides; the images are not part of the extracted text)

Page 20:
The Northeast blackout occurred on what date?
Answer: August 14, 2003

Page 21: Attachment G Recap
• Attachment G is only a guide
• Provide sufficient and appropriate evidence to demonstrate compliance
• If evidence is missing or incomplete, auditors will send additional Data Requests
• For complicated documents or organizational structures, use RSAW to tell the story

Page 22: At Your Service
• Just a phone call away
• Always willing to provide our “audit approach”

Page 23: Questions?
Bryan Carr, PMP, CISA
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 819-7691
[email protected]