
EMS Users Group – CIP Standards






Presentation Transcript


  1. EMS Users Group – CIP Standards The Compliance Audits Are Coming… Are You Ready?

  2. Compliance Program
     • Currently spot checking “AC” requirements
     • Applicable Standard(s) and Requirement(s):

  3. Compliance Program
     • Expected Spot Check Schedule
       • Table 1 entities (RC + BA, TOP – Subject to 1200)
         • 13 requirements through 6/30/2010
         • All requirements beginning 7/1/2010
       • Table 2 entities (TSP, RRO, NERC + BA, TOP – Not subject to 1200)
         • All requirements beginning 7/1/2010
       • Table 3 entities (IA, TO, GO, GOP, LSE)
         • All requirements beginning 1/1/2011

  4. Compliance Program
     • Considerations
       • Any “Compliant” requirement can be spot-checked
       • Verify or confirm self-certifications
       • Verify or confirm self-reports of non-compliance
       • Verify or confirm periodic data submittals
       • In response to system events or operating problems
       • Can expand scheduled spot check scope as necessary
         • Audit uncovers possible non-compliance of requirement not in original scope

  5. Expectations
     • The audited entity has the obligation to demonstrate compliance
       • Sufficient, appropriate, and adequate documentation
       • Demonstrate sustained compliance
     • The auditor
       • Starts with neutral position
       • Seeks additional evidence as necessary to make compliance determination

  6. Approach
     • Entity completes Q/RSAWs and possibly supplemental questions prior to on-site audit or spot check.
     • Entity may be asked to submit certain evidence in advance of on-site audit or spot check.
     • Certain requirements will be statistically sampled during audit or spot check.

  7. How to prepare
     • Starting now
       • Consider pre-audit (internal or third-party) review
       • Build culture of compliance into your processes
     • Upon notice
       • Collect evidence of compliance
       • Identify subject matter experts
     • During audit
       • Be prepared to supply additional evidence

  8. Some Issues
     • Annual means 12 months, not calendar year.
     • Periodic reviews/approvals need to be date stamped as well as signed.
     • Authorized access needs evidence of authorization/approval.
     • A request is not the same as an action.
     • Electronic records can replace paper as long as all requirements are met.

  9. An Example – CIP-004/R4
     • The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
     • How do you prove that the list is complete?
     • How do you prove that the list is accurate?
     • How do you prove access was authorized?

  10. An Example – CIP-004/R4
     • You can maintain paper records
       • Possible reconciliation issues with reality
       • Need evidence of actions, not requests
       • Need evidence of approvals
     • You can rely on the access control systems to maintain records
       • Need date-stamped transaction logs
       • Still need to demonstrate approvals
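The three proof questions on the CIP-004/R4 slides (is the list complete, is it accurate, was access authorized) and the "annual means 12 months" and "date stamped as well as signed" points from the Some Issues slide can all be checked mechanically once the access list, the approval records and the access control system's transaction log are date-stamped and machine-readable. The script below is an added example for this transcript; it is not the presenter's material and not a NERC or regional tool. The record layouts, the people, the asset names and every date are constructed assumptions, not exports from any real system.

```python
"""Reconcile a CIP-004 R4 authorized-access list against date-stamped
access-control-system (ACS) transaction logs and approval records.

Added example for this transcript; it is not the presenter's material and
not a NERC or regional tool. Record layouts, asset names, people and dates
are constructed assumptions, not exports from any real system.
"""
from datetime import date

# --- Constructed sample data (assumptions, not real records) ---------------

# The maintained list of personnel with authorized access (the R4 list).
ACCESS_LIST = [
    {"person": "alice", "asset": "ems-scada-01", "right": "electronic"},
    {"person": "bob",   "asset": "ems-scada-01", "right": "electronic"},
    {"person": "carol", "asset": "control-room", "right": "physical"},
    {"person": "eve",   "asset": "ems-scada-01", "right": "electronic"},
]

# Date-stamped, signed approvals: the evidence that access was authorized.
APPROVALS = [
    {"person": "alice", "asset": "ems-scada-01", "approved_on": date(2009, 3, 2),  "approver": "mgr1"},
    {"person": "carol", "asset": "control-room", "approved_on": date(2009, 5, 20), "approver": "mgr2"},
    {"person": "eve",   "asset": "ems-scada-01", "approved_on": date(2009, 6, 10), "approver": "mgr1"},
    # bob: a request exists on paper, but no approval was ever recorded.
]

# Date-stamped ACS transaction log: the actions the system actually took.
ACS_LOG = [
    {"ts": date(2009, 3, 3),  "action": "grant",  "person": "alice", "asset": "ems-scada-01"},
    {"ts": date(2009, 3, 3),  "action": "grant",  "person": "bob",   "asset": "ems-scada-01"},
    {"ts": date(2009, 5, 21), "action": "grant",  "person": "carol", "asset": "control-room"},
    {"ts": date(2009, 6, 1),  "action": "grant",  "person": "dave",  "asset": "ems-scada-01"},  # never listed
    {"ts": date(2009, 6, 5),  "action": "grant",  "person": "eve",   "asset": "ems-scada-01"},  # before approval
    {"ts": date(2009, 7, 1),  "action": "revoke", "person": "carol", "asset": "control-room"},  # list not updated
]


def effective_access(acs_log):
    """Replay grant/revoke transactions in date order to get who has access now."""
    current = set()
    for entry in sorted(acs_log, key=lambda e: e["ts"]):
        key = (entry["person"], entry["asset"])
        if entry["action"] == "grant":
            current.add(key)
        elif entry["action"] == "revoke":
            current.discard(key)
    return current


def latest_grant_dates(acs_log):
    """Most recent grant date per (person, asset) pair."""
    dates = {}
    for entry in acs_log:
        if entry["action"] == "grant":
            key = (entry["person"], entry["asset"])
            dates[key] = max(dates.get(key, entry["ts"]), entry["ts"])
    return dates


def reconcile(access_list, approvals, acs_log):
    """Return the three findings an auditor would ask about.

    not_on_list: ACS grants access the list does not show (list incomplete)
    not_in_acs:  list shows access the ACS no longer grants (list inaccurate)
    unapproved:  access in force with no approval dated on or before the grant
    """
    listed = {(row["person"], row["asset"]) for row in access_list}
    actual = effective_access(acs_log)
    granted_on = latest_grant_dates(acs_log)
    earliest_approval = {}
    for app in approvals:
        key = (app["person"], app["asset"])
        earliest_approval[key] = min(earliest_approval.get(key, app["approved_on"]), app["approved_on"])
    unapproved = sorted(
        key for key in actual
        if key not in earliest_approval or earliest_approval[key] > granted_on[key]
    )
    return {
        "not_on_list": sorted(actual - listed),
        "not_in_acs": sorted(listed - actual),
        "unapproved": unapproved,
    }


def annual_deadline(last_review):
    """Twelve months after the last review, not the end of the next calendar year."""
    try:
        return last_review.replace(year=last_review.year + 1)
    except ValueError:  # Feb 29 has no same-day anniversary in a common year
        return last_review.replace(year=last_review.year + 1, day=28)


def review_is_current(last_review, as_of):
    """True when the periodic review falls within the twelve months before as_of."""
    return last_review <= as_of <= annual_deadline(last_review)


if __name__ == "__main__":
    for finding, pairs in reconcile(ACCESS_LIST, APPROVALS, ACS_LOG).items():
        print(f"{finding}: {pairs}")
    # Reviewed in January 2009 and audited in February 2010: a review in each
    # calendar year, but more than twelve months apart.
    print("review current:", review_is_current(date(2009, 1, 15), date(2010, 2, 1)))
```

With the constructed data the run flags dave (granted by the ACS, absent from the list), carol (still on the list after the ACS revoked her badge), bob (granted with no approval on file) and eve (approved five days after the grant, so the approval documents a request that had already been actioned). The last check shows why "annual" is measured from the date stamp of the previous review rather than by calendar year.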

  11. Technical Feasibility Exception
     • Interim guidance issued July 1, 2009
     • Regions, not NERC, will manage process.
     • NERC has oversight role.
     • Regions working with NERC to develop a workable solution.
     • Interim guidance will be revised and reissued, possibly on or about September 21, 2009.
     • Region/NERC solution will be forwarded to FERC for approval.

  12. Technical Feasibility Exception
     • The TFE Process (as currently expected)
       • TFE requests limited to 14 or 15 specific CIP requirements that contain enabling language.
       • Entities will submit a “Part A” TFE request to the Region.
       • Region has 60 days to initially accept or reject.
       • Entity will be able to remedy/resubmit a deficient TFE request.
       • Safe Harbor granted once TFE request is accepted.

  13. Technical Feasibility Exception
     • The TFE Approval Process
       • Region has one year to complete comprehensive review of TFE request for approval.
       • Entity will be afforded opportunity to remedy and resubmit a rejected TFE request.
       • Entity will have to execute and maintain a remediation plan to achieve strict compliance.
       • Rejection of request, failure to maintain remediation, or failure to report periodically could void safe harbor.

  14. Technical Feasibility Exception
     • TFE Process
       • TFE Requests approved by Region subject to NERC review
         • NERC could override Region decision.
       • Once approved, entity must still maintain remediation and reporting plans or risk loss of safe harbor.
       • Entity can request amendment/modification to accepted or approved TFE request.
         • Amendment not effective until approved.
         • Rejection reverts to previous version of request.

  15. CIP Standards Development
     • Version 2 pending before FERC
       • Minor revisions to address time-critical aspects of Order 706.
       • Eliminated use of reasonable business judgment.
       • Minor, mostly non-controversial quick fixes.
     • Version 3 being developed
       • Concept paper published for comment.
       • Requirements and security controls catalog beginning to be drafted.

  16. CIP Standards Development
     • Expected Timeline
       • Post first draft of CIP-002-3 in December 2009.
       • Publish first revision and security controls catalog (CIP-003-3 through CIP-009-3) in April 2010.
       • Publish final revisions to CIP-002-3 through CIP-009-3 with implementation plan for ballot in December 2010.
     • Big paradigm change. Will take some getting used to.

  17. Questions?
