CIP 43 ReliabilityFirst Audit Observations
ReliabilityFirst CIP Webinar
Thursday, September 30, 2010
Tony Purgar, Sr. Consultant - Compliance
Topics
• Background
• CIP 43 Audit Observations
• CIP 43 Next Steps
• Questions
Background
• ReliabilityFirst started conducting CIP 43 Audits in 2010
• A planned and coordinated approach is used to execute Pre-Audit, Onsite and Post-Audit activities
• ReliabilityFirst continuously evaluates auditing practices for improvements to help streamline the audit process for the auditors and the registered entity
Background
Scope:
• 2010: ReliabilityFirst is evaluating CIP compliance for the review period covering the previous full calendar year up through the end of audit date (based on Data Retention defined in the CIP Standards)
– 2010 audits cover 1/1/09 through end of audit
• 2011: ReliabilityFirst is evaluating CIP compliance for the review period of 10/1/10 through the end of audit date to coincide with the release of the CIP V3 standards.
– 2011 CMEP Implementation Plan and Actively Monitored List will define the “minimum list” of CIP requirements within scope.
Compliance is assessed against:
• CIP V1 standards from 1/1/09 to 3/31/10
• CIP V2 standards from 4/1/10 to 9/30/10
• CIP V3 standards from 10/1/10 on
Background
ReliabilityFirst is sharing the following observations for entity awareness in preparation for an upcoming CIP 43 Audit
CIP 43 Audit Observations
CIP 43 vs. CIP 13:
• 2 teams of 3 vs. 1 team of 3, including the Audit Team Lead (ATL)
– Each team focused on specific CIP Standards
• CIP 43 Onsite review started ½ day earlier (Monday @ 1:00 pm vs. Tuesday @ 8:30 am)
• CIP 43 requires 2-3 wks of coordinated, web based pre-audit reviews by the two audit teams
– CIP 13 usually required less with only one team
• Greater focus on final findings during pre-audit reviews
CIP 43 Audit Observations
Audit - completed in 1 wk onsite
• ½ days: Monday (pm) & Friday (am)
• 8-10 hr days: Tuesday through Thursday
• Based on onsite progress, additional time would have been scheduled to complete onsite objectives, if necessary
• While onsite, managing the hours spent auditing allowed for a daily recap and a fresh start the next day
CIP 43 Audit Observations
• Audit team and Entity’s Primary Compliance Contact worked closely to manage the agenda and SME coordination between both audit teams
– Entity SMEs split their time, as needed
• Effective and timely coordination within the team and with the entity allowed for meeting the schedule demands
CIP 43 Audit Observations
• Onsite data requests had an assigned due date prior to the pre-established deadline
– Due dates were agreed to by the entity and flexibility was granted where appropriate
CIP 43 Audit Observations
Evidence was voluminous but organized extremely well
Entity bookmarked all versions of policies, procedures, processes, programs and test results for entire audit review period
This resulted in efficient evidentiary reviews that supported the schedule demands
CIP 43 Audit Observations
• Daily status reports were issued to keep the entity and audit team abreast of the overall audit status
– The entity and audit team appreciated the value of the daily status report
• At the end of each day, the audit team met to discuss status, results, questionable interpretations, problem areas, expectations and plans for the next day
CIP 43 Audit Observations
The audit team used the following tools and techniques to supplement evidentiary reviews:
CIP-002:
• Entity presented its process for determining Critical Assets and Critical Cyber Assets per its risk based assessment methodology
• Examined the meaning of “essential to the operation” with regard to remote cyber access
• Examined other systems that access Critical Assets and how the risks of those systems are addressed
CIP 43 Audit Observations
CIP-003:
• Regionally developed “Cyber Security Policy” checklist was used to confirm the entity’s cyber security policy addressed all CIP-002 through CIP-009 requirements
CIP-004:
• Regionally developed “CIP-004” checklist was used to evaluate training, PRA and physical / electronic access records for a designated sample size.
– Supporting evidence for each date, activity and record was cross-checked against the checklist
CIP 43 Audit Observations
CIP-006:
• Conducted thorough walk-through of main control center, backup control center and IT data centers
• Checked drop ceilings, cages, raised floors, HVAC and maintenance penetrations
• Evaluated unauthorized access attempts (e.g., held door)
• Evaluated physical access controls (e.g., monitoring, logging, alarming, security personnel activities)
CIP 43 Audit Observations
CIP-005 & CIP-007:
• Strategic (haphazard) sampling was utilized
– The audit team selected four applications representing major processes and walked through entity procedures associated with each requirement
• Evaluated firewall rule-sets and compared physical ESP device connections (e.g., ports) against diagrams and documentation
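As an added example (not part of the ReliabilityFirst presentation), the following script performs the kind of rule-set-versus-documentation comparison the audit team made for CIP-005/CIP-007, so an entity can run it against its own ESP access points before the audit. The rule syntax, device addresses and documented services are constructed for illustration.

```python
"""Reconcile an ESP access point's permitted inbound services against the
entity's ports-and-services documentation (the CIP-005/CIP-007 comparison
described in the audit observations). All data below is constructed."""
from __future__ import annotations
import re

# Constructed rule-set for a hypothetical ESP firewall.
# Assumed rule format: "<permit|deny> <proto> <src> host <dst> eq <port>".
FIREWALL_RULES = """
permit tcp any host 10.10.1.5 eq 443
permit tcp 10.20.0.0/24 host 10.10.1.5 eq 22
permit udp any host 10.10.1.9 eq 161
permit tcp any host 10.10.1.5 eq 23
deny ip any any
"""

# Constructed ports-and-services documentation for the same ESP:
# (destination, protocol, port) -> documented business need.
DOCUMENTED_SERVICES = {
    ("10.10.1.5", "tcp", 443): "HMI web interface",
    ("10.10.1.5", "tcp", 22): "Admin SSH from EMS subnet",
    ("10.10.1.9", "udp", 161): "SNMP polling",
    ("10.10.1.9", "tcp", 514): "Syslog receiver",  # documented, but no rule below
}

RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)"
    r"\s+host\s+(?P<dst>\S+)\s+eq\s+(?P<port>\d+)$"
)

def parse_permits(rules: str) -> set[tuple[str, str, int]]:
    """Return the (dst, proto, port) tuples the rule-set explicitly permits."""
    permitted = set()
    for line in rules.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("action") == "permit":
            permitted.add((m.group("dst"), m.group("proto"), int(m.group("port"))))
    return permitted

def reconcile(rules: str, documented: dict) -> dict[str, set]:
    """Split the two sets into the gaps an auditor would ask about."""
    permitted = parse_permits(rules)
    return {
        # Open on the device but absent from documentation: undocumented service.
        "undocumented_open": permitted - set(documented),
        # Documented as needed but not permitted: stale documentation or missing rule.
        "documented_not_open": set(documented) - permitted,
    }

if __name__ == "__main__":
    for gap, items in reconcile(FIREWALL_RULES, DOCUMENTED_SERVICES).items():
        print(gap, sorted(items))
```

Both result sets should be empty for an access point whose rule-set and documentation agree; each remaining entry is an item to resolve before the evidentiary review.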
CIP 43 Audit Observations
CIP-008 & CIP-009:
• Reviewed the meaning of “annual”; how it relates to applicable requirements; and the audit team’s evidentiary expectations
• Reviewed “Bookending” expectations regarding exercising of Cyber Security Incident Response Plans and Recovery Plans for Critical Cyber Assets
CIP 43 Next Steps
• ReliabilityFirst is preparing for the 2011 CIP Audit Schedule
– CIP 43 and 693 audits will be conducted separately
• Regional Entities are sharing audit observations to help develop effective practices and regional consistency, where practical
• ReliabilityFirst will implement audit process improvements, as necessary, based on audit observations
We welcome your support and preparedness in making your CIP 43 Audit a success!
Questions
Questions should be emailed to Karen Yoder ([email protected]) Subject: “CIP WEBINAR”
Questions will be considered in the order they are received
Clarifying questions are welcome and we will do our best to answer during the question period
Challenges to a position should be addressed to the presenter and will be taken offline