CIP 43 Audit Observations

CIP 43
ReliabilityFirst Audit Observations
ReliabilityFirst CIP Webinar
Thursday, September 30, 2010
Tony Purgar, Sr. Consultant - Compliance

Topics
- Background
- CIP 43 Audit Observations
- CIP 43 Next Steps
- Questions

Background
- ReliabilityFirst has started conducting CIP 43 Audits in 2010
- A planned and coordinated approach is utilized to execute Pre-Audit, Onsite and Post-Audit activities
- ReliabilityFirst continuously evaluates auditing practices for improvements to help streamline the audit process for the auditors and the registered entity

Background
- Scope:
  • 2010: ReliabilityFirst is evaluating CIP compliance for the review period covering the previous full calendar year up through the end of audit date (based on Data Retention defined in the CIP Standards)
    – 2010 audits cover 1/1/09 through end of audit
  • 2011: ReliabilityFirst is evaluating CIP compliance for the review period of 10/1/10 through the end of audit date to coincide with the release of the CIP V3 standards.
    – 2011 CMEP Implementation Plan and Actively Monitored List will define the “minimum list” of CIP requirements within scope.
- Compliance is assessed against:
  • CIP V1 standards from 1/1/09 to 3/31/10
  • CIP V2 standards from 4/1/10 to 9/30/10
  • CIP V3 standards from 10/1/10 onward

Background
- ReliabilityFirst is sharing the following observations for entity awareness in preparation for an upcoming CIP 43 Audit

CIP 43 Audit Observations
- CIP 43 vs. CIP 13:
  • 2 teams of 3 vs. 1 team of 3, including the Audit Team Lead (ATL)
    – Each team focused on specific CIP Standards
  • CIP 43 Onsite review started ½ day earlier
    – (Monday @ 1:00 pm vs. Tuesday @ 8:30 am)
  • CIP 43 requires 2-3 wks of coordinated, web-based pre-audit reviews by the two audit teams
    – CIP 13 usually required less with only one team
  • Greater focus on final findings during pre-audit reviews

CIP 43 Audit Observations
- Audit - completed in 1 wk onsite
  • ½ days: Monday (pm) & Friday (am)
  • 8-10 hr days: Tuesday through Thursday
- Based on onsite progress, additional time would have been scheduled to complete onsite objectives, if necessary
- While onsite, managing the hrs spent auditing allowed for daily recap and a fresh start the next day

CIP 43 Audit Observations
- Audit team and Entity’s Primary Compliance Contact worked closely to manage the agenda and SME coordination between both audit teams
  • Entity SMEs split their time, as needed
- Effective and timely coordination within the team and with the entity allowed for meeting the schedule demands

CIP 43 Audit Observations
- Onsite data requests had an assigned due date prior to the pre-established deadline
  • Due dates were agreed to by the entity and flexibility was granted where appropriate

CIP 43 Audit Observations
- Evidence was voluminous but organized extremely well
- Entity bookmarked all versions of policies, procedures, processes, programs and test results for the entire audit review period
- This resulted in efficient evidentiary reviews that supported the schedule demands

CIP 43 Audit Observations
- Daily status reports were issued to keep the entity and audit team abreast of the overall audit status
  • The entity and audit team appreciated the value of the daily status report
- At the end of each day, the audit team met to discuss status, results, questionable interpretations, problem areas, expectations and plans for the next day

CIP 43 Audit Observations
- The audit team used the following tools and techniques to supplement evidentiary reviews:
- CIP-002:
  • Entity presented its process for determining Critical Assets and Critical Cyber Assets per its risk-based assessment methodology
  • Examined the meaning of “essential to the operation” with regard to remote cyber access
  • Examined other systems that access Critical Assets and how the risks of those systems are addressed

CIP 43 Audit Observations
- CIP-003:
  • Regionally developed “Cyber Security Policy” checklist was used to confirm the entity’s cyber security policy addressed all CIP-002 through CIP-009 requirements
- CIP-004:
  • Regionally developed “CIP-004” checklist was used to evaluate training, PRA and physical / electronic access records for a designated sample size.
    – Supporting evidence for each date, activity and record was cross-checked against the checklist
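The CIP-004 cross-check described above (each sampled individual's access-authorization date checked against their training and PRA evidence) can be expressed as a small script. The following is an added example, not ReliabilityFirst's checklist or any entity's records: the personnel records are constructed, and the 90-day initial-training window, the calendar-year refresher check and the seven-year PRA age are parameters of the example, not figures taken from the slides.

```python
"""Cross-check a sample of personnel access records against training and
PRA evidence, in the spirit of the CIP-004 checklist review described on
this slide. Added example; not ReliabilityFirst's checklist. All records
below are constructed, and the intervals are parameters of the example."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review-period bounds and evidentiary intervals: assumptions of this example.
REVIEW_START = date(2009, 1, 1)
REVIEW_END = date(2010, 9, 30)
TRAINING_GRACE = timedelta(days=90)     # initial training due within N days of authorization
PRA_MAX_AGE = timedelta(days=7 * 365)   # PRA must have been refreshed within this window


@dataclass
class PersonnelRecord:
    name: str
    access_granted: date                            # date authorized for physical/electronic access
    training: list = field(default_factory=list)    # training completion dates
    pra: list = field(default_factory=list)         # PRA completion dates


def check_record(rec, review_start=REVIEW_START, review_end=REVIEW_END):
    """Return the list of findings for one sampled individual (empty list = passed)."""
    findings = []

    # 1. Initial training within the grace window of authorization. Only tested for
    #    authorizations inside the review period; earlier ones fall outside the
    #    retained data set this example works from.
    if rec.access_granted >= review_start:
        deadline = rec.access_granted + TRAINING_GRACE
        if not any(d <= deadline for d in rec.training):
            findings.append(
                f"no training completed within {TRAINING_GRACE.days} days of access authorization")

    # 2. Refresher training: a completion in every full calendar year of the review
    #    period after the year of authorization. A partial final year is not flagged,
    #    since the calendar year (and the 'annual' obligation) has not yet closed.
    first_year = max(review_start.year, rec.access_granted.year + 1)
    for year in range(first_year, review_end.year + 1):
        if date(year, 12, 31) > review_end:
            break
        if not any(d.year == year for d in rec.training):
            findings.append(f"no training completion recorded in {year}")

    # 3. PRA: must exist, must not postdate authorization, and must be current at review end.
    if not rec.pra:
        findings.append("no PRA on file")
    else:
        earliest, latest = min(rec.pra), max(rec.pra)
        if earliest > rec.access_granted:
            findings.append(
                f"earliest PRA ({earliest}) postdates access authorization ({rec.access_granted})")
        if review_end - latest > PRA_MAX_AGE:
            findings.append(
                f"latest PRA ({latest}) older than {PRA_MAX_AGE.days} days at end of review period")
    return findings


def audit_sample(records):
    """Map each sampled name to its findings, so the reviewer can work the sample as a list."""
    return {rec.name: check_record(rec) for rec in records}


# Constructed sample: one clean record and three with a different gap each.
SAMPLE = [
    PersonnelRecord("Alice", date(2007, 3, 12),
                    [date(2007, 3, 20), date(2008, 3, 15), date(2009, 3, 10), date(2010, 3, 5)],
                    [date(2007, 3, 1)]),
    PersonnelRecord("Bob", date(2009, 6, 1), [date(2009, 10, 15)], [date(2009, 5, 20)]),
    PersonnelRecord("Carol", date(2002, 1, 10), [date(2009, 2, 1), date(2010, 2, 1)],
                    [date(2001, 12, 15)]),
    PersonnelRecord("Dave", date(2010, 2, 15), [date(2010, 3, 1)], []),
]

if __name__ == "__main__":
    for name, findings in audit_sample(SAMPLE).items():
        print(name, "->", findings or "no findings")
```

The value of scripting the check is that every date in the sample is tested the same way; when the record set is large, the script also makes clear which individuals need their supporting evidence pulled for manual review.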

CIP 43 Audit Observations
- CIP-006:
  • Conducted thorough walk-through of main control center, backup control center and IT data centers
  • Checked drop ceilings, cages, raised floors, HVAC and maintenance penetrations
  • Evaluated unauthorized access attempts (i.e. held door)
  • Evaluated physical access controls (i.e. monitoring, logging, alarming, security personnel activities)

CIP 43 Audit Observations
- CIP-005 & CIP-007:
  • Strategic (haphazard) sampling was utilized
    – The audit team selected four applications representing major processes and walked through entity procedures associated with each requirement
  • Evaluated firewall rule-sets and compared physical ESP device connections (i.e. ports) against diagrams and documentation
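The rule-set and connection comparison on this slide is a reconciliation exercise: what the access point actually permits and what is actually cabled, set against what the diagrams say. The script below is an added example of that reconciliation, not ReliabilityFirst's or any entity's tooling. The rule export format, the addresses, the interface names and the documented inventories are all constructed; real devices export rules in their own syntax and the parser would be adapted to it.

```python
"""Reconcile an ESP access point's permitted flows and connected interfaces
against the entity's documentation, as an auditor might when testing the
CIP-005 / CIP-007 sample. Added example; not ReliabilityFirst's tooling.
All inventories, rule lines and interface captures below are constructed."""
import re
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    port: str  # numeric port or 'any'


# Constructed: flows the entity's ESP documentation says are authorized through the access point.
DOCUMENTED_FLOWS = [
    Flow("10.20.0.0/24", "192.168.50.10", "tcp", "502"),  # EMS front end -> RTU gateway (Modbus)
    Flow("10.20.0.15", "192.168.50.20", "tcp", "22"),      # jump host -> historian (SSH)
    Flow("10.20.0.15", "192.168.50.20", "tcp", "443"),     # jump host -> historian (HTTPS)
]

# Constructed: rule-set export in a simple 'permit <proto> <src> <dst> <port>' line format.
FIREWALL_EXPORT = """\
! ESP-FW-01 rule export (constructed sample)
permit tcp 10.20.0.0/24 192.168.50.10 502
permit tcp 10.20.0.15 192.168.50.20 22
permit tcp any 192.168.50.20 3389
permit udp 10.20.0.0/24 192.168.50.0/24 any
deny ip any any
"""

RULE_RE = re.compile(r"^permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_permits(export):
    """Extract permit rules from the constructed export format; deny lines and comments are skipped."""
    flows = []
    for line in export.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, src, dst, port = m.groups()
            flows.append(Flow(src, dst, proto.lower(), port.lower()))
    return flows


def reconcile_rules(documented, export):
    """Set-compare permitted flows with documented flows; each bucket is an item for the auditor to pursue."""
    doc, obs = set(documented), set(parse_permits(export))
    return {
        "undocumented_permits": sorted(obs - doc),  # access the documentation does not justify
        "stale_documentation": sorted(doc - obs),   # documented flows the device no longer permits
        "broad_permits": sorted(f for f in obs if "any" in (f.src, f.port)),  # need explicit justification
    }


# Constructed: diagram's interface inventory (interface -> documented use; None = documented unused).
DOCUMENTED_INTERFACES = {"Gi0/0": "corporate network", "Gi0/1": "ESP segment", "Gi0/2": None}

# Constructed: observed interface status capture, one '<interface> <status>' per line.
INTERFACE_STATUS = """\
Gi0/0 connected
Gi0/1 connected
Gi0/2 connected
Gi0/3 notconnect
"""


def reconcile_interfaces(documented, status_capture):
    """Compare physically connected interfaces against the diagram in both directions."""
    connected = set()
    for line in status_capture.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == "connected":
            connected.add(parts[0])
    findings = []
    for iface in sorted(connected):
        if iface not in documented:
            findings.append(f"{iface} is connected but does not appear on the diagram")
        elif documented[iface] is None:
            findings.append(f"{iface} is connected but documented as unused")
    for iface, use in sorted(documented.items()):
        if use is not None and iface not in connected:
            findings.append(f"{iface} documented as '{use}' but not connected")
    return findings


if __name__ == "__main__":
    for bucket, flows in reconcile_rules(DOCUMENTED_FLOWS, FIREWALL_EXPORT).items():
        print(bucket, flows)
    print(reconcile_interfaces(DOCUMENTED_INTERFACES, INTERFACE_STATUS))
```

Each non-empty bucket is a question for the entity rather than a finding in itself: an undocumented permit may be a documentation gap or an unauthorized path, and a stale documented flow may mean the diagram was not updated after a change. The point of the comparison is that the evidence, not the narrative, decides which.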

CIP 43 Audit Observations
- CIP-008 & CIP-009:
  • Reviewed the meaning of “annual”; how it relates to applicable requirements; and the audit team’s evidentiary expectations
  • Reviewed “Bookending” expectations regarding exercising of Cyber Security Incident Response Plans and Recovery Plans for Critical Cyber Assets

CIP 43 Next Steps
- ReliabilityFirst is preparing for the 2011 CIP Audit Schedule
  • CIP 43 and 693 audits will be conducted separately
- Regional Entities are sharing audit observations to help develop effective practices and regional consistencies, where practical
- ReliabilityFirst will implement audit process improvements, as necessary, based on audit observations
- We welcome your support and preparedness in making your CIP 43 Audit a success!

Questions
- Questions should be emailed to Karen Yoder (karen.yoder@rfirst.org), Subject: “CIP WEBINAR”
- Questions will be considered in the order they are received
- Clarifying questions are welcome and we will do our best to answer during the question period
- Challenges to a position should be addressed to the presenter and will be taken offline