Cybersecurity & Privacy Compliance Made Simple
Our Cybersecurity & Privacy Documentation Is Designed To Be Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation addresses the interconnectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant. In addition to the SCF, this model works with ISO 27002, NIST CSF, NIST 800-171, CIS 20, PCI DSS, NIST 800-53 and other control frameworks.
ComplianceForge has simplified the concept of the hierarchical nature of cybersecurity and privacy documentation in the following downloadable diagram to demonstrate the unique nature of these components, as well as the dependencies that exist. You can click on the image below to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.
We Offer Huge Discounts Through Bundling Our Documentation
We offer several information security compliance documentation bundles - you can save up to 45% by purchasing certain bundled products! The bundles come from customer demand, since many clients who need policies and standards also require additional documentation to help establish or refine their IT security program. Since most companies do not have unlimited security budgets, these bundles can help you get what you need at a significant savings. If you have a unique need, please contact us since we might be able to work with you on your request.
Procedures Operationalize Policies & Standards - This Is A Key Concept To Being Both Secure & Compliant
We leverage the Operationalizing Cybersecurity Planning Model in creating a practical view towards implementing cybersecurity requirements. Organizations are often not at a loss for a set of policies, but executing those requirements often fall short due to several reasons. Standardized Operating Procedures (SOPs) are where the rubber meets the road for Individual Contributors (ICs), since these key players need to know (1) how they fit into day-to-day operations, (2) what their priorities are and (3) what is expected from them in their duties. When looking at it from an auditability perspective, the evidence of due diligence and due care should match what the organization's cybersecurity business plan is attempting to achieve.
One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
- Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
Given this approach to how documentation is structured, based on "ownership" of the documentation components:
- Policies, standards and controls are expected to be published for anyone within the organization to have access to, since it applies organization-wide. This may be centrally-managed by a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
- Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.
The central focus of any procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT), since this helps prevent a “moving target” by establishing an attainable expectation for “what right looks like” in terms of PPT. Generally, cybersecurity business plans take a phased, multi-year approach to meet these CMM-based cybersecurity objectives. Those objectives, in conjunction with the business plan, demonstrate evidence of due diligence on behalf of the CISO and his/her leadership team. The objectives prioritize the organization’s service catalog through influencing procedures at the IC-level for how PPT are implemented at the tactical level. SOPs not only direct the workflow of staff personnel, but the output from those procedures provides evidence of due care.
The diagram below helps show the critical nature of documented cybersecurity procedures in keeping an organization both secure and compliant:
What Products Make Up These Bundles & Why?
Based client feedback, we made our bundles to simplify the needs to address specific compliance requirements. When you break down the requirements to comply, you will see how the products address a specific compliance need:
Please note that if you want a customized bundle, we are happy to create one for you. Just contact us with your needs and we will generate a quote for you.
Policies, Standards, Function-Specific Guidance & Procedures - Our Product Lineup
The following diagram helps demonstrate the layered nature of cybersecurity documentation. Policies & standards set the stage for teams/departments to create and implement programs that are function-specific.
- A policy on risk will define management's intent to manage risk (RA section of NIST 800-53);
- One of the standards supporting the risk policy might require an annual risk assessment (RA-3);
- Products such as the Risk Management Program (RMP) provide the middle-ground between the policy/standard and the actual deliverable risk assessment to provide risk-specific guidance on concepts such as acceptable risk, the methodology of risk management the organization aligns to, who within the organization can sign off on various levels of risk, etc.
If you would like to know more about how this works, please contact us and we'd be happy to further explain how our documentation links together to create comprehensive, linked cybersecurity and privacy documentation.