Ensure a Mutual Understanding of the Scope. All of the variables involved in CIP compliance and audits—different audit teams, imprecise standards, different interpretations of the requirements and very different environments to be audited—contribute to potentially unpredictable audit results. These variables can be counteracted by achieving a clear and mutual understanding of what is in scope for the audit and of which auditor actions will and will not be allowed. While your attempt to accomplish this with the audit teams may meet with limited success, at the very least make sure your teams are aware of what will be expected of them and what they should expect of the auditors.
Define Actions that Are and Are Not Allowed. Do not assume that auditors will ask to see or do something only when necessary. For example, auditors should never need to see a password to verify its complexity. If you show a password to an auditor to prove compliance with CIP-007-2a R5.2, then it must be changed immediately. If you do not, you will not be in compliance. Instead of showing passwords to prove they meet complexity requirements, you can provide examples of acceptable passwords and show how the default password no longer works.
Auditors should also never need to "test" physical controls. Trying to see if a cover is anchored securely by yanking on it is more akin to a penetration test than to standard audit practice. Auditors should not damage property or ask that security controls be circumvented in order to assure themselves that the controls are adequate.
Auditors should observe and record, not "penetrate." Nor should auditors ask your personnel to do something that violates your organization's established processes or policies. You should not need to dismantle your infrastructure to prove your compliance, and an audit team should not need power tools to complete an audit.
Conducting a pre-audit walk-through really pays off. If you have never been audited, a walk-through will show what kind of effort your organization will need to ensure success. Many companies do not realize that all assets are fair game. A pre-assessment of a sample of assets is not audit preparation; you need to check all of your assets.
And, by the way, the above examples were not fabricated.
There are always electronic security perimeter diagram typos. Be prepared to double-check your work and documentation in minute detail. While a typo may be trivial, an auditor may think it is evidence of sloppy work and bad documentation.
The same internal teams should be used to work the pre-audit and then the actual audit. Everyone gets used to the process, and they are much less likely to get flustered or to be inconsistent with the audit team.
Protect your critical assets. Auditors do not need to do anything that may compromise the bulk electric system, and auditors should be subject to all the safety and security rules you have in place.
If you refuse to let an auditor take an action that is in violation of your safety or security controls, be prepared to help them achieve their objective using acceptable methods.
Do not exempt the auditors or pre-audit assessors from standard safety briefings. Not only is that good policy, but the audit team also expects it. Requiring EVERYONE to be trained on and to follow policy and procedures also focuses the company's team, and where CIP is concerned, focus is exactly what is required.
Phil Marasco, CISSP, ISON, LLC, Phil.Marasco@ison.com
Jay Abshier, CISSP, Sentigy, firstname.lastname@example.org