EMS Users Group – CIP Standards: The Compliance Audits Are Coming… Are You Ready? (SPP.org)

Compliance Program

Currently spot checking “AC” (Auditably Compliant) requirements. Applicable standard(s) and requirement(s):

Standard     Requirement(s)
CIP-002-1    R1, R2, R3
CIP-003-1    R1, R2, R3
CIP-004-1    R2, R3, R4
CIP-007-1    R1
CIP-008-1    R1
CIP-009-1    R1, R2

Compliance Program – Expected Spot Check Schedule

Table 1 entities (RC, plus BA and TOP subject to Urgent Action Standard 1200):
1. 13 requirements through 6/30; all requirements beginning 7/1/2010
Table 2 entities (TSP, RRO, NERC, plus BA and TOP not subject to 1200):
1. All requirements beginning 7/1/2010
Table 3 entities (IA, TO, GO, GOP, LSE):
1. All requirements beginning 1/1/2011

Compliance Program – Considerations

Any “Compliant” requirement can be spot-checked, for example to:
1. Verify or confirm self-certifications
2. Verify or confirm self-reports of non-compliance
3. Verify or confirm periodic data submittals
4. Follow up on system events or operating problems
The scope of a scheduled spot check can be expanded as necessary, e.g. when the audit uncovers possible non-compliance with a requirement that was not in the original scope.

Expectations

The audited entity has the obligation to demonstrate compliance:
- Sufficient, appropriate, and adequate documentation
- Demonstrate sustained compliance (across the audit period, not only on the day of the audit)
The auditor:
- Starts from a neutral position
- Seeks additional evidence as necessary to make a compliance determination

Approach

- The entity completes questionnaires / Reliability Standard Audit Worksheets (Q/RSAWs), and possibly supplemental questions, prior to the on-site audit or spot check.
- The entity may be asked to submit certain evidence in advance of the on-site audit or spot check.
- Certain requirements will be statistically sampled during the audit or spot check.

How to Prepare

Starting now:
- Consider a pre-audit (internal or third-party) review
- Build a culture of compliance into your processes
Upon notice:
- Collect evidence of compliance
- Identify subject matter experts
During the audit:
- Be prepared to supply additional evidence

Some Issues

- “Annual” means within 12 months of the previous occurrence, not once per calendar year.
- Periodic reviews/approvals need to be date-stamped as well as signed.
- Authorized access needs evidence of the authorization/approval itself.
- A request is not the same as an action: the evidence must show that access was actually granted or revoked, not merely that it was requested.
- Electronic records can replace paper as long as all requirements (e.g. date stamps and approval evidence) are still met.

An Example – CIP-004 R4

“The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.”
- How do you prove that the list is complete?
- How do you prove that the list is accurate?
- How do you prove access was authorized?

An Example – CIP-004 R4 (continued)

You can maintain paper records:
- Possible reconciliation issues with reality (the list drifts from what the access control systems actually enforce)
- Need evidence of actions, not requests
- Need evidence of approvals
You can rely on the access control systems to maintain the records:
- Need date-stamped transaction logs
- Still need to demonstrate approvals (the system shows who has access, not that the access was authorized)
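The reconciliation the two CIP-004 R4 slides describe, as an added example that is not part of the SPP presentation and does not describe any particular access control product: a Python script that compares a maintained authorized-access list against a date-stamped transaction log exported from an access control system, and reports the gaps an auditor would ask about (access held but never listed, list entries the system no longer grants, entries with no approver or date stamp, and access provisioned before its approval date). It also applies the “annual means 12 months” rule from the Some Issues slide. All user, asset and approver names and all dates are constructed for illustration, and the 365-day bound used for “annual” is an assumption.

```python
"""Reconcile a CIP-004 R4 authorized-access list against access-control-system
records.  Added example for this transcript; the user, asset and approver
names and all dates below are constructed, not taken from any real system."""
from datetime import date, timedelta

# Constructed: the entity's maintained list of personnel with authorized
# cyber access, with the approval evidence an auditor asks to see.
AUTHORIZED_LIST = [
    {"user": "jdoe",   "asset": "EMS-SCADA-01", "right": "operator",
     "approved_by": "ops_manager", "approved_on": date(2009, 3, 2)},
    {"user": "asmith", "asset": "EMS-SCADA-01", "right": "admin",
     "approved_by": "ops_manager", "approved_on": date(2009, 4, 15)},
    {"user": "ckim",   "asset": "EMS-HIST-01",  "right": "operator",
     "approved_by": "ops_manager", "approved_on": date(2009, 5, 10)},
    # A request that was never approved: no approver, no date stamp.
    {"user": "bjones", "asset": "EMS-HIST-01",  "right": "operator",
     "approved_by": None, "approved_on": None},
]

# Constructed: date-stamped transaction log exported from the access control
# system.  This is evidence of actions (accounts actually created/removed).
ACS_LOG = [
    ("2009-03-03", "add",    "jdoe",   "EMS-SCADA-01", "operator"),
    ("2009-04-16", "add",    "asmith", "EMS-SCADA-01", "admin"),
    ("2009-05-01", "add",    "bjones", "EMS-HIST-01",  "operator"),
    ("2009-05-05", "add",    "ckim",   "EMS-HIST-01",  "operator"),  # before 5/10 approval
    ("2009-05-20", "add",    "tleft",  "EMS-SCADA-01", "operator"),  # not on the list
    ("2009-06-30", "remove", "jdoe",   "EMS-SCADA-01", "operator"),  # still on the list
]


def current_access(log):
    """Replay the log in date order to derive who holds which right right now."""
    held = set()
    for stamp, action, user, asset, right in sorted(log, key=lambda e: e[0]):
        key = (user, asset, right)
        if action == "add":
            held.add(key)
        elif action == "remove":
            held.discard(key)
    return held


def first_grant_dates(log):
    """Date on which each (user, asset, right) was first provisioned in the ACS."""
    first = {}
    for stamp, action, user, asset, right in sorted(log, key=lambda e: e[0]):
        if action == "add":
            first.setdefault((user, asset, right), date.fromisoformat(stamp))
    return first


def reconcile(authorized, log):
    """Answer the three audit questions: is the list complete, accurate, and
    backed by approval evidence?  Returns a dict of finding sets."""
    listed = {(r["user"], r["asset"], r["right"]): r for r in authorized}
    listed_keys = set(listed)
    held = current_access(log)
    granted = first_grant_dates(log)
    return {
        # Completeness: access exists in the ACS but is not on the list.
        "unauthorized_access": held - listed_keys,
        # Accuracy: the list still carries access the ACS no longer grants.
        "stale_list_entries": listed_keys - held,
        # Authorization: list entries lacking a signed, date-stamped approval.
        "unapproved": {k for k, r in listed.items()
                       if not (r["approved_by"] and r["approved_on"])},
        # Sequence: provisioned before the approval date (approval after the fact).
        "action_before_approval": {k for k, r in listed.items()
                                   if r["approved_on"] and k in granted
                                   and granted[k] < r["approved_on"]},
    }


def annual_review_overdue(last_review, as_of, max_gap=timedelta(days=365)):
    """'Annual' means within 12 months of the last review, not once per
    calendar year.  A 365-day window is assumed here as the 12-month bound."""
    return as_of > last_review + max_gap


if __name__ == "__main__":
    for finding, keys in reconcile(AUTHORIZED_LIST, ACS_LOG).items():
        print(f"{finding}: {sorted(keys)}")
    # Reviewed in January 2008 and again in December 2009: consecutive
    # calendar years, but not "annual" in the 12-month sense.
    print("annual review overdue:",
          annual_review_overdue(date(2008, 1, 15), date(2009, 12, 20)))
```

Run stand-alone, the script lists one finding per audit question. The approval evidence stays with the entity's list and the action evidence comes from the system log; neither source alone answers all three questions, which is the point of the slide's two options.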

Technical Feasibility Exception

- Interim guidance issued July 1, 2009.
- Regions, not NERC, will manage the process; NERC has an oversight role.
- Regions are working with NERC to develop a workable solution.
- The interim guidance will be revised and reissued, possibly on or about September 21.
- The Region/NERC solution will be forwarded to FERC for approval.

Technical Feasibility Exception – The TFE Process (as currently expected)

- TFE requests are limited to 14 or 15 specific CIP requirements that contain enabling language (“where technically feasible”).
- Entities will submit a “Part A” TFE request to the Region.
1. The Region has 60 days to initially accept or reject.
2. The entity will be able to remedy and resubmit a deficient TFE request.
3. Safe harbor is granted once the TFE request is accepted.

Technical Feasibility Exception – The TFE Approval Process

- The Region has one year to complete a comprehensive review of the TFE request for approval.
- The entity will be afforded the opportunity to remedy and resubmit a rejected TFE request.
- The entity will have to execute and maintain a remediation plan to achieve strict compliance.
- Rejection of the request, failure to maintain remediation, or failure to report periodically could void the safe harbor.

Technical Feasibility Exception – TFE Process (continued)

- TFE requests approved by the Region are subject to NERC review; NERC could override the Region's decision.
- Once approved, the entity must still maintain its remediation and reporting plans or risk loss of the safe harbor.
- The entity can request an amendment/modification to an accepted or approved TFE request.
1. The amendment is not effective until approved.
2. Rejection reverts to the previous version of the request.

CIP Standards Development

Version 2 pending before FERC:
- Minor revisions to address the time-critical aspects of Order 706.
- Eliminated use of “reasonable business judgment”.
- Minor, mostly non-controversial quick fixes.
Version 3 being developed:
- Concept paper published for comment.
- Requirements and security controls catalog beginning to be drafted.

CIP Standards Development – Expected Timeline

- Post first draft of CIP in December.
- Publish first revision and security controls catalog (CIP through CIP-009-3) in April.
- Publish final revisions to CIP through CIP, with implementation plan, for ballot in December.
- Big paradigm change; it will take some getting used to.

Questions?