
CIP 43 Reliability First Audit Observations

CIP 43 Reliability First Audit Observations. Reliability First CIP Webinar Thursday, September 30, 2010 Tony Purgar, Sr. Consultant - Compliance. Topics. Background CIP 43 Audit Observations CIP 43 Next Steps Questions. Background.



Presentation Transcript


  1. CIP 43 ReliabilityFirst Audit Observations
  ReliabilityFirst CIP Webinar, Thursday, September 30, 2010
  Tony Purgar, Sr. Consultant - Compliance

  2. Topics
  • Background
  • CIP 43 Audit Observations
  • CIP 43 Next Steps
  • Questions

  3. Background
  • ReliabilityFirst started conducting CIP 43 Audits in 2010
  • A planned and coordinated approach is used to execute Pre-Audit, Onsite and Post-Audit activities
  • ReliabilityFirst continuously evaluates auditing practices for improvements to help streamline the audit process for the auditors and the registered entity

  4. Background
  • Scope:
    • 2010: ReliabilityFirst is evaluating CIP compliance for the review period covering the previous full calendar year up through the end of audit date (based on Data Retention defined in the CIP Standards)
      • 2010 audits cover 1/1/09 through end of audit
    • 2011: ReliabilityFirst is evaluating CIP compliance for the review period of 10/1/10 through the end of audit date, to coincide with the release of the CIP V3 standards
      • The 2011 CMEP Implementation Plan and Actively Monitored List will define the “minimum list” of CIP requirements within scope
  • Compliance is assessed against:
    • CIP V1 standards from 1/1/09 to 3/31/10
    • CIP V2 standards from 4/1/10 to 9/30/10
    • CIP V3 standards from 10/1/10 onward

  5. Background
  • ReliabilityFirst is sharing the following observations for entity awareness in preparation for an upcoming CIP 43 Audit

  6. CIP 43 Audit Observations
  • CIP 43 vs. CIP 13:
    • 2 teams of 3 vs. 1 team of 3, including the Audit Team Lead (ATL)
    • Each team focused on specific CIP Standards
    • CIP 43 Onsite review started ½ day earlier (Monday @ 1:00 pm vs. Tuesday @ 8:30 am)
    • CIP 43 requires 2-3 wks of coordinated, web-based pre-audit reviews by the two audit teams
    • CIP 13 usually required less with only one team
    • Greater focus on final findings during pre-audit reviews

  7. CIP 43 Audit Observations
  • Audit completed in 1 wk onsite
    • ½ days: Monday (pm) & Friday (am)
    • 8-10 hr days: Tuesday through Thursday
  • Based on onsite progress, additional time would have been scheduled to complete onsite objectives, if necessary
  • While onsite, managing the hrs spent auditing allowed for a daily recap and a fresh start the next day

  8. CIP 43 Audit Observations
  • Audit team and Entity’s Primary Compliance Contact worked closely to manage the agenda and SME coordination between both audit teams
  • Entity SMEs split their time, as needed
  • Effective and timely coordination within the team and with the entity allowed for meeting the schedule demands

  9. CIP 43 Audit Observations
  • Onsite data requests had an assigned due date prior to the pre-established deadline
  • Due dates were agreed to by the entity and flexibility was granted where appropriate

  10. CIP 43 Audit Observations
  • Evidence was voluminous but organized extremely well
  • Entity bookmarked all versions of policies, procedures, processes, programs and test results for the entire audit review period
  • This resulted in efficient evidentiary reviews that supported the schedule demands

  11. CIP 43 Audit Observations
  • Daily status reports were issued to keep the entity and audit team abreast of the overall audit status
  • The entity and audit team appreciated the value of the daily status report
  • At the end of each day, the audit team met to discuss status, results, questionable interpretations, problem areas, expectations and plans for the next day

  12. CIP 43 Audit Observations
  • The audit team used the following tools and techniques to supplement evidentiary reviews:
  • CIP-002:
    • Entity presented its process for determining Critical Assets and Critical Cyber Assets per its risk-based assessment methodology
    • Examined the meaning of “essential to the operation” with regard to remote cyber access
    • Examined other systems that access Critical Assets and how the risks of those systems are addressed

  13. CIP 43 Audit Observations
  • CIP-003:
    • Regionally developed “Cyber Security Policy” checklist was used to confirm the entity’s cyber security policy addressed all CIP-002 thru CIP-009 requirements
  • CIP-004:
    • Regionally developed “CIP-004” checklist was used to evaluate training, PRA (personnel risk assessment) and physical / electronic access records for a designated sample size
    • Supporting evidence for each date, activity and record was cross-checked against the checklist

  14. CIP 43 Audit Observations
  • CIP-006:
    • Conducted thorough walk-through of main control center, backup control center and IT data centers
    • Checked drop ceilings, cages, raised floors, HVAC and maintenance penetrations
    • Evaluated unauthorized access attempts (e.g. held door)
    • Evaluated physical access controls (e.g. monitoring, logging, alarming, security personnel activities)

  15. CIP 43 Audit Observations
  • CIP-005 & CIP-007:
    • Strategic (haphazard) sampling was utilized
    • The audit team selected four applications representing major processes and walked through entity procedures associated with each requirement
    • Evaluated firewall rule-sets and compared physical ESP device connections (i.e. ports) against diagrams and documentation
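The rule-set comparison on slide 15 can be done systematically rather than by eye. The following is an added example (not from the presentation or from ReliabilityFirst) of the kind of check an entity can run on itself before an audit: the documented ESP access point inventory and the rule set are both constructed samples, the device names (esp-fw-01 etc.) and the rule format are hypothetical, and real firewalls would need their own parser in place of `parse_ruleset`. It reports permits the documentation does not account for, permits on devices missing from the inventory, any-source permits, and documented ports with no matching rule (stale documentation).

```python
# Added example (not from the presentation or ReliabilityFirst): cross-check a
# firewall rule set against the documented ESP access point inventory.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    action: str


# Constructed inventory: what the diagrams and documentation say each ESP
# access point (hypothetical device names) is permitted to pass.
DOCUMENTED_ACCESS_POINTS = {
    "esp-fw-01": {("tcp", 443), ("tcp", 22)},
    "esp-fw-02": {("tcp", 502)},
}

# Constructed rule set in a hypothetical whitespace-separated format:
# device source destination protocol port action
SAMPLE_RULESET = """
# device   source        destination  proto port action
esp-fw-01  10.1.1.0/24   10.2.0.10    tcp   443  permit
esp-fw-01  10.1.1.0/24   10.2.0.10    tcp   22   permit
esp-fw-01  any           10.2.0.10    tcp   3389 permit
esp-fw-02  10.1.1.5      10.2.0.20    tcp   502  permit
esp-fw-02  any           any          ip    0    deny
esp-fw-03  10.1.1.0/24   10.2.0.30    tcp   80   permit
"""


def parse_ruleset(text):
    """Parse the sample format above into (device, Rule) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        device, src, dst, proto, port, action = line.split()
        rules.append((device, Rule(src, dst, proto, int(port), action)))
    return rules


def compare_with_documentation(rules, documented):
    """Return audit findings as strings: undocumented permits, devices outside
    the inventory, any-source permits, and documented ports no rule permits."""
    findings = []
    seen = {device: set() for device in documented}
    for device, rule in rules:
        if rule.action != "permit":
            continue  # only permits open a path into the ESP
        if device not in documented:
            findings.append(f"{device}: permit rule on a device not in the ESP access point inventory")
            continue
        seen[device].add((rule.proto, rule.port))
        if (rule.proto, rule.port) not in documented[device]:
            findings.append(f"{device}: undocumented permit {rule.proto}/{rule.port} ({rule.src} -> {rule.dst})")
        if rule.src == "any":
            findings.append(f"{device}: permit from any source to {rule.proto}/{rule.port}")
    for device, ports in documented.items():
        for proto, port in sorted(ports - seen[device]):
            findings.append(f"{device}: documented {proto}/{port} has no matching permit rule")
    return findings


def sample_findings():
    """Run the comparison on the constructed inputs (three findings expected)."""
    return compare_with_documentation(parse_ruleset(SAMPLE_RULESET), DOCUMENTED_ACCESS_POINTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Both directions of the comparison matter to an auditor: a permit with no documentation is a potential undocumented access path, while a documented port with no rule suggests the diagrams no longer describe the deployed configuration.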

  16. CIP 43 Audit Observations
  • CIP-008 & CIP-009:
    • Reviewed the meaning of “annual”, how it relates to applicable requirements, and the audit team’s evidentiary expectations
    • Reviewed “bookending” expectations regarding exercising of Cyber Security Incident Response Plans and Recovery Plans for Critical Cyber Assets
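Slide 16 does not state how the audit team defined “annual” or “bookending”, so the following added example (not from the presentation or from ReliabilityFirst) assumes one common interpretation: consecutive exercises may be no more than 365 days apart, the left bookend is an exercise record dated on or before the review period start (so the first in-period exercise can be shown to be on time), and the period end is covered if the last exercise falls within 365 days of it. The review period start matches the 2010 scope on slide 4 (1/1/09); the audit end date and all exercise dates are constructed.

```python
# Added example (not from the presentation or ReliabilityFirst): check exercise
# evidence for a plan against an assumed "annual" interval across the audit
# review period, including a "bookend" record from before the period start.
from datetime import date


def check_annual_bookends(exercise_dates, period_start, period_end, max_gap_days=365):
    """Return a list of findings (empty list means the evidence is complete).

    Assumed interpretation: consecutive exercises are at most max_gap_days
    apart; the anchor for the first in-period gap is the last exercise on or
    before period_start (left bookend); the last exercise must be within
    max_gap_days of period_end, otherwise an exercise was due and is missing.
    """
    findings = []
    dates = sorted(exercise_dates)
    before = [d for d in dates if d <= period_start]
    if before:
        anchor = before[-1]
    else:
        findings.append(f"no exercise on or before period start {period_start} (left bookend missing)")
        anchor = period_start
    for d in dates:
        if not (period_start < d <= period_end):
            continue  # evidence outside the review period is not assessed
        gap = (d - anchor).days
        if gap > max_gap_days:
            findings.append(f"gap of {gap} days between {anchor} and {d} exceeds {max_gap_days}")
        anchor = d
    tail = (period_end - anchor).days
    if tail > max_gap_days:
        findings.append(f"last exercise {anchor} is {tail} days before period end {period_end}")
    return findings


def check_annual_bookends_iso(iso_dates, start_iso, end_iso, max_gap_days=365):
    """Convenience wrapper taking ISO 8601 date strings (YYYY-MM-DD)."""
    return check_annual_bookends(
        [date.fromisoformat(s) for s in iso_dates],
        date.fromisoformat(start_iso), date.fromisoformat(end_iso), max_gap_days)


# Constructed evidence for the 2010 review period (starts 1/1/09 per the
# slides; the audit end date used here is assumed).
PERIOD = ("2009-01-01", "2010-10-15")
COMPLIANT_EXERCISES = ["2008-11-20", "2009-11-10"]   # 355-day gap, end covered
GAPPED_EXERCISES = ["2008-11-20", "2010-01-15"]      # 421-day gap

if __name__ == "__main__":
    for label, evidence in (("compliant", COMPLIANT_EXERCISES), ("gapped", GAPPED_EXERCISES)):
        print(label, check_annual_bookends_iso(evidence, *PERIOD) or ["no findings"])
```

If the audit team instead reads “annual” as once per calendar year, the gap rule changes but the bookend logic is the same: the record before the period start is what proves the first in-period year was not already late. Agreeing the interpretation with the audit team before onsite review, as slide 16 describes, avoids reworking the evidence package.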

  17. CIP 43 Next Steps
  • ReliabilityFirst is preparing the 2011 CIP Audit Schedule
  • CIP 43 and 693 audits will be conducted separately
  • Regional Entities are sharing audit observations to help develop effective practices and regional consistency, where practical
  • ReliabilityFirst will implement audit process improvements, as necessary, based on audit observations
  • We welcome your support and preparedness in making your CIP 43 Audit a success!

  18. Questions
  • Questions should be emailed to Karen Yoder (karen.yoder@rfirst.org), Subject: “CIP WEBINAR”
  • Questions will be considered in the order they are received
  • Clarifying questions are welcome and we will do our best to answer during the question period
  • Challenges to a position should be addressed to the presenter and will be taken offline