
SPP.org 1. EMS Users Group – CIP Standards The Compliance Audits Are Coming… Are You Ready?



Presentation transcript:

Slide 1 – SPP.org

Slide 2 – EMS Users Group – CIP Standards: The Compliance Audits Are Coming… Are You Ready?

Slide 3 – Compliance Program
Currently spot checking “AC” requirements.
Applicable Standard(s) and Requirement(s):
Standard     Requirement
CIP-002-1    R1, R2, R3
CIP-003-1    R1, R2, R3
CIP-004-1    R2, R3, R4
CIP-007-1    R1
CIP-008-1    R1
CIP-009-1    R1, R2

Slide 4 – Compliance Program: Expected Spot Check Schedule
Table 1 entities (RC + BA, TOP – subject to 1200):
1. 13 requirements through 6/30/2010
2. All requirements beginning 7/1/2010
Table 2 entities (TSP, RRO, NERC + BA, TOP – not subject to 1200):
1. All requirements beginning 7/1/2010
Table 3 entities (IA, TO, GO, GOP, LSE):
1. All requirements beginning 1/1/2011

Slide 5 – Compliance Program: Considerations
Any “Compliant” requirement can be spot-checked:
1. To verify or confirm self-certifications
2. To verify or confirm self-reports of non-compliance
3. To verify or confirm periodic data submittals
4. In response to system events or operating problems
The scope of a scheduled spot check can be expanded as necessary:
1. When the audit uncovers possible non-compliance with a requirement not in the original scope

Slide 6 – Expectations
The audited entity has the obligation to demonstrate compliance:
  Sufficient, appropriate, and adequate documentation
  Demonstrate sustained compliance
The auditor:
  Starts from a neutral position
  Seeks additional evidence as necessary to make a compliance determination

Slide 7 – Approach
The entity completes Q/RSAWs and possibly supplemental questions prior to the on-site audit or spot check.
The entity may be asked to submit certain evidence in advance of the on-site audit or spot check.
Certain requirements will be statistically sampled during the audit or spot check.

Slide 8 – How to Prepare
Starting now:
  Consider a pre-audit (internal or third-party) review
  Build a culture of compliance into your processes
Upon notice:
  Collect evidence of compliance
  Identify subject matter experts
During the audit:
  Be prepared to supply additional evidence

Slide 9 – Some Issues
Annual means 12 months, not calendar year.
Periodic reviews/approvals need to be date stamped as well as signed.
Authorized access needs evidence of authorization/approval.
A request is not the same as an action.
Electronic records can replace paper as long as all requirements are met.

Slide 10 – An Example: CIP-004/R4
The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
How do you prove that the list is complete?
How do you prove that the list is accurate?
How do you prove access was authorized?

Slide 11 – An Example: CIP-004/R4 (continued)
You can maintain paper records:
  Possible reconciliation issues with reality
  Need evidence of actions, not requests
  Need evidence of approvals
You can rely on the access control systems to maintain records:
  Need date-stamped transaction logs
  Still need to demonstrate approvals
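One way to run the reconciliation slide 11 describes, as an added example that is not part of the presentation: a Python script cross-checks a constructed authorized-access list against approval records and the access control system's date-stamped transaction log, applying the evidence rules from slide 9 (dated approvals, action not request, 12-month reviews). Person names, asset names and dates are made up for the demonstration.

```python
from datetime import date, timedelta

# Constructed sample evidence (not from the presentation); names and assets are made up.
ACCESS_LIST = [  # (person, Critical Cyber Asset, access right, date listed)
    ("alice", "ems-scada-01", "electronic", date(2009, 3, 2)),
    ("bob", "ems-scada-01", "physical", date(2009, 5, 14)),
    ("carol", "ems-hist-02", "electronic", date(2009, 6, 1)),
]
APPROVALS = [  # (person, asset, right, approver, approval date; None = signed but not dated)
    ("alice", "ems-scada-01", "electronic", "mgr1", date(2009, 3, 1)),
    ("bob", "ems-scada-01", "physical", "mgr2", None),
    ("dave", "ems-hist-02", "electronic", "mgr1", date(2009, 6, 20)),
]
ACTION_LOG = [  # (timestamp, action, person, asset, right): access control system transactions
    (date(2009, 3, 2), "grant", "alice", "ems-scada-01", "electronic"),
    (date(2009, 5, 14), "grant", "bob", "ems-scada-01", "physical"),
    (date(2009, 6, 1), "grant", "carol", "ems-hist-02", "electronic"),
    (date(2009, 7, 9), "grant", "erin", "ems-hist-02", "electronic"),
]
LAST_REVIEW = date(2008, 8, 1)  # constructed: date the list was last reviewed/approved
AUDIT_DATE = date(2009, 9, 1)   # constructed: date of the spot check


def reconcile(access_list, approvals, action_log, last_review, today):
    """Cross-check list, approvals and log; return audit findings as strings."""
    approved = {(p, a, r): d for p, a, r, _, d in approvals}
    granted = {(p, a, r) for _, act, p, a, r in action_log if act == "grant"}
    listed = {(p, a, r) for p, a, r, _ in access_list}
    findings = []
    for key in sorted(listed):
        name = "/".join(key)
        if key not in approved:          # authorized access needs evidence of approval
            findings.append(f"{name}: on list with no approval record")
        elif approved[key] is None:      # approvals must be dated, not just signed
            findings.append(f"{name}: approval is not date stamped")
        if key not in granted:           # list claims access the system never provisioned
            findings.append(f"{name}: on list but no grant in transaction log")
    for key in sorted(set(approved) - granted):  # an approved request is not an action
        findings.append(f"{'/'.join(key)}: approved but never provisioned")
    for key in sorted(granted - listed):         # provisioned access missing from the list
        findings.append(f"{'/'.join(key)}: granted in log but missing from list")
    if today - last_review > timedelta(days=365):  # annual = 12 months, not calendar year
        findings.append(f"list last reviewed {last_review}, more than 12 months before {today}")
    return findings


if __name__ == "__main__":
    for finding in reconcile(ACCESS_LIST, APPROVALS, ACTION_LOG, LAST_REVIEW, AUDIT_DATE):
        print(finding)
```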

Slide 12 – Technical Feasibility Exception
Interim guidance was issued July 1, 2009.
Regions, not NERC, will manage the process; NERC has an oversight role.
Regions are working with NERC to develop a workable solution.
Interim guidance will be revised and reissued, possibly on or about September 21, 2009.
The Region/NERC solution will be forwarded to FERC for approval.

Slide 13 – Technical Feasibility Exception: The TFE Process (as currently expected)
TFE requests are limited to 14 or 15 specific CIP requirements that contain enabling language.
Entities will submit a “Part A” TFE request to the Region.
1. The Region has 60 days to initially accept or reject.
2. The entity will be able to remedy/resubmit a deficient TFE request.
3. Safe Harbor is granted once the TFE request is accepted.

Slide 14 – Technical Feasibility Exception: The TFE Approval Process
The Region has one year to complete a comprehensive review of the TFE request for approval.
The entity will be afforded an opportunity to remedy and resubmit a rejected TFE request.
The entity will have to execute and maintain a remediation plan to achieve strict compliance.
Rejection of the request, failure to maintain remediation, or failure to report periodically could void safe harbor.

Slide 15 – Technical Feasibility Exception: TFE Process
TFE requests approved by the Region are subject to NERC review:
1. NERC could override the Region's decision.
Once approved, the entity must still maintain remediation and reporting plans or risk loss of safe harbor.
The entity can request an amendment/modification to an accepted or approved TFE request:
1. An amendment is not effective until approved.
2. Rejection reverts to the previous version of the request.

Slide 16 – CIP Standards Development
Version 2 pending before FERC:
  Minor revisions to address time-critical aspects of Order 706.
  Eliminated use of reasonable business judgment.
  Minor, mostly non-controversial quick fixes.
Version 3 being developed:
  Concept paper published for comment.
  Requirements and security controls catalog beginning to be drafted.

Slide 17 – CIP Standards Development: Expected Timeline
Post first draft of CIP-002-3 in December 2009.
Publish first revision and security controls catalog (CIP-003-3 through CIP-009-3) in April 2010.
Publish final revisions to CIP-002-3 through CIP-009-3 with implementation plan for ballot in December 2010.
Big paradigm change. Will take some getting used to.

Slide 18 – Questions?

