My time at NERC had me involved with quite a few projects over my seven-year career there. I was involved with CIP compliance audits, investigations, auditor training, and many advisory sessions. Typically, I was advising entities across North America on different tactics, techniques, and insight from best practices I have seen. I wanted to share a few of the dos and don’ts during my experience out in the field.
8) Do Practice a Mock Audit
You will be audited. I cannot believe how many times I would walk into an entity and find out they had never performed a mock audit with their staff. They didn’t know the types of questions they would be asked, the evidence to produce, or the responses they should prepare for. Everyone was yelling at each other. IT was a mess. Don’t let these be your entity, and make sure you practice several mock audits to understand where you may have some weaknesses. If you do nothing else listed here, this is highly recommended.
7) Don’t Lawyer up Every Conversation
While having lawyers is very important for any dispute, settlement, or compliance program process, they aren’t always the best to be the front line on answering questions. For example, you don’t want your corporate attorney to answer technical questions on how your ESP are designed and configured.
6) Do Show Your Work
A lot of times, I would see an entity provide evidence of results. Sometimes you will hear auditors ask to see how you got to your results. A great example here is a Cyber Vulnerability Assessment or CVA.
One time, I remember hearing an entity perform their CVA and get a pile of results/action items to fix. They then showed a piece of paper that said “Results” and had a completed check mark. When the auditors asked how they completed some of these tasks or if they could see the steps they went through to get this result, the entity had no answers. They couldn’t even confirm that all of the CVA findings were fixed because they didn’t have documentation for themselves.
5) Don’t Redact all Your Documentation and Evidence
The goal of the auditor is to help your entity demonstrate compliance to the NERC CIP standards, not to find areas of non-compliance.
I have been on audits where the entity would not even allow the auditors to view evidence by themselves – it had to be on an entity-owned machine with limited access and documents that were mostly blacked out information. All this did was extend the audit another week and create a starting point for more questions.
Please help the auditors by making evidence accessible and useful.
4) Do be Polite and Patient
When an auditor asks for information, they are usually just trying to get an understanding of your environment. This isn’t a court hearing. The audit team is just trying to gain an understanding of the entire picture because they don’t know your environment as well as you do.
They may also not be familiar with certain acronyms, diagrams and other procedures at your organization. Take your time and explain to them since they will help tell your story of compliance.
3) Don’t Scramble for Documentation
A perfect example here was always exemplified during CIP-004 R2 and R1 training and awareness program records. The CIP training standards dictate that authorized staff with unescorted physical or electronic access to BES Cyber Assets, otherwise known as BCAs, must go through a NERC CIP compliance training program. The NERC CIP security awareness program requirements under R1 just simply say you need to prove that you made a program aware to the staff and personnel in scope. Seems easy, but it’s not unless you work together with your departments.
Any of your staff, contractors, vendors, and even cleaning crew might fall into the scope of this requirement. Make sure you have reports and records of your security awareness training program content available during the audit scope so that you are not scrambling during the audit. Every department is going to have a different set of personnel to make sure it is compliant.
2) Do Listen to CIP Auditors’ Advice
I have worked with the CIP audit and compliance teams in every region across North America. Your auditors have a lot of experience. They have seen more implementations, configurations, environments and procedures than you could ever imagine.
Listen to them if they talk about best practices or advice for additional approaches towards demonstrating compliance. Sometimes it can really help open your eyes to a different point of view.
1) Don’t Argue Over Every Word
During old CIP Version 3 audits, I have seen words like “significant,” “annual” and other non-defined terms used in every possible way you could imagine. Of course, some of that language has been cleaned up in the modern CIP standards, but you get the point. If you do have an undefined term, ensure you define it somewhere in your internal documents to show the audit team what you mean. Listen to best practices across your region and from NERC. Don’t try and re-invent the wheel.
These are just some basic tips I have personally experienced along the way. Audits are going to be tough no matter how prepared you are. Knowing that going in is half the battle. Make sure you have a plan, get your employees to communicate that plan, and execute. If every program was perfect, we wouldn’t need these types of compliance regulations. Mistakes happen, and how you learn from these mistakes is the goal of a successful compliance program.
Learn more about how Tripwire can help make your NERC CIP audit simpler, including insights on generating RSAWs and responding appropriately to pre-audit requests, by downloading a new paper here.
About the Author: Nick Santora is the CEO of Curricula, a cyber security education company located in Atlanta, GA. Curricula provides cyber security awareness training and NERC CIP compliance training solutions using an innovative story based learning approach. You can follow Curricula on Twitter @Curricula or check out their website at www.GetCurricula.com
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.