
How To Prepare For A CIP Audit Scott Barker CISSP, CISA CIP Compliance Workshop Baltimore, MD August 19-20, 2009.


2 CIP Audit Goals & Objectives
Thoroughly comply with the requirements of the cyber security standards and enhance the protection of the bulk electric system.
Be “prepared” to successfully pass a CIP audit with no audit findings and no financial penalties.
1. Establish a “Culture of Compliance” in your company
2. Be aware of the CIP auditor’s operations activities
3. Know how to interact with auditors
4. Consider software to automate compliance
5. Conduct pre-audit walk-through exercises

3 Exhibit and instill a “Culture of Compliance”
Establish a strong regulatory compliance program that is supported by the CEO and the Senior Leaders.
A regulatory compliance program should have direct reports to the CEO or even the Board of Directors.
Compliance should be a part of employees’ goals and objectives.

4 The mission of an internal regulatory compliance program is to:
- Ensure that adequate resources are dedicated to compliance with NERC reliability standards
- Monitor regulatory compliance through the internal Working Groups
- Review and approve policies that give direction and oversight to the Working Groups

5 XYZ Compliance Structure

6 Be Aware of NERC Compliance Monitoring Methods
- Periodic reporting
- Self-Certifications
- Exception reporting
- Compliance Violation Investigations
- Random spot checks or audits
- Compliance Audits (On Site and Off Site)
- Self Reporting

7 Be Aware of Your Audit Cycles
- Mandatory audits every 3 years for TOs & TOPs
- Mandatory audits every 6 years for GOs & GOPs
- Cyber Security audits will be separate from Reliability Compliance audits but will follow the same cycle

8 Be Aware of Violation Statistics

9 Interaction With CIP Auditors
All initial contacts with CIP auditors should be coordinated with the Administrator of CIP Compliance.
Request sufficient advance notification to ensure:
- The proper persons are on hand
- Relevant records are gathered together in a timely manner
- The audit is scheduled to minimize disruption

10 Administrator of CIP Compliance
Keep the audit focused and facilitate the audit.
Keep in constant communication with the CIP auditor.
Resolve audit issues as soon as they are identified.
Keep all parties informed on the progress of the audit.
Accompany staff members during interviews when deemed appropriate.

11 Entrance Conference
Demonstrate a positive attitude.
Clarify the audit objective and scope (areas to be tested and period covered by the audit).
Understand the audit process.
Understand the reporting process and determine who will receive audit reports.
Determine space requirements.
Know contacts in the CIP auditor’s office.
Consider giving the auditor a tour of your facilities.

12 Interaction With CIP Auditors During the Audit
All requests for specific information or interviews should be coordinated through the Administrator of CIP Compliance.
The CIP auditor should keep the Administrator of CIP Compliance informed of any mistakes, discrepancies, or audit questions or concerns that arise during the audit process.
The purpose of such contact is to expedite the audit and to provide additional information or clarify any questions.

13 CIP Records
Provide access in a timely manner.
Make copies of documents as necessary; do not permit the original documents out of the office.
Do not provide records that are not relevant.
If a request seems unnecessary, ask the CIP auditor for the purpose of reviewing the document. Recommend alternatives that would achieve the same purpose.
Communicate the reasons for any significant delays in providing records.
Maintain a list of records provided to the auditor. Ensure all records are returned at the completion of audit fieldwork.

14 Exit Conference
- The purpose of the exit conference is to inform CIP representatives of the audit findings
- At this time, any misunderstandings are clarified
- Minutes of the exit conference should be taken and made available to the CIP auditors and appropriate internal regulatory compliance representatives

15 Useful Preparation Tips
Compliance Software
- AssurX – CATSWeb
- Symantec – Control Compliance Suite
Pre-Audits / Mock Audits
- Use Reliability Standards Audit Worksheets (RSAWs) as guidance documents
- Internal Auditors
- External Auditors (DYONYX, KEMA, etc.)
Attend regional meetings and workshops.

16 Do’s
Be honest and open.
Understand the purpose of each meeting and review related records prior to interviews.
Listen carefully and understand each question before answering. Be sure responses are complete and accurate.
Respond only to the question asked; keep answers simple and direct.
Weigh answers carefully, being certain you have the facts to back them up.
Limit comments to areas where you have “first hand” knowledge.

17 Don’ts
Do not speculate or answer hypothetical questions.
Do not agree or disagree with opinions.
Do not “ramble” or provide irrelevant information (office gossip).
Do not get offended by WHY questions.

18 Questions?
Contact Information
Scott Barker CISSP, CISA
Manager, Information Planning & Security
Indianapolis Power & Light Company
(317) 261-8280
scott.barker@aes.com

