CIP low impact: Quality evidence cheat sheet

By Lew Folkerth, Principal Reliability Consultant, External Affairs


This “cheat sheet” provides quick guidance for registered entities to gather and present quality evidence when they are audited to the NERC Reliability Standards. For a more in-depth look at gathering and presenting quality evidence, see Lew’s full article on this topic.

Questions your documentary evidence should answer:

Is the document credible? This is an assessment of the overall appearance of the document. Think of this as an indicator of the first impression an auditor might receive upon seeing the document. Does the appearance of the document help establish that it is genuine? Does the document appear to be altered?
What task was performed? Each document presented as evidence should help build a coherent, consistent picture of how you implement your compliance program, and how compliance advances your security posture. Be sure the task being documented is clearly stated.
Who performed the task? If there are questions about the task, who should be contacted?
Why was the task performed? What security or compliance need did the task support?
Which assets were affected by the task? An asset could be a physical Facility (such as a substation), a computer (Cyber Asset), or something else (such as roles and responsibilities lists). The evidence should indicate who or what was affected.
When was the task performed? Dates are critical in demonstrating compliance. In general, evidence without dates is weak evidence.
Who authorized the task? In security, and also compliance, it’s best to have multiple sets of eyes on any changes. A system of authorization and verification (the review, below) will add substantial credibility to the compliance evidence.
What was the state of the asset before the task was performed? One of the best methods of demonstrating that a task was performed is to show the state of the asset both before and after the task. Examples of this include: a) for a process or procedure document, a detailed version history is usually sufficient, although the prior version of the document should also be available if needed; b) for a software version update, keep dated evidence of the version numbers before and after the update; c) for Windows patches, keep a dated list of the installed KB numbers before and after the patch installation.
What was the state of the asset after the task was performed?
Was the result of the task reviewed, and if so, when and by whom? A strong compliance program will include monitoring the performance of the compliance tasks, and keeping records of this monitoring is a good practice.
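The before/after question above is easiest to answer when the snapshot itself records the who, what, when and which-asset details an auditor will ask about. The PowerShell below is an added example, not code from Lew Folkerth or the NERC cheat sheet: it captures a dated, attributable list of installed Windows KB numbers with a SHA-256 hash of the evidence file, and a second function verifies the hashes and reports what changed between the before and after snapshots. The evidence folder path and the change ticket id are placeholders you would replace with your own; Get-HotFix, Get-FileHash, Export-Csv and Compare-Object are standard cmdlets.

```powershell
# Added example (not from the original article). Assumptions: run on the audited
# host by an account allowed to query installed updates; $EvidenceRoot and the
# change ticket id are placeholders for your own evidence repository and ticket.
function New-PatchEvidenceSnapshot {
    param(
        [Parameter(Mandatory)][ValidateSet('before','after')][string]$Phase,
        [Parameter(Mandatory)][string]$ChangeTicket,
        [string]$EvidenceRoot = 'C:\Evidence\Patching'   # placeholder path
    )
    $null = New-Item -ItemType Directory -Path $EvidenceRoot -Force
    $taken = Get-Date
    $stamp = $taken.ToString('yyyyMMdd-HHmmss')
    $csvPath  = Join-Path $EvidenceRoot "$($env:COMPUTERNAME)-$ChangeTicket-$Phase-$stamp.csv"
    $hashPath = "$csvPath.sha256"

    # Every row carries asset, operator, timestamp, ticket and phase, so the file
    # answers the who/what/when/which questions on its own, without a cover note.
    Get-HotFix |
        Sort-Object HotFixID |
        Select-Object @{n='Asset';        e={ $env:COMPUTERNAME }},
                      @{n='CapturedBy';   e={ "$env:USERDOMAIN\$env:USERNAME" }},
                      @{n='CapturedAt';   e={ $taken.ToString('o') }},
                      @{n='ChangeTicket'; e={ $ChangeTicket }},
                      @{n='Phase';        e={ $Phase }},
                      HotFixID, Description, InstalledOn |
        Export-Csv -Path $csvPath -NoTypeInformation

    # Hash recorded at capture time lets a reviewer confirm the file was not altered later.
    $hash = (Get-FileHash -Path $csvPath -Algorithm SHA256).Hash
    "$hash  $(Split-Path $csvPath -Leaf)" | Set-Content -Path $hashPath
    [pscustomobject]@{ Csv = $csvPath; Sha256File = $hashPath; Sha256 = $hash }
}

function Compare-PatchEvidenceSnapshot {
    param(
        [Parameter(Mandatory)][string]$BeforeCsv,
        [Parameter(Mandatory)][string]$AfterCsv
    )
    # Integrity check first: a snapshot whose hash no longer matches is not evidence.
    foreach ($f in $BeforeCsv, $AfterCsv) {
        $expected = (Get-Content -Path "$f.sha256").Split(' ')[0]
        $actual   = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        if ($expected -ne $actual) { throw "Integrity check failed for $f" }
    }
    $before = @(Import-Csv -Path $BeforeCsv)
    $after  = @(Import-Csv -Path $AfterCsv)
    if ($before.Count -eq 0 -or $after.Count -eq 0) { throw 'Empty snapshot; nothing to compare' }
    if ($before[0].Asset -ne $after[0].Asset) { throw 'Snapshots are from different assets' }

    # '=>' means the KB is present only in the after snapshot (installed);
    # '<=' means it was present only before (removed).
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property HotFixID |
        Select-Object HotFixID,
                      @{n='Change'; e={ if ($_.SideIndicator -eq '=>') { 'Installed' } else { 'Removed' } }}
}

# Usage (placeholder ticket id; run once before and once after the patch window):
# $b = New-PatchEvidenceSnapshot -Phase before -ChangeTicket 'CHG-0000'
# ... apply patches and reboot ...
# $a = New-PatchEvidenceSnapshot -Phase after  -ChangeTicket 'CHG-0000'
# Compare-PatchEvidenceSnapshot -BeforeCsv $b.Csv -AfterCsv $a.Csv
```

Get-HotFix reads the Win32_QuickFixEngineering records, which cover OS updates but not every update type (for example, signature updates), so pair the snapshot with your patch-management tool's report if the audited requirement covers those. The comparison output is the "after" evidence; the two CSVs and their hash files are the "before" and "after" states the question above asks for.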


Lew Folkerth’s advice for keeping consistent quality for various types of documents you might use as evidence:

Document: Policies, plans, processes, and procedures
Evidence: Develop a standard template for this type of document that includes the document title, document revision number and date, company name or logo, applicable NCR numbers if you have multiple registrations, the person or group responsible for the document content, and the person, group or asset type the document applies to. Keep detailed revision histories and effective dates for each version of the document. For cyber security policies per CIP-003, make sure the CIP Senior Manager’s approval of each policy is clear and accompanied by the date of approval.

Document: Periodic actions, such as asset list reviews
Evidence: Dated documentation of actions performed is particularly important for periodic requirements. Ensure your documents clearly identify the action taken and the resulting changes, if any.

Document: Event-triggered actions, such as incident response
Evidence: Some of the CIP Standards require action based on a triggering event, such as incident response to a Cyber Security Incident, or a malware check for a Transient Cyber Asset. For these types of actions, I recommend that you use a checklist to ensure each required step of the applicable process or plan is performed. The checklist, when appropriately completed, signed, and dated, becomes your evidence of implementing the steps in your process or plan.

Document: Ongoing actions, such as access control
Evidence: For ongoing actions, such as managing a firewall ruleset to control electronic access to a Bulk Electric System asset, I suggest using a combination of change control and periodic review. The change control process will ensure that access control is not compromised by an unauthorized change, and the completed change control tickets will document this ongoing effort. The periodic review will ensure that old information is purged and current information is adequately documented.

Document: General considerations
Evidence: All documentary evidence should identify your company, should carry a date, and should be page numbered to show that the document is complete and no pages are missing.