How To Prepare For A CIP Audit
Scott Barker, CISSP, CISA
CIP Compliance Workshop, Baltimore, MD, August 19-20, 2009
CIP Audit Goals & Objectives
Thoroughly comply with the requirements of the cyber security standards & enhance the protection of the bulk electric system
Be “prepared” to successfully pass a CIP audit with no audit findings and no financial penalties
1. Establish a “Culture of Compliance” in your company
2. Be aware of the CIP auditor’s operations activities
3. Know how to interact with auditors
4. Consider software to automate compliance
5. Conduct pre-audit walk-thru exercises
Exhibit and instill a “Culture of Compliance”
• Establish a strong regulatory compliance program that is supported by the CEO and the Senior Leaders
• A regulatory compliance program should have direct reports to the CEO or even the Board of Directors
• Compliance should be a part of employees’ goals & objectives
The mission of an internal regulatory compliance program is to:
Ensure that adequate resources are dedicated to compliance with NERC reliability standards
Monitor regulatory compliance through the internal Working Groups
Review and approve policies that give direction and oversight to the Working Groups
XYZ Compliance Structure
Be Aware of NERC Compliance Monitoring Methods
Periodic reporting
Self-Certifications
Exception reporting
Compliance Violation Investigations
Random spot checks or audits
Compliance Audits (On Site and Off Site)
Self Reporting
Be Aware of Your Audit Cycles
Mandatory audits every 3 years for TOs & TOPs
Mandatory audits every 6 years for GOs & GOPs
Cyber Security audits will be separate from Reliability Compliance audits but will follow the same cycle
Be Aware of Violation Statistics
Interaction With CIP Auditors
All initial contacts with CIP auditors should be coordinated with the Administrator of CIP Compliance
Request sufficient advanced notification to ensure:
• Proper persons are on hand
• Relevant records are gathered together in a timely manner
• The audit is scheduled to minimize disruption
Administrator of CIP Compliance
Keep the audit focused & facilitate the audit
Keep in constant communication with the CIP auditor
Resolve audit issues as soon as they are identified
Keep all parties informed on the progress of the audit
Accompany staff members during interviews when deemed appropriate
Entrance Conference
Demonstrate a positive attitude
Clarify the audit objective and scope (areas to be tested and period covered by the audit)
Understand the audit process
Understand the reporting process and determine who will receive audit reports
Determine space requirements
Know contacts in the CIP auditor's office
Consider giving the auditor a tour of your facilities
Interaction With CIP Auditors During the Audit
All requests for specific information or interviews should be coordinated through the Administrator of CIP Compliance
The CIP auditor should keep the Administrator of CIP Compliance informed of any mistakes, discrepancies, or audit questions or concerns that arise during the audit process
The purpose of such contact is to expedite the audit and to provide additional information or clarify any questions
CIP Records
• Provide access in a timely manner
• Make copies of documents as necessary, do not permit the original documents out of the office
• Do not provide records that are not relevant
• If a request seems unnecessary, ask the CIP auditor for the purpose of reviewing the document. Recommend alternatives that would achieve the same purpose
• Communicate the reasons for any significant delays in providing records
• Maintain a list of records provided to the auditor. Ensure all records are returned at the completion of audit fieldwork
Exit Conference
The purpose of the exit conference is to inform CIP representatives of the audit findings
At this time, any misunderstandings are clarified
Minutes of the exit conference should be taken and made available to the CIP auditors and appropriate internal regulatory compliance representatives
Useful Preparation Tips
Compliance Software
• AssurX – CATSWeb
• Symantec – Control Compliance Suite
Pre-Audits / Mock Audits
• Use Reliability Standards Audit Worksheets (RSAWs) as guidance documents
• Internal auditors
• External auditors (DYONYX, KEMA, etc.)
Attend regional meetings & workshops
Do’s
Be honest and open
Understand the purpose of each meeting and review related records prior to interviews
Listen carefully and understand each question before answering. Be sure responses are complete and accurate
Respond only to the question asked—keep answers simple and direct
Weigh answers carefully, being certain you have the facts to back them up
Limit comments to areas where you have "first hand" knowledge
Don’ts
Do not speculate or answer hypothetical questions
Do not agree or disagree with opinions
Do not "ramble" or provide irrelevant information (office gossip)
Do not get offended by WHY questions
Questions?
Contact Information
Scott Barker
CISSP, CISA
Manager, Information Planning & Security
Indianapolis Power & Light Company
(317) 261-8280