Cathy Bakk Lead Compliance Program Coordinator Notice of Audit - - PowerPoint PPT Presentation



Slide 1

Cathy Bakk, Lead Compliance Program Coordinator
Notice of Audit Packet
January 28, 2013 Compliance User Group (CUG) Meeting, Mesa, AZ

Slide 2: Audit Frequency

  • 3 year cycle
    • Entities registered as a Balancing Authority (BA) or Transmission Operator (TOP)
  • 6 year cycle
    • All others
  • Entities declaring Critical Assets or Critical Cyber Assets will be an On-site Audit

Slide 3: Notice of Compliance Audit Packet

  • Notice of Audit Letter
  • Compliance Monitoring Authority Letter
  • Audit Team/Observers Biographies
  • Audit Team/Observers Confidentiality Agreements

Slide 4: Notice of Compliance Audit Packet

  • Certification Letter
  • Pre-Audit Data Requests
  • Pre-Audit Survey
  • Reliability Standard Audit Worksheets (RSAWs)

Slide 5: Notice of Compliance Audit

  • 90-Day Notice of Audit Letter
    • Sent 90 days prior to the start of your Audit
    • Details of your specific Audit
      • Audit Periods
      • Audit Scope
      • Due Dates
      • Audit Team Composition, observers (if applicable); observers may include FERC/NERC
      • Date/time of proposed Pre-Audit Conference Call

Slide 6: Audit Periods Defined

  • Operations & Planning (O&P)
    • June 18, 2007 – last day of Audit, OR
    • Day after previous Audit – last day of Audit
  • Cyber Security (CIP) (Version 3)
    • October 1, 2010 – last day of Audit, OR
    • Day after previous Audit – last day of Audit

Slide 7: Notice of Compliance Audit Letter

  • Audit Team Composition
    • Primary Audit Team: individuals expected to participate in the Audit
    • Alternate Audit Team: individuals available to act as backup or replacements for Primary Team members
    • Observers (if applicable): may include FERC/NERC

Slide 8: Attachments A & B

  • Attachment A: Compliance Monitoring Authority Letter
    • Informational; explanation of Compliance Monitoring Authority
  • Attachment B: Audit Team/Observers Biographies
    • Short biographies of the WECC Audit Staff

Slide 9: Attachments C & D

  • Attachment C: Audit Team/Observers Confidentiality Agreements
    • Signed Confidentiality Agreements of the WECC Audit Staff/Observers
  • Attachment D: RSAWs (Reliability Standard Audit Worksheets)
    • Customized for your Entity and your audit, based on your Registered Functions and AML

Slide 10: Attachments E & F

  • Attachment E - Certification Letter
    • Must be printed on your company letterhead and signed by an Authorized Officer
    • Certifies that the information being provided for the Audit is accurate
  • Attachment F - Pre-Audit Survey
    • Verify contact information
    • Audit logistics
    • List any delegation agreements
    • Signed by Authorized Officer

Slide 11: Attachment G

  • Objectives
    • Clarifications for data submittals
    • Specifying types of evidence to remove some of the guess work
    • Designed to help reduce the number of data requests

Slide 12

Jennifer Salisbury, Compliance Program Coordinator
Attachment G Break Down
January 28, 2013 Compliance User Group (CUG) Meeting, Mesa, AZ

Slide 13: Attachment G Break Down

  • Principal Components
    • Pre-Audit Data Requests
    • Public Key Encryption
    • Audit Evidence Submittal
    • EFT File Naming Convention

Slide 14: Pre-Audit Data Requests

  • CIP-003-3, R2 (RSAW)
    • R2. Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-3 through CIP-009-3.
    • R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date.

Slide 15: Pre-Audit Data Requests

  • CIP-003-3, R2 (Att G)
    • Documentation of the assignment of a CIP senior manager.
    • Evidence that changes to the CIP senior manager were documented within thirty calendar days of the effective date. If no changes were made during the audit period, a signed statement with those details.

Slide 16: Public Key Encryption

  • WECC strongly recommends utilizing public key encryption for Cyber Security Documents
  • Email your certificate or public key to the Compliance Program Coordinator listed within Attachment G

Slide 17: Audit Evidence Submittal

  • Avoid submitting individual files
  • Frequently used methods for submitting evidence
    • Adobe Portfolios
    • File Folders

Slide 18: Audit Evidence Submittal

  • Adobe Portfolio Suggestions
    • Master folder name is the Reliability Standard
    • Portfolio files for related standards in sub-folders with specific standard name
    • Requirement folders within the PDF portfolio

Slide 19: Audit Evidence Submittal

[Screenshot; visible folder label: COM]

Slide 20: Audit Evidence Submittal

  • File Folder Suggestions
    • Master folder name is the Reliability Standard
    • Sub-folders for all related standards
    • Additional sub-folders for requirements

Slide 21: Audit Evidence Submittal

[Screenshot; visible folder labels: COM, COM-001-1]

Slide 22: Audit Evidence Submittal

  • RSAW Suggestions
    • One file folder (zipped)
    • RSAWs must be submitted as a Word document
    • Auditor working tools for summarizing findings and notating evidence

Slide 23: Audit Evidence Submittal

[Screenshot; visible folder label: RSAWs]

Slide 24: EFT File Naming Convention

  • File Names
    • Must be under 200 characters, including sub-folders
  • Uploading File Folders
    • Operations & Planning: zip the file folders
    • Encrypted file folders for CIP do not need to be zipped
      • Encrypting automatically zips the file folder
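A pre-upload check for the evidence layout described on the file-folder and file-name slides (master folder per Reliability Standard family, sub-folder per related standard, requirement sub-folders, every path including sub-folders under 200 characters). This is an added example, not WECC tooling; the standard-id and requirement-id patterns and the sample paths are assumptions constructed for illustration.

```python
"""Validate an audit-evidence folder tree before uploading it to the EFT server.
Added example; the id patterns and sample paths below are assumptions."""
import re

MAX_PATH_CHARS = 200                                # "under 200 characters, including sub-folders"
STANDARD_ID = re.compile(r"^[A-Z]{3}-\d{3}-\d+$")   # assumed form, e.g. COM-001-1
REQUIREMENT_ID = re.compile(r"^R\d+(\.\d+)*$")      # assumed form, e.g. R2 or R2.2


def check_evidence_tree(paths):
    """Return a list of (path, problem) findings for relative file paths that use
    '/' separators, e.g. 'COM/COM-001-1/R2/evidence.pdf'. An empty list means
    every path follows the suggested layout and the length limit."""
    findings = []
    for path in paths:
        if len(path) >= MAX_PATH_CHARS:
            findings.append((path, f"path length {len(path)} is not under {MAX_PATH_CHARS}"))
        parts = path.split("/")
        if len(parts) < 4:
            findings.append((path, "expected family/standard-id/requirement/file"))
            continue
        family, standard, requirement = parts[0], parts[1], parts[2]
        if not STANDARD_ID.match(standard):
            findings.append((path, f"sub-folder {standard!r} is not a standard id"))
        elif not standard.startswith(family + "-"):
            findings.append((path, f"standard {standard} is filed under family folder {family}"))
        if not REQUIREMENT_ID.match(requirement):
            findings.append((path, f"folder {requirement!r} is not a requirement id"))
    return findings


# Constructed sample submission: four well-formed paths and three that break a rule.
SAMPLE_PATHS = [
    "COM/COM-001-1/R1/dispatch_log.pdf",
    "COM/COM-001-1/R2/communications_procedure.pdf",
    "CIP/CIP-003-3/R2/senior_manager_assignment.pdf",
    "CIP/CIP-003-3/R2.2/senior_manager_change_record.pdf",
    "COM/COM-002-2/evidence.pdf",                  # no requirement sub-folder
    "CIP/COM-001-1/R1/misfiled.pdf",               # COM standard under the CIP family
    "CIP/CIP-003-3/R2/" + "x" * 190 + ".pdf",      # 211 characters, over the limit
]

if __name__ == "__main__":
    for path, problem in check_evidence_tree(SAMPLE_PATHS):
        print(f"{problem}: {path}")
```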

Slide 25: EFT File Naming Convention

  • EFT Server File Folder Structure
    • Audit Data folder is for entity uploads
    • WECC Notification folder is for WECC use only
  • Credential concerns and set up requests should be emailed to: compliancesupport@wecc.biz

Slide 26: Recommendations

  • Know the Reliability Standards
  • Use the RSAWs and Attachment G as guides
  • Participate in Outreach (CUG/CIPUG)
  • Most important, we are here for you…
    • Questions
    • Comments
    • Concerns

Slide 27: Helpful Links

  • NERC Standards
    • http://www.nerc.com/page.php?cid=2|20
  • WECC website
    • http://www.wecc.biz/compliance/United_States/Pages/default.aspx
  • WECC Electronic Systems
    • http://www.wecc.biz/compliance/ElectronicSystems/Pages/default.aspx

Slide 28

Questions?