Building an Effective NERC Evidence Retention Program
Having an evidence retention program for your data is key to maintaining NERC compliance. Evidence retention is a necessary piece of the auditing process, as it serves as a record of compliance that demonstrates you have met NERC requirements for the full time period since your last audit.
Proper NERC evidence retention is essential for registered entities that will undergo audits, and is particularly important for Medium Impact and High Impact entities.
NERC requirements for evidence retention are as follows:
The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation:
- Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years.
- If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved or for the time specified above, whichever is longer.
- The CEA shall keep the last audit records and all requested and submitted subsequent audit records.”
Things to Consider
As you can see, there is no guidance on where, how or even what format to retain the data/evidence. Vague guidelines may cause some entities to underestimate the value of having an appropriate evidence retention program in place. Yet without a program, ask yourself:
- Would you be prepared in the event your evidence was corrupted or destroyed, stolen, or misplaced?
- Do you have a process for recovering your evidence?
- What if someone accesses your evidence with the intention of modifying it? Do you have access controls in place?
Using a known and accepted framework for evidence retention is highly recommended. By doing this, if an auditor challenges the evidence retention process(es), the Responsible Entity can provide the auditor with a valid set of rules and guidelines that were used, therefore stopping preventing further issues with the auditing process.
The NIST 800-171 standards for protecting evidence on nonfederal systems is one of these accepted programs. The standard details subjects such as access control, awareness and training, configuration management and more.
Being proactive with establishing an effective and efficient NERC evidence retention program will ensure you have a robust program fit for audits that protects your evidence.
Interested in learning more about cybersecurity? Download our eBook, Field Testing in a Cyber Insecure World.