
Cathy Bakk, Lead Compliance Program Coordinator: Notice of Audit (slide deck)



  1. Cathy Bakk, Lead Compliance Program Coordinator
     Notice of Audit Packet
     January 28, 2013 Compliance User Group (CUG) Meeting, Mesa, AZ

  2. Audit Frequency
     • 3-year cycle
       o Entities registered as a Balancing Authority (BA) or Transmission Operator (TOP)
     • 6-year cycle
       o All others
       o Entities declaring Critical Assets or Critical Cyber Assets will receive an On-site Audit

  3. Notice of Compliance Audit Packet
     • Notice of Audit Letter
     • Compliance Monitoring Authority Letter
     • Audit Team/Observers Biographies
     • Audit Team/Observers Confidentiality Agreements

  4. Notice of Compliance Audit Packet (continued)
     • Certification Letter
     • Pre-Audit Data Requests
     • Pre-Audit Survey
     • Reliability Standard Audit Worksheets (RSAWs)

  5. Notice of Compliance Audit
     • 90-Day Notice of Audit Letter
       o Sent 90 days prior to the start of your Audit
       o Details of your specific Audit
         - Audit Periods
         - Audit Scope
         - Due Dates
         - Audit Team Composition and observers (if applicable); observers may include FERC/NERC
         - Date/time of the proposed Pre-Audit Conference Call

  6. Audit Periods Defined
     • Operations & Planning (O&P)
       o June 18, 2007 – last day of Audit, OR
       o Day after previous Audit – last day of Audit
     • Cyber Security (CIP) (Version 3)
       o October 1, 2010 – last day of Audit, OR
       o Day after previous Audit – last day of Audit

  7. Notice of Compliance Audit Letter
     • Audit Team Composition
       o Primary Audit Team
         - Individuals expected to participate in the Audit
       o Alternate Audit Team
         - Individuals available to act as backups or replacements for Primary Team members
       o Observers (if applicable)
         - May include FERC/NERC

  8. Attachments A & B
     • Attachment A: Compliance Monitoring Authority Letter
       o Informational; explanation of Compliance Monitoring Authority
     • Attachment B: Audit Team/Observers Biographies
       o Short biographies of the WECC Audit Staff

  9. Attachments C & D
     • Attachment C: Audit Team/Observers Confidentiality Agreements
       o Signed Confidentiality Agreements of the WECC Audit Staff/Observers
     • Attachment D: RSAWs (Reliability Standard Audit Worksheets)
       o Customized for your Entity and your audit, based on your Registered Functions and AML

  10. Attachments E & F
      • Attachment E: Certification Letter
        o Must be printed on your company letterhead and signed by an Authorized Officer
        o Certifies that the information being provided for the Audit is accurate
      • Attachment F: Pre-Audit Survey
        o Verify contact information
        o Audit logistics
        o List any delegation agreements
        o Signed by an Authorized Officer

  11. Attachment G
      • Objectives
        o Clarifications for data submittals
        o Specifying the types of evidence expected, to remove some of the guesswork
        o Designed to help reduce the number of data requests

  12. Jennifer Salisbury, Compliance Program Coordinator
      Attachment G Break Down
      January 28, 2013 Compliance User Group (CUG) Meeting, Mesa, AZ

  13. Attachment G Break Down
      • Principal components
        o Pre-Audit Data Requests
        o Public Key Encryption
        o Audit Evidence Submittal
        o EFT File Naming Convention

  14. Pre-Audit Data Requests
      • CIP-003-3, R2 (RSAW)
        o R2. Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity's implementation of, and adherence to, Standards CIP-002-3 through CIP-009-3.
        o R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date.

  15. Pre-Audit Data Requests
      • CIP-003-3, R2 (Attachment G)
        o Documentation of the assignment of a CIP senior manager.
        o Evidence that changes to the CIP senior manager were documented within thirty calendar days of the effective date. If no changes were made during the audit period, a signed statement to that effect.

  16. Public Key Encryption
      • WECC strongly recommends utilizing public key encryption for Cyber Security documents
      • Email your certificate or public key to the Compliance Program Coordinator listed within Attachment G
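The deck recommends public key encryption for CIP evidence and an e-mail exchange of public keys, but it names no tool and says nothing about checking the key you received. The script below is an added example, not part of the WECC deck or any WECC tooling: it uses GnuPG (my choice of tool) to walk through the exchange from both sides. An e-mailed key can be substituted in transit, so the entity compares the key's fingerprint with a value confirmed out of band before encrypting; the evidence is signed as well as encrypted, and the receiving side rejects anything without a good signature. The two identities, the directory layout and the sample memo are assumptions for the demo, and the keys are generated with no passphrase only because they are throwaway. It also covers slide 24's remark that encrypted CIP folders are not zipped separately: gpg encrypts a single file, so the folder is tar'd first.

```shell
#!/bin/sh
# Added example (not from the WECC deck): encrypt and sign a CIP evidence
# folder to the auditor's public key with GnuPG 2.1+, after checking the key's
# fingerprint against a value confirmed out of band. Two throwaway keyrings
# stand in for the entity and the WECC Compliance Program Coordinator; the
# identities, paths and file names are assumptions for the demo.
set -eu

# Run gpg on an isolated keyring with no agent prompts (empty passphrase:
# acceptable for throwaway demo keys only, never for a real signing key).
g() {
  _home="$1"; shift
  gpg --homedir "$_home" --batch --yes --quiet \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint of a user id in a keyring, as a plain hex string.
fingerprint_of() {
  g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr/ { print $10; exit }'
}

# Full round trip in a fresh work dir: key setup, key exchange, encrypt+sign,
# decrypt+verify. Prints the directory where the verified evidence landed.
roundtrip() {
  work="${1:-$(mktemp -d)}"
  entity="$work/entity-gnupg"; wecc="$work/wecc-gnupg"
  mkdir -p "$entity" "$wecc"; chmod 700 "$entity" "$wecc"

  # 1. Each side has a key pair (generated here; in practice they already exist).
  g "$entity" --quick-generate-key "Entity CIP Senior Manager <cip@entity.example>" default default never
  g "$wecc"   --quick-generate-key "WECC Compliance Program Coordinator <compliancesupport@wecc.biz>" default default never

  # 2. Public keys travel by e-mail (Attachment G). E-mail is not authenticated,
  #    so the fingerprint is read back over the phone or on the pre-audit call;
  #    here the "phone" value is taken straight from WECC's own keyring.
  g "$wecc"   --armor --export compliancesupport@wecc.biz > "$work/wecc.pub.asc"
  g "$entity" --armor --export cip@entity.example        > "$work/entity.pub.asc"
  expected_fpr="$(fingerprint_of "$wecc" compliancesupport@wecc.biz)"

  g "$entity" --import "$work/wecc.pub.asc"
  got_fpr="$(fingerprint_of "$entity" compliancesupport@wecc.biz)"
  [ "$got_fpr" = "$expected_fpr" ] || { echo "fingerprint mismatch, refusing to encrypt" >&2; return 1; }

  # 3. Constructed evidence folder. gpg encrypts one file, so the folder is
  #    archived first (the deck's tool zips automatically on encryption).
  mkdir -p "$work/CIP-003-3/R2"
  printf 'CIP senior manager assignment memo (sample)\n' > "$work/CIP-003-3/R2/senior-manager-assignment.txt"
  tar -C "$work" -cf "$work/CIP-003-3.tar" CIP-003-3

  # 4. Encrypt to the verified WECC key and sign with the entity key in one pass.
  g "$entity" --trust-model always --recipient "$got_fpr" \
      --sign --encrypt --output "$work/CIP-003-3.tar.gpg" "$work/CIP-003-3.tar"

  # 5. WECC decrypts with its private key and checks the signature against the
  #    entity's e-mailed public key; anything but GOODSIG is rejected.
  g "$wecc" --import "$work/entity.pub.asc"
  recv="$work/received"; mkdir -p "$recv"
  g "$wecc" --trust-model always --status-fd 3 \
      --output "$recv/CIP-003-3.tar" --decrypt "$work/CIP-003-3.tar.gpg" 3>"$work/gpg-status.txt"
  grep -q '^\[GNUPG:\] GOODSIG ' "$work/gpg-status.txt" || { echo "signature did not verify" >&2; return 1; }
  tar -C "$recv" -xf "$recv/CIP-003-3.tar"
  echo "$recv"
}

if command -v gpg >/dev/null 2>&1; then
  echo "verified evidence extracted under $(roundtrip)"
else
  echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The fingerprint check is the step that matters: without it, whoever can alter an e-mail in transit can hand you a key they control and read every CIP document you upload. Signing costs nothing extra once both sides hold keys and lets the auditor tell a genuine submission from a forged one.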

  17. Audit Evidence Submittal
      • Avoid submitting individual files
      • Frequently used methods for submitting evidence
        o Adobe Portfolios
        o File Folders

  18. Audit Evidence Submittal
      • Adobe Portfolio suggestions
        o Master folder name is the Reliability Standard
        o Portfolio files for related standards in sub-folders named for the specific standard
        o Requirement folders within the PDF portfolio

  19. Audit Evidence Submittal
      (figure: portfolio master folder "COM")

  20. Audit Evidence Submittal
      • File Folder suggestions
        o Master folder name is the Reliability Standard
        o Sub-folders for all related standards
        o Additional sub-folders for requirements

  21. Audit Evidence Submittal
      (figure: master folder "COM" containing sub-folder "COM-001-1")

  22. Audit Evidence Submittal
      • RSAW suggestions
        o One file folder (zipped)
        o RSAWs must be submitted as Word documents
          - Auditor working tools for summarizing findings and notating evidence

  23. Audit Evidence Submittal
      (figure: folder "RSAWs")

  24. EFT File Naming Convention
      • File names
        o Must be under 200 characters, including sub-folders
      • Uploading file folders
        o Operations & Planning: zip the file folders
        o Encrypted file folders for CIP do not need to be zipped
        o Encrypting automatically zips the file folder
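Slides 20, 22 and 24 together describe a folder layout (Reliability Standard, then specific standard, then requirement), a zipped RSAWs folder of Word documents, and a 200-character limit on every path including sub-folders. A long path is easy to produce by accident once requirement folders are nested, and the EFT server will not tell you which file tripped it. The script below is an added example, not from the WECC deck or any WECC tool: it walks an evidence tree, reports every file that breaks one of those rules, and only zips the tree for the Audit Data folder when it is clean. The naming patterns (four-letter standard families, Rn or Rn.m requirement folders, .doc/.docx for RSAWs) and the sample tree with three planted mistakes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the WECC deck): pre-upload checks for an O&P evidence
# folder laid out as the slides suggest (Reliability Standard > specific
# standard > requirement > files, plus an RSAWs folder), enforcing the EFT
# rule that every path stays under 200 characters including sub-folders and
# that RSAWs are Word documents. Naming patterns and the sample tree are
# assumptions for illustration.
set -eu

MAX_PATH=200   # EFT limit from slide 24: under 200 characters, sub-folders included

# Print one line per problem under $1 (paths relative to $1); nothing means clean.
check_evidence_tree() {
  root="$1"
  ( cd "$root" && find . -type f | sed 's|^\./||' | LC_ALL=C sort ) | while IFS= read -r rel; do
    if [ "${#rel}" -ge "$MAX_PATH" ]; then
      printf '%s...: path is %d characters (must be under %d)\n' \
        "$(printf '%s' "$rel" | cut -c1-40)" "${#rel}" "$MAX_PATH"
    fi
    case "$rel" in
      RSAWs/*)
        case "$rel" in
          *.doc|*.docx) ;;
          *) printf '%s: RSAWs must be submitted as Word documents\n' "$rel" ;;
        esac ;;
      *)
        fam="${rel%%/*}"; rest="${rel#*/}"; std="${rest%%/*}"
        if ! printf '%s\n' "$rel" | grep -Eq '^[A-Z]{2,4}/[A-Z]{2,4}-[0-9]{3}-[0-9]+/R[0-9]+(\.[0-9]+)*/[^/]+$'; then
          printf '%s: expected <Standard>/<Standard-version>/<Rn>/<file>\n' "$rel"
        elif [ "${std%%-*}" != "$fam" ]; then
          printf '%s: %s does not belong under master folder %s\n' "$rel" "$std" "$fam"
        fi ;;
    esac
  done
}

# Zip the tree for the EFT "Audit Data" folder only if it passes the checks
# (O&P evidence is zipped; CIP evidence is encrypted instead, per slide 24).
package_for_eft() {
  root="$1"; out="$2"
  problems="$(check_evidence_tree "$root")"
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems" >&2
    echo "fix the problems above before uploading" >&2
    return 1
  fi
  ( cd "$root" && zip -qr "$out" . )
}

# Constructed sample tree with three deliberate mistakes.
make_sample_tree() {
  root="$1"
  long="$(awk 'BEGIN { for (i = 0; i < 190; i++) printf "x" }')"
  mkdir -p "$root/COM/COM-001-1/R1" "$root/COM/COM-002-2/R2" \
           "$root/CIP/CIP-003-3/R2" "$root/CIP/cip-005-3/R1" "$root/RSAWs"
  echo sample > "$root/COM/COM-001-1/R1/telecom-facilities-inventory.pdf"
  echo sample > "$root/CIP/CIP-003-3/R2/senior-manager-assignment.pdf"
  echo sample > "$root/RSAWs/CIP-003-3_RSAW.docx"
  echo sample > "$root/RSAWs/COM-001-1_RSAW.pdf"          # wrong: not a Word document
  echo sample > "$root/CIP/cip-005-3/R1/esp-diagram.pdf"   # wrong: lower-case standard name
  echo sample > "$root/COM/COM-002-2/R2/$long.pdf"         # wrong: path of 211 characters
}

demo="$(mktemp -d)"
make_sample_tree "$demo"
check_evidence_tree "$demo"
```

Run against the sample tree it prints three lines, one per planted mistake; run against a real evidence folder before upload it prints nothing when the layout matches the slides, and package_for_eft refuses to produce the zip otherwise. The length check counts the path relative to the master folder, which is what lands on the EFT server.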

  25. EFT File Naming Convention
      • EFT Server file folder structure
        o Audit Data folder is for entity uploads
        o WECC Notification folder is for WECC use only
      • Credential concerns and set-up requests should be emailed to: compliancesupport@wecc.biz

  26. Recommendations
      • Know the Reliability Standards
      • Use the RSAWs and Attachment G as guides
      • Participate in Outreach (CUG/CIPUG)
      • Most important, we are here for you…
        o Questions
        o Comments
        o Concerns

  27. Helpful Links
      • NERC Standards
        o http://www.nerc.com/page.php?cid=2|20
      • WECC website
        o http://www.wecc.biz/compliance/United_States/Pages/default.aspx
      • WECC Electronic Systems
        o http://www.wecc.biz/compliance/ElectronicSystems/Pages/default.aspx

  28. Questions?
