15 CIP v5 Evidence Request 03 24 16 King

CIP v5 Evidence Request
Morgan King
CISSP-ISSAP, CISA
Senior Compliance Auditor, Cyber Security
WECC Compliance Workshop
La Jolla, CA
March 24, 2016
Western Electricity Coordinating Council
Evidence
• Component of performing a compliance audit
is the gathering of evidence to support
audit findings
• Generally Accepted Government Auditing
Standards (GAGAS) require audit teams to
– “obtain sufficient, appropriate evidence to provide
a reasonable basis for their findings and
conclusions.”
GAGAS 6.56
Evidence
• The strength or weakness of the evidence
depends on how persuasive it is
• Persuasiveness depends on:
– Relevance
– Sufficiency
– Competence
Evidence
• Evidence is relevant if different results would
lead to a different conclusion about the audit
objective
• Evidence is sufficient if there is enough of it to
reach a confident conclusion
• Evidence is competent if it is credible
History
• Each region issued a request for information prior
to the audit and the Responsible Entity provided
the requested information
• Request from the industry representatives to
standardize the evidence requests across the ERO
• Ensure the ERO Enterprise is more consistent and
transparent in its audit approach
• RSAW Development Team met with industry
representatives to develop a better set of RSAWs
RSAWS
• NERC/Region core development team
– Started in early 2013
– Draft 1 had extensive evidence requests and guidance
– Based on comments, Draft 2 had evidence requests
and most of the guidance removed
• Advised by additional Region specialists
• Posted four times for industry review/comment
• Three meetings with 791 SDT
• Final review by NERC legal staff
• Final version posted May 2015 for public use
RFI Development
• Core Development Team
– NERC, RF and WECC
• Region Advisory Group
– One member per Region
• Entity Advisory Group
– Small (6-8) group of advisors from selected
entities
• FERC Observers
RFI Purpose
• Provide a set of common evidence request
documents to promote consistency within the
ERO
• Framework for collecting and preserving the
evidence that the audit team is likely to ask for
and needs to validate and verify compliance
• The earlier in the process that information can be
requested, the better
• Provide suggested audit approach to supplement
the RSAW Compliance Assessment Approach
RFI
• Types of evidence Registered Entities may use
to demonstrate compliance
• Not intended to require a single, exclusive
approach
• Enhanced transparency around the
compliance expectations for Reliability
Standards
• Does not, and cannot, alter the meaning of
the Standards
CIP Version 5 Evidence Request and User
Guide
Evidence Request User Guide
Evidence Request Flow
Approach
• Evidence Requests occur in “Levels”
– Level 1
• Request for Information (RFI) delivered as part of the initial
audit notification
• Requests applicable processes, procedures, policies, etc.
• Requests lists of various items to form populations for
sampling
• Requests sufficient evidence to develop directed samples
– Level 2
• Directed requests for specific evidence based on a sample of
the applicable population
– Level 3
• Tightly focused requests for specific evidence
Evidence Request Flow
(Figure: evidence request flow by level)
Initial Evidence Request (Level 1): BES Cyber Systems, Cyber Assets, IRA & ICE Considerations, Assets, Processes & Procedures, Personnel, CIP Exceptional Circumstances & TFEs
Initial Sampling (Level 2): BES Cyber Systems, Cyber Assets, Assets, Personnel
Directed Sampling (Level 3): BES Cyber Systems, Cyber Assets, Assets, Personnel
NERC CIP v5 RFI
NERC CIP v5 RFI
Future Enhancements
• Provide guidance for incorporating risk
considerations into the evidence and samples
– Lower risk entities requiring less evidence and
smaller sample sets to provide reasonable
assurance of audit results
• Relational database to be used by the audit
teams when processing the detailed evidence
and when selecting samples
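The three-level approach described under Approach (a Level 1 population list, a Level 2 sample drawn from it, and Level 3 directed requests), together with the relational database proposed above for processing evidence and selecting samples, as an added worked example that is not part of this presentation and not a NERC or WECC tool. A constructed Cyber Asset population is loaded into an in-memory SQLite database, a seeded stratified sample is drawn for Level 2 and logged, and a focused Level 3 request is generated for each sampled asset. All asset identifiers, BES Cyber System names, impact ratings and request items are made up for illustration.

```python
"""Added illustration of the Level 1 -> Level 2 -> Level 3 evidence request flow,
backed by a small relational database. Asset rows, impact ratings and request
items are constructed for this example; they are not from the NERC RFI or any
real entity."""
import random
import sqlite3
from typing import Dict, List

# Constructed Level 1 population: the Cyber Asset list an entity might return
# with its initial RFI response. Columns: asset_id, BES Cyber System, impact, function.
LEVEL1_CYBER_ASSETS = [
    ("CA-001", "BCS-EMS", "High", "EMS server"),
    ("CA-002", "BCS-EMS", "High", "EMS server"),
    ("CA-003", "BCS-EMS", "High", "Historian"),
    ("CA-004", "BCS-SUB-A", "Medium", "RTU"),
    ("CA-005", "BCS-SUB-A", "Medium", "Protective relay"),
    ("CA-006", "BCS-SUB-B", "Medium", "RTU"),
    ("CA-007", "BCS-SUB-B", "Medium", "Protective relay"),
    ("CA-008", "BCS-SUB-B", "Medium", "Protective relay"),
    ("CA-009", "BCS-GEN-1", "Low", "PLC"),
    ("CA-010", "BCS-GEN-1", "Low", "HMI"),
]

# Constructed Level 3 request items keyed by asset function (hypothetical names,
# not the NERC RFI's wording).
LEVEL3_ITEMS = {
    "EMS server": ["configuration baseline", "authorized user list", "patch evaluation record"],
    "Historian": ["configuration baseline", "authorized user list"],
    "RTU": ["configuration baseline", "physical access log"],
    "Protective relay": ["configuration baseline", "physical access log"],
    "PLC": ["configuration baseline"],
    "HMI": ["configuration baseline", "authorized user list"],
}


def build_audit_db(rows=LEVEL1_CYBER_ASSETS) -> sqlite3.Connection:
    """Load the Level 1 population into an in-memory database with a selection log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cyber_asset (asset_id TEXT PRIMARY KEY, bcs TEXT, impact TEXT, function TEXT)")
    conn.execute("CREATE TABLE sample_selection (level INTEGER, asset_id TEXT, stratum TEXT, seed INTEGER)")
    conn.executemany("INSERT INTO cyber_asset VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def select_level2_sample(conn, per_impact: Dict[str, int], seed: int) -> List[str]:
    """Level 2: stratified sample of the population, one stratum per impact rating.

    The draw is seeded so the audit team can reproduce and document how the
    sample was chosen; every pick is written to sample_selection."""
    rng = random.Random(seed)
    chosen: List[str] = []
    for impact in sorted(per_impact):
        ids = [r[0] for r in conn.execute(
            "SELECT asset_id FROM cyber_asset WHERE impact = ? ORDER BY asset_id", (impact,))]
        picked = sorted(rng.sample(ids, min(per_impact[impact], len(ids))))
        conn.executemany("INSERT INTO sample_selection VALUES (2, ?, ?, ?)",
                         [(a, impact, seed) for a in picked])
        chosen.extend(picked)
    conn.commit()
    return chosen


def level3_requests(conn, sampled: List[str]) -> Dict[str, List[str]]:
    """Level 3: a tightly focused request per sampled asset, chosen by its function."""
    requests: Dict[str, List[str]] = {}
    for asset_id in sampled:
        row = conn.execute("SELECT function FROM cyber_asset WHERE asset_id = ?", (asset_id,)).fetchone()
        requests[asset_id] = LEVEL3_ITEMS.get(row[0], ["configuration baseline"])
        conn.execute("INSERT INTO sample_selection VALUES (3, ?, ?, NULL)", (asset_id, row[0]))
    conn.commit()
    return requests


def selection_record(conn) -> List[tuple]:
    """The selection log: which assets were requested at which level, and the seed used."""
    return conn.execute(
        "SELECT level, asset_id, stratum, seed FROM sample_selection ORDER BY level, asset_id").fetchall()


def run_evidence_request(seed: int = 2016, per_impact=None) -> Dict[str, object]:
    """Run all three levels over the constructed population and return the results."""
    per_impact = per_impact or {"High": 1, "Medium": 2, "Low": 1}
    conn = build_audit_db()
    population = [r[0] for r in conn.execute("SELECT asset_id FROM cyber_asset ORDER BY asset_id")]
    sample = select_level2_sample(conn, per_impact, seed)
    requests = level3_requests(conn, sample)
    return {"population": population, "sample": sample, "requests": requests, "record": selection_record(conn)}


if __name__ == "__main__":
    for key, value in run_evidence_request().items():
        print(key, value)
```

Logging the seed and stratum with every pick is the point of keeping the selection in a database rather than a spreadsheet: the audit team can later show exactly why each asset was requested, which is what makes the resulting evidence credible under the relevance, sufficiency and competence criteria discussed earlier.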
Questions
• What evidence of compliance will be needed
for CIP Version 5 WECC Audit?
• Will WECC require CIP Version 5 evidence to
be submitted in a specific format?
Notice of Audit
(Figure: Notice of Audit attachments, columns "New" and "Legacy")
Audit Scope
Att D
Certification Letter
Att E
Pre-Audit Survey
Att F
Documentation Instructions
Audit_Request_For_Information.xlsx
CIP_Audit_Data_Set.xlsx
Att G
Protection Systems Maintenance
Att G Supplement
WECC CIP v5 RFI
Question
Does an entity need to provide all the
information outlined in the Audit Request for
Information?
Considerations
• Audit Approach
– Review of processes and procedures to verify all required
components are included
– Verification of an entity’s performance to the Requirement
– Verification of the completeness of an entity’s
performance
• Strategies
– Ask as much as possible up front
– Not asking for more information than will be reviewed by
the audit team
– Later requests will be directed requests, usually based on a
sample of assets under review
Is Not
• Intended to be prescriptive
• Carved in stone
Availability
https://www.wecc.biz/Pages/Compliance-UnitedStates.aspx
Implied Requirements
• Requirements not explicitly stated but implied
by the language
• Consequence of writing CIP Version 5 as
results-based Standards
• Desired end result is specified, with the
method of achieving the result left unspecified
• Some actions that are actually required are
not explicitly stated in the Standard
Implied Requirements
• Examples
– CIP-002-5.1
• Identification of BES Cyber Assets
– CIP-005-5 R1, Part 1.1
• Identification of PCA
– Identification of Electronic Access Control and
Monitoring Systems
• No list of all implied requirements
Implied Requirements
Intermediate System Resides in a DMZ
Control Consoles Designated as Intermediate Systems
Interactive Remote Access
• An Intermediate System is required to be
identified as an EACMS and protected
accordingly
• Carefully review the capabilities of the
Intermediate System to ensure it cannot
directly perform any BES Reliability Operating
Services (BROS) functions
References
• NERC. (2015, December 15). CIP Version 5 Evidence Request User Guide. Retrieved from http://www.nerc.com/pa/CI/Documents/CIP%20Version%205%20Evidence%20Request_User%20Guide.zip
Contact Info
Morgan King, CISSP-ISSAP, CISA
Senior Compliance Auditor - Cyber
Security
Western Electricity
Coordinating Council (WECC)
Mking@wecc.biz
Cell - 801.608.6652
Office - 801.819.7675