CIP-003_Workbook_10152019

CIP-003-7 - Cyber Security — Security Management Controls

C. Compliance

1. Compliance Monitoring Process

1.1. Compliance Enforcement Authority: As defined in the NERC Rules of Procedure, “Compliance Enforcement Authority” (CEA) means NERC or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.

1.2. Evidence Retention: The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the CEA may ask an entity to provide other evidence to show that it was compliant for the full time period since the last audit.

The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation:

• Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years.
• If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved or for the time specified above, whichever is longer.
• The CEA shall keep the last audit records and all requested and submitted subsequent audit records.

1.3. Compliance Monitoring and Assessment Processes:

• Compliance Audits
• Self-Certifications
• Spot Checking
• Compliance Investigations
• Self-Reporting
• Complaints

1.4. Additional Compliance Information: None.
