How To Prepare For A CIP Audit

Scott Barker, CISSP, CISA
CIP Compliance Workshop, Baltimore, MD, August 19-20, 2009

CIP Audit Goals & Objectives

Thoroughly comply with the requirements of the cyber security standards & enhance the protection of the bulk electric system

Be “prepared” to successfully pass a CIP audit with no audit findings and no financial penalties

1. Establish a “Culture of Compliance” in your company
2. Be aware of the CIP auditor’s operations activities
3. Know how to interact with auditors
4. Consider software to automate compliance
5. Conduct pre-audit walk-thru exercises


Exhibit and instill a “Culture of Compliance”


• Establish a strong regulatory compliance program that is supported by the CEO and the Senior Leaders

• A regulatory compliance program should have direct reports to the CEO or even the Board of Directors

• Compliance should be a part of employees’ goals & objectives


The mission of an internal regulatory compliance program is to:

Ensure that adequate resources are dedicated to compliance with NERC reliability standards

Monitor regulatory compliance through the internal Working Groups

Review and approve policies that give direction and oversight to the Working Groups


XYZ Compliance Structure


Be Aware of NERC Compliance Monitoring Methods

Periodic reporting

Self-Certifications

Exception reporting

Compliance Violation Investigations

Random spot checks or audits

Compliance Audits (On Site and Off Site)

Self Reporting


Be Aware of Your Audit Cycles

Mandatory audits every 3 years for Transmission Owners (TOs) & Transmission Operators (TOPs)

Mandatory audits every 6 years for Generator Owners (GOs) & Generator Operators (GOPs)

Cyber Security audits will be separate from Reliability Compliance audits but will follow the same cycle


Be Aware of Violation Statistics


Interaction With CIP Auditors

All initial contacts with CIP auditors should be coordinated with the Administrator of CIP Compliance

Request sufficient advance notification to ensure:

• Proper persons are on hand

• Relevant records are gathered together in a timely manner

• The audit is scheduled to minimize disruption


Administrator of CIP Compliance

Keep the audit focused & facilitate the audit

Keep in constant communication with the CIP auditor

Resolve audit issues as soon as they are identified

Keep all parties informed on the progress of the audit

Accompany staff members during interviews when deemed appropriate


Entrance Conference

Demonstrate a positive attitude

Clarify the audit objective and scope (areas to be tested and period covered by the audit)

Understand the audit process

Understand the reporting process and determine who will receive audit reports

Determine space requirements

Know contacts in the CIP auditor's office

Consider giving the auditor a tour of your facilities


Interaction With CIP Auditors During the Audit

All requests for specific information or interviews should be coordinated through the Administrator of CIP Compliance

The CIP auditor should keep the Administrator of CIP Compliance informed of any mistakes, discrepancies, or audit questions or concerns that arise during the audit process

The purpose of such contact is to expedite the audit and to provide additional information or clarify any questions


CIP Records

• Provide access in a timely manner

• Make copies of documents as necessary; do not permit the original documents out of the office

• Do not provide records that are not relevant

• If a request seems unnecessary, ask the CIP auditor for the purpose of reviewing the document. Recommend alternatives that would achieve the same purpose

• Communicate the reasons for any significant delays in providing records

• Maintain a list of records provided to the auditor. Ensure all records are returned at the completion of audit fieldwork


Exit Conference

The purpose of the exit conference is to inform CIP representatives of the audit findings

At this time, any misunderstandings are clarified

Minutes of the exit conference should be taken and made available to the CIP auditors and appropriate internal regulatory compliance representatives


Useful Preparation Tips

Compliance Software

• AssurX – CATSWeb

• Symantec – Control Compliance Suite

Pre-Audits / Mock Audits

• Use Reliability Standards Audit Worksheets (RSAWs) as guidance documents

• Internal Auditors

• External Auditors (DYONYX, KEMA, etc.)

Attend regional meeting & workshops


Do’s

Be honest and open

Understand the purpose of each meeting and review related records prior to interviews

Listen carefully and understand each question before answering. Be sure responses are complete and accurate

Respond only to the question asked—keep answers simple and direct

Weigh answers carefully, being certain you have the facts to back them up

Limit comments to areas where you have "first hand" knowledge


Don’ts

Do not speculate or answer hypothetical questions

Do not agree or disagree with opinions

Do not "ramble" or provide irrelevant information (office gossip)

Do not get offended by WHY questions

Questions?

Contact Information

Scott Barker

CISSP, CISA

Manager, Information Planning & Security

Indianapolis Power & Light Company

(317) 261-8280

[email protected]
