banner-comprehensive-digital-security-policies-standards-controls-metrics-documentation.jpg

 

Comprehensive Security Policies & Standards Based On Leading Frameworks!

microsoft-word-editable-cybersecurity-policy-standards.png

Editable Documentation

The Digital Security Program (DSP) is a product we developed for companies that need to comply with multiple requirements, but do not want to be locked into documentation that is formatted to conform with the taxonomy ISO 27002 or NIST 800-53. Essentially, the DSP is a "best in class" approach to security documentation.

In addition to being a hybrid model that is made up of leading security frameworks, we also added in features that are not available in the Written Information Security Program (WISP), namely mapped controls and metrics. This equates to a potential time savings of hundreds of hours, based on how much work goes into not only creating controls and worthwhile metrics, but mapping those back into your organizations policies and standards.

One special aspect of the DSP is while it comes in Microsoft Word format, it also comes in Microsoft Excel so that it is easy to import into a GRC solution (e.g., Archer, RSAM, MetricStream, etc.)! This is an ideal solution for companies that either currently use a GRC solution or are exploring the use of one. The time savings can equate to a saving of tens of thousands of dollars in customizing "out of the box" documentation from these tools. 

If you are interested in learning more, there is a product walk-through video and other helpful documentation, so keep reading or contact us so we can help answer your specific questions.

Our DSP covers the following leading frameworks and requirements. The DSP comes with an Excel spreadsheet that provides the mapping for the standards to these references:

NIST 800-53
NIST 800-171
NIST Cybersecurity Framework (CSF)
National Industrial Security Program Operating Manual (NISPOM)
Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012)          
Federal Acquisition Regulation (FAR 52.204-21)
Federal Risk and Authorization Management Program (FedRAMP)
Fair & Accurate Credit Transactions Act (FACTA)
Financial Industry Regulatory Authority (FINRA)
Federal Financial Institutions Examination Council (FFIEC

ISO 27002
ISO 27018
Generally Accepted Privacy Principles (GAPP)
Payment Card Industry Data Security Standard (PCI DSS)
Control Objectives for Information and Related Technology (COBIT 5)    
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes Oxley Act (SOX)
Gramm Leach Bliley Act (GLBA)
NY DFS 23 NYCCRR 500
Federal Drug Administration (FDA) 21 CFR Part 11 

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
American Institute of CPAs Service Organization Control (AICPA SOC2)
Center for Internet Security Critical Security Controls (CIS CSC)
Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
European Union Agency for Network and Information Security (ENISA)
European Union General Data Protection Regulation (EU GDPR)
United Kingdom Data Protection Act (UK DPA)
Massachusetts 201 CMR 17.00
Oregon Identity Theft Protection Act (ORS 646A)

  What Problem Does The DSP Solve?  

  • Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The DSP is an efficient method to obtain comprehensive security policies, standards, controls and metrics for your organization!
  • Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The DSP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements. 
  • Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The DSP's standards provides mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.  
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The DSP provides this evidence!

 How Does the DSP Solve It?  

  • Clear Documentation - The DSP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
  • Time Savings - The DSP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs. 
  • Alignment With Leading Practices - The DSP is written to support over two dozen leading frameworks!  

 

DSP Product Walkthrough Video

If you have a few minutes, please watch the video for information about the DSP, as well as a look at the deliverables. 

 

FAR MORE THAN JUST POLICIES & STANDARDS – THE DSP COMES WITH MAPPED CONTROLS AND METRICS

The DSP is a “best in class” hybrid that leverages numerous leading frameworks to create a comprehensive security program for your organization!

digital-security-program-product-comparison-example.jpg 

The DSP comes with policies, standards, controls and metrics! The DSP comes mapped to both the NIST Cybersecurity Framework (CSF) and the Center for Internet Security Critical Security Controls (CIS CSC) for the controls and metrics, so you can choose which controls and metrics are most applicable to your organization!

digital-security-program-cybersecurity-policies-standards-controls-metrics.jpg

We even further broke things down to provide recommended key controls, KPIs and KRIs!

digital-security-program-cybersecurity-key-controls-kpi-kri-examples.jpg

 

ALIGNMENT IS KEY – ENTERPRISE-CLASS COVERAGE OF LEADING FRAMEWORKS

The DSP is the most comprehensive document we’ve made and it is targeted for enterprise-class organizations that have a need to align to the following frameworks:

example-digital-security-program-overview.jpg

[click to download overview]

  download-example-digital-cybersecurity-program-dsp.jpg 

DIGITAL SECURITY – THE EVOLUTION OF SECURITY

If you are reading this, you are likely familiar with how “IT Security,” “Information Security,” and “Cybersecurity” are used interchangeably by most people. However, these terms do have meaning and as you “peel back the onion” on terminology you will see that “Digital Security” is the new leading terminology to describe the entire security ecosystem. This term has evolved to be all-encompassing, since it addresses technology, information, physical security, privacy and safety.

digital-security-model.jpg

 

SAFETY COMPONENT – ONE BENEFIT OF THINKING DIGITAL

For years, the “CIA Triad” stood as the foundation for what a security program was designed to address – the Confidentiality, Integrity and Availability of both systems and data. That has now changed, since there are real-world safety considerations from Operational Technology (OT) and the Internet of Things (IoT). This has caused the evolution of the CIA Triad into the Confidentiality, Integrity, Availability and Safety (CIAS) model.

