Documented Procedures & Control Activities
At the heart of it, procedures represent an established way of doing something, such as a series of actions conducted in a specified order or manner. Some organizations refer to procedures as “control activities” and the terms are essentially synonymous.
Documented procedures are one of the most overlooked requirements in cybersecurity compliance, yet they are also a minimum expectation that an auditor is going to look for. Organizations that undergo annual audits tend to do better with procedures, since they learned early on that lacking procedures would earn a control deficiency and possibly fail the audit (e.g., SOX). Companies tend to learn quickly that, in the auditor's eyes, lacking procedures is a demonstrated failure of internal controls. In general terms, internal controls are the policies, standards and procedures that an organization implements to govern its cybersecurity and privacy program.
For anyone who has written procedures, the reason companies routinely fail to maintain them is clear: properly documenting processes can take considerable time and effort. Part of that is tied to a lack of best practices around what good procedures look like; every organization tends to do something different, based on internal staff preferences or auditor pressure. This leads to a lack of standardization across departments and business functions, which makes it hard to maintain "what right looks like" when no benchmark exists.
What Can Be Done To Make It Easier?
The good news is that ComplianceForge developed a standardized template for procedures and control activity statements, the Cybersecurity Standardized Operating Procedures (CSOP).
Given the difficult nature of writing templated procedure statements, we aimed for an "80% solution", since it is impossible to write a 100% complete cookie-cutter procedure statement that can be applied equally across multiple organizations. What this means is that ComplianceForge did the heavy lifting and you just need to fine-tune each procedure with the specifics that only you would know to make it applicable to your organization. It is largely a matter of filling in the blanks and following the guidance we provide to identify the who / what / when / where / why / how that makes it complete.
Take a look at an example to see for yourself. We even provide a matrix to help identify the likely stakeholders for these procedures. There are four (4) versions of the CSOP:
- CSOP - Digital Security Program (DSP) (directly maps to the Secure Controls Framework (SCF))
- CSOP - NIST 800-53
- CSOP - ISO 27002
- CSOP - NIST Cybersecurity Framework
Procedure Documentation Expectations
Procedures should be both clearly written and concise, since procedure documentation is meant to provide evidence of due diligence that standards are complied with. Well-managed procedures are critical to a security program, since procedures represent the specific activities that are performed to protect systems and data. The diagram shown below helps visualize the linkages in documentation that involve written procedures:
- CONTROL OBJECTIVES exist to support POLICIES
- STANDARDS are written to support CONTROL OBJECTIVES
- PROCEDURES are written to implement the requirements that STANDARDS establish
- CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning
- METRICS exist as a way to measure the performance of CONTROLS
What Can Go Wrong If I Do Not Have Written Procedures?
What can possibly go wrong with non-compliance with a law, regulation or contract?
- Contract Termination. It is reasonable to expect that the other party will terminate contracts