A Gap Assessment led to a full internal controls development project with a large investor-owned utility serving the NY Metro Region.
NST began work in 2020 to complete a Gap Analysis and subsequent audit support for their 2020 NERC CIP Audit. NST reviewed all RSAW materials for the entire program and completed a Mock Audit on the standards expected for the upcoming Audit. NST specifically focused on whether the data collected would be fit for submittal and if it adequately answered all parts of the ReliabilityFirst version of the NERC CIP Evidence Request Tool (ERT) questions. After the Gap Analysis was completed, NST worked closely with the utility SMEs to review updates to procedures and evidence prior to the audit letter, reviewed actual audit evidence prior to submittal, assisted SMEs in preparing responses to audit questions and reviewed the audit report to verify the precision and accuracy of the contents before accepting the report. NST has also worked with this team to review their previous settlement agreement and provided feedback to Legal and Sr. Management to support their negotiations.
NST began working on an Internal Controls Development Project in early 2021. The entity had ample behavioral practices which supported CIP compliance and IT/OT security but lacked clarity on which activities were the key controls and lacked transparency into who was responsible for their performance. Moreover, they had limited documentation of the controls, which meant they could not take credit for “good hygiene” with their Regional Entity. NST successfully documented all of CIP-007 controls and trained SMEs on the process for capturing such controls for other CIP standards. Once SMEs were able to demonstrate capacity to support the further development of the project, NST took the lead as project manager and quality assurance advisor for the balance of the project.
This client has several business units, each with unique needs to support the overall compliance obligations across the portfolio of assets owned and operated under their umbrella. NST has supported day to day compliance tasks like the performance of patch management at generation sites, training and guidance on the appropriate methods for creating evidence for procurements in-scope to CIP-013, and is generally called upon during key decisions to be a sounding board to ensure continuous improvement of the program.