The DSP is designed around the CIAS model by adopting the best of leading security frameworks.

cia-triad-evolved-cias-model2.jpg

 


IMPORT-READY FOR GRC TOOLS – THE DSP COMES IN BOTH MICROSOFT WORD AND EXCEL FORMATS

The DSP is ready to import into your Governance, Risk & Compliance (GRC) solution, since it comes in both Microsoft Word and Excel formats. This makes the import from Excel easy. For many GRC tools, this provides you the ability to perform your customization and collaboration directly from your GRC portal.

If you do not currently have a GRC tool, but want to deploy the DSP from a user-friendly internal website, we can help with that. We offer a fixed-price service to convert the DSP into an internal website using GRAV, a Content Management System (CMS). If that interests you, please contact us at support@compianceforge.com and we can provide you with more details on that option.


DEMONSTRATING VALUE – THE NEVER-ENDING SECURITY STRUGGLE!

It is a simple fact that technology and cybersecurity departments are not revenue-generating. These cost centers must continuously demonstrate value to justify current and future budgets. While many boards of directors and executive management provide initial security budget funding based on Fear, Uncertainty & Doubt (FUD), there is an eventual need to demonstrate a Security Return on Investment (SROI). Without this return on investment, budgets are hard to justify and capabilities suffer.

The most common ways for a security program to justify budget needs is through metrics reporting. Arguably, COBIT 5’s Process Assessment Model (PAM) is the industry leading model for measuring process maturity. COBIT 5’s model is based on the well-known ISO 15504-2:2003 Capability Maturity Model (CMM) that uses six levels to describe maturity.

We avoided re-inventing the wheel and simply created an enterprise-class product that can help your organization rapidly advance its capability maturity to a CCM 4 level. The DSP can help your organization rapidly advance to CMM4!

cobit5-iso-15504-2-instant-security-maturity.jpg

 

QUICK WIN – STEPS TO USING THE DIGITAL SECURITY PROGRAM (DSP) TO OBTAIN CMM 4 (PREDICTABLE) MATURITY

While nearly all organizations have “security policies” in place, it is a sad reality that many are outdated, improperly scoped, and inadvertently add to technical debt. Quite simply, most security policies were never designed to scale as the organization grows or technologies evolve and are more of a liability than benefit. If that is your organization, the DSP can be a “quick win” to dramatically advance the maturity of your security program.

The DSP is a different animal – it is built to scale and adapt to the needs of the organization. The modular nature of the DSP means that each policy has its own standards, all the way down to controls and metrics. This hierarchical nature makes mapping metrics to policies a breeze, due to the logical organization of the documentation.

 

HIERARCHICAL APPROACH – BUILT TO SCALE & EVOLVE WITH YOUR BUSINESS

Similar to the Written Information Security Program (WISP) format, the DSP follows a hierarchical approach to how the structure is designed so that policies map all the way down to metrics.

Component

Example Content  
comprehensive-cybersecurity-documentation.jpg   comprehensive-cybersecurity-documentation-example.jpg

Policies are “high level” statements of management’s intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but provide an overall direction for the organization.

Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.

Standards establish formal requirements in regards to processes, actions and configurations. Standards are entirely focused on providing narrowly-focused, prescriptive requirements that are quantifiable.

Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.

Controls are technical or administrative safeguards that may prevent, detect or lessen the ability of the threat actor to exploit a vulnerability.

Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.


NOT JUST A MICROSOFT WORD DOCUMENT – CONTENT IS IN EXCEL & READY TO IMPORT INTO A GRC SOLUTION

While the DSP does come in Microsoft Word like the WISP, the included Excel version of the DSP comes with the following content so it is easy to import into a GRC solution (e.g., Archer, RSAM, MetricStream, etc.):

  • Policy statements
  • Policy intent
  • Control objectives
  • Standards
  • Guidance
  • Controls
  • Metrics - including suggested Key Performance Indicators (KPIs) & 
  • Key Risk Indicators (KRIs)
  • Indicators of Compromise (IoC)
  • Indicators of Exposure (IoC)
  • Target Audience Applicability
  • Scoping - Basic or Enhanced Requirement
  • Recommended roles / teams with responsibility for each standard (basically a RACI for key stakeholders)

  example-digital-security-program-grc-export-ready-excel.jpg

[click to see an example of the Excel content]

COMPREHENSIVE DOCUMENTATION – COVERAGE FOR YOUR SECURITY PROGRAM’S NEEDS

The DSP consists of thirty-two (32) policies. Nested within these policies are the control objectives, standards and guidelines that make your security program run.

The structure of the DSP makes is easy to add or remove policy sections, as your business needs change. The same concept applies to standards – you can simply add/remove content to meet your specific needs.

