Bryan Carr PMP, CISA Compliance Auditor – Cyber Security
Audit Evidence & Attachment G CIP 101 – Salt Lake City, UT
September 25, 2013
About Me
• Joined WECC in August 2012
• Before WECC – CIP Compliance Program Manager at PacifiCorp
• Prior years' experience in project and program management
Topics for Today
- Audit Period
- Data Retention
- Evidence & Other Documentation
- Attachment G
A.C.R.O.N.Y.M.S.
BES: Bulk Electric System
ROP: NERC Rules of Procedure
CMEP: Compliance Monitoring and Enforcement Program
RSAW: Reliability Standard Audit Worksheet
DR: Data Request
Metaphorically Speaking
An audit is like an onion…
o It stinks
o Makes some people cry
o Involves peeling back layers of evidence
o An important ingredient in the stew of reliability
o When prepared properly, it adds flavor
o Improves the overall health of the BES
Audit Cycle & Audit Period
• 3 year audit cycle - BA, TOP, RC
• 6 year audit cycle - all other registrations
• 3 year audit may include 6 year functions
• Audit Period (monitoring period):
  o Specified in Notice of Audit (90 day notice)
    § Starts day after completion of last audit
    § Ends on date of Notice of Audit (90 day notice)
  o May be affected by self-report, self-certification, other enforcement activities
Data Retention
Section D Compliance – Subsection 1.4 Data Retention of each CIP Standard states:
“The Responsible Entity shall keep documentation required by Standard CIP-00X-3 from the previous full calendar year unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.”
Audit Period vs. Data Retention
CMEP Section 3.1.4.2 Period Covered:
“The Registered Entity’s data and information must show compliance with the Reliability Standards that are the subject of the Compliance Audit for the entire period covered by the Compliance Audit… The Registered Entity will be expected to demonstrate compliance for the entire period described above. If a Reliability Standard specifies a document retention period that does not cover the entire period described above, the Registered Entity will not be found in noncompliance solely on the basis of the lack of specific information that has rightfully not been retained based on the retention period specified in the Reliability Standard. However, in such cases, the Compliance Enforcement Authority will require the Registered Entity to demonstrate compliance through other means.”
Other Means?
• Demonstrate compliance through other means
  o Must be as sufficient and appropriate as the actual evidence that would have otherwise been provided.
• Strongly recommend maintaining actual evidence for the entire audit period
• Specific timeframes called out in Requirements are still valid (e.g. 90 days, 3 months, etc.)
Quiz: The CMEP is which Appendix to the NERC Rules of Procedure?
Answer: 4C
Audit Documentation & Evidence
• FAQ: “What examples can you give us for the best compliance documentation or evidence?”
  o Revision history/table with sufficient detail
  o Purpose statement (context)
  o Tie content back to Requirement(s)
  o Approvals & reviews (where applicable)
  o Definitions of uncommon or undefined terms
  o Less concerned about layout, look & feel
  o Provide additional context/explanation in RSAW
Documentation & Evidence Pointers
• Don’t
  o Rename documents to fit different Standards & Requirements
  o Extract approval page(s) from original documents and provide as a separate document
• Do
  o Remember Auditor Speak vs. Entity Speak
  o Provide context for exports, reports, spreadsheets
  o Create searchable PDFs, use Acrobat Portfolio
  o Encrypt all evidence prior to submittal
Attachment G
• Completely revised for 2014
• A guide to help you prepare, organize, and submit evidence prior to audit
• Tailored to the scope of your audit
• Does not preclude additional Data Requests
• Generally follows language of each Requirement
• Does contain a few detailed and specific requests
• Due 30 days prior to audit
Attachment G Snapshots
Quiz: The Northeast blackout occurred on what date?
Answer: August 14, 2003
Attachment G Recap
• Attachment G is only a guide
• Provide sufficient and appropriate evidence to demonstrate compliance
• If evidence is missing or incomplete, auditors will send additional Data Requests
• For complicated documents or organizational structures, use RSAW to tell the story
At Your Service
• Just a phone call away
• Always willing to provide our “audit approach”
Questions?
Bryan Carr, PMP, CISA
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 819-7691
[email protected]