Notice of Audit Packet
Cathy Bakk, Lead Compliance Program Coordinator
January 28, 2013 Compliance User Group (CUG) Meeting, Mesa, AZ
Audit Frequency
• 3 year cycle
  o Entities registered as a Balancing Authority (BA) or Transmission Operator (TOP)
• 6 year cycle
  o All others
  o Entities declaring Critical Assets or Critical Cyber Assets will be an On-site Audit
Notice of Compliance Audit Packet
• Notice of Audit Letter
• Compliance Monitoring Authority Letter
• Audit Team/Observers Biographies
• Audit Team/Observers Confidentiality Agreements
Notice of Compliance Audit Packet
• Certification Letter
• Pre-Audit Data Requests
• Pre-Audit Survey
• Reliability Standard Audit Worksheets (RSAWs)
Notice of Compliance Audit
• 90-Day Notice of Audit Letter
  o Sent 90 days prior to the start of your Audit
  o Details of your specific Audit
      Audit Periods
      Audit Scope
      Due Dates
      Audit Team Composition, observers (if applicable)
        Observers may include FERC/NERC
      Date/time of proposed Pre-Audit Conference Call
Audit Periods Defined
• Operations & Planning (O&P)
  o June 18, 2007 – last day of Audit, OR
  o Day after previous Audit – last day of Audit
• Cyber Security (CIP) (Version 3)
  o October 1, 2010 – last day of Audit, OR
  o Day after previous Audit – last day of Audit
Notice of Compliance Audit Letter
• Audit Team Composition
  o Primary Audit Team
      Individuals expected to participate in the Audit
  o Alternate Audit Team
      Individuals available to act as backup or replacements for Primary Team members
  o Observers (if applicable)
      May include FERC/NERC
Attachments A & B
• Attachment A
  o Compliance Monitoring Authority Letter
      Informational; explanation of Compliance Monitoring Authority
• Attachment B
  o Audit Team/Observers Biographies
      Short biographies of the WECC Audit Staff
Attachments C & D
• Attachment C
  o Audit Team/Observers Confidentiality Agreements
      Signed Confidentiality Agreements of the WECC Audit Staff/Observers
• Attachment D
  o RSAWs (Reliability Standard Audit Worksheets)
      Customized for your Entity and your audit
      Based on your Registered Functions and AML
Attachments E & F
• Attachment E - Certification Letter
  o Must be printed on your company letterhead and signed by an Authorized Officer
  o Certifies that the information being provided for the Audit is accurate
• Attachment F - Pre-Audit Survey
  o Verify contact information
  o Audit Logistics
  o List any delegation agreements
  o Signed by Authorized Officer
Attachment G
• Objectives
  o Clarifications for data submittals
  o Specifying types of evidence to remove some of the guesswork
  o Designed to help reduce the number of data requests
Attachment G Break Down
Jennifer Salisbury, Compliance Program Coordinator
January 28, 2013 Compliance User Group (CUG) Meeting, Mesa, AZ
Attachment G Break Down
• Principal Components
  o Pre-Audit Data Requests
  o Public Key Encryption
  o Audit Evidence Submittal
  o EFT File Naming Convention
Pre-Audit Data Requests
• CIP-003-3, R2 (RSAW)
  o R2. Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-3 through CIP-009-3.
  o R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date.
Pre-Audit Data Requests
• CIP-003-3, R2 (Att G)
  o Documentation of the assignment of a CIP senior manager.
  o Evidence that changes to the CIP senior manager were documented within thirty calendar days of the effective date. If no changes were made during the audit period, a signed statement with those details.
Public Key Encryption
• WECC strongly recommends utilizing public key encryption for Cyber Security Documents
• Email your certificate or public key to the Compliance Program Coordinator listed within Attachment G
Audit Evidence Submittal
• Avoid submitting individual files
• Frequently used methods for submitting evidence
  o Adobe Portfolios
  o File Folders
Audit Evidence Submittal
• Adobe Portfolio Suggestions
  o Master folder name is the Reliability Standard
  o Portfolio files for related standards in sub-folders with the specific standard name
  o Requirement folders within the PDF portfolio
Audit Evidence Submittal
[Screenshot: example Adobe Portfolio structure, master folder COM]
Audit Evidence Submittal
• File Folder Suggestions
  o Master folder name is the Reliability Standard
  o Sub-folders for all related standards
  o Additional sub-folders for requirements
Audit Evidence Submittal
[Screenshot: example file folder structure, master folder COM with sub-folder COM-001-1]
Audit Evidence Submittal
• RSAW Suggestions
  o One file folder (zipped)
  o RSAWs must be submitted as a Word document
      Auditor working tools for summarizing findings and notating evidence
Audit Evidence Submittal
[Screenshot: example RSAWs folder]
EFT File Naming Convention
• File Names
  o Must be under 200 characters, including sub-folders
• Uploading File Folders
  o Operations & Planning: zip the file folders
  o Encrypted file folders for CIP do not need to be zipped
  o Encrypting automatically zips the file folder
EFT File Naming Convention
• EFT Server File Folder Structure
  o Audit Data folder is for entity uploads
  o WECC Notification folder is for WECC use only
• Credential concerns and set up requests should be emailed to: compliancesupport@wecc.biz
Recommendations
• Know the Reliability Standards
• Use the RSAWs and Attachment G as guides
• Participate in Outreach (CUG/CIPUG)
• Most important, we are here for you…
  o Questions
  o Comments
  o Concerns
Helpful Links
• NERC Standards
  o http://www.nerc.com/page.php?cid=2|20
• WECC website
  o http://www.wecc.biz/compliance/United_States/Pages/default.aspx
• WECC Electronic Systems
  o http://www.wecc.biz/compliance/ElectronicSystems/Pages/default.aspx
Questions?