 

Policy Identifier            # Policy Identifier
1  Digital Security Governance GOV  

17

 Information Assurance  IAO
2  Asset Management AST   18  Maintenance   MNT
 Business Continuity & Disaster Recovery BCD   19  Mobile Device Management MDM
 Capacity & Performance Planning CAP   20  Network Security NET
 Change Management CHG   21  Physical & Environmental Security PES
 Cloud Security CLD   22  Privacy PRI 
 Compliance CPL   23  Project & Resource Management PRM 
 Configuration Management CFG   24  Risk Management RSK 
 Continuous Monitoring MON   25  Secure Engineering & Architecture SEA 
10   Cryptographic Protections CRY   26  Security Operations OPS 
11   Data Classification & Handling DCH   27  Security Awareness & Training SAT 
12   Embedded Technology EMB   28  Technology Development & Acquisition TDA 
13   Endpoint Security END   29  Threat Management THR 
14   Human Resources Security HRS   30  Third-Party Management TPM 
15   Identification & Authentication IAC   31  Vulnerability & Patch Management VPM 
16   Incident Response IRO   32  Web Security WEB 

 

DUE CARE & DUE DILIGENCE – JUMP START YOUR RACI FOR “OWNERSHIP” OF STANDARDS

We went the extra mile to help create a basic RACI-type mapping that identifies both the target audiences, but also the key stakeholders for each standard. It is all customizable, since it is Excel, but it enables you to hit the ground running.

example-applicablility-scope-raci-excel.jpg

[click to see an example of the Excel content]


“GOLDILOCKS” CONTROLS – NOT TOO BIG AND NOT TOO SMALL. JUST RIGHT.

The DSP uses the NIST Cybersecurity Controls Framework (CSF) version 1.1 for its control set, so the controls are aligned with a leading framework for expected security controls. Key controls are identified from this control set and metrics are mapped to these controls. Again, being Excel it is editable for your needs.

 example-digital-security-program-controls-excel.jpg

[click to see an example of the Excel content]



ACCELERATING YOUR BUSINESS – MAPPING STANDARDS TO LEADING FRAMEWORKS

The DSP maps twenty-four (24) leading frameworks! This includes the most common statutory, regulatory and contractual requirements that are expected from a security program.

example-framework-mapping-excel.jpg

[click to see an example of the Excel content]


ACCELERATING YOUR BUSINESS – MAPPING CONTROLS TO METRICS, KPIS AND KRIS

Metrics are the bane of many cybersecurity professionals’ existence. Unfortunately, this is due in large part to poor program-level documentation. Without alignment with leading frameworks (e.g., NIST Cybersecurity Framework, CIS Critical Security Controls, ISO 27002, etc.), it is unlikely that an organization’s management will know the correct questions to ask when measuring performance. That is why the tired and generally useless metric of “how many port scans the firewall blocked” still exists in many companies. We want to help change that with the DSP!

The DSP provides you with usable metrics to prove the status of the controls, which in turn allows you to report on the health of your overall security program.

example-kpis-kris-key-controls-excel.jpg 

[click to see an example of the Excel content]

 

 

Digital Security Program (DSP) Cost Savings Estimate

Similar to the WISP example above, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a DSP from ComplianceForge is approximately 17% ($37,000+ savings) of the cost as compared to writing your own documentation and 8% ($90,000+ savings) of the cost as compared to hiring a consultant to write it for you!

 2017-pricing-cybersecurity-digital-security-policy-program.jpg

 

 

 

ADD-ON SERVICE: Share The Digital Security Program (DSP) Internally - Intranet Site Powered By Grav

We are pleased to offer an add-on service for organizations that purchase the DSP. For organizations that lack a GRC tool (e.g., Archer, RSAM, MetricStream, etc.) and who would prefer to have an interactive format to share policies and standards with users. Please click on the image below to see it for yourself! 

example-digital-security-program-krav-cms.jpg

[click to see an example]

 

These intranet sites are powered by Grav, a flat-file Content Management Service (CMS). CMS are used to create and manage digital content, so it is a perfect way to manage your DSP. If you would like to learn more about this service, please contact us

Benefits include the following:

Keyword Searching
• Rapidly search through the DSP by using keywords and only relevant content will be displayed.

Email & Print
• All HTML documents are deep linked which can be used in an email conversations.
• Easily print a branded version of the HTML content with a click of a button.

GRC Integration
• Easily integrate policy / standard content into any popular GRC platform via JSON or XML outputs.

Easy Content Management
• Easy page administration & content authoring via a admin portal.
• Built with plain text files for your content. There is no database needed! (See Web Server Requirements)


Your internal server requirements include the following, since you would be hosting the website internal to your network:

Web Server Requirements
• Webserver (Apache, Nginx, LiteSpeed, Lightly, IIS, etc.)
• PHP 5.5.9 or higher

PHP Requirements
• gd (a graphics library used to manipulate images)
• curl (client for URL handling used by GPM)
• openssl (secure sockets library used by GPM)
• zip extension support (used by GPM)
• mbstring (multibyte string support)
• xml (XML support)

 

 

 

 

Sort by:

Sign up for our Newsletter!

×
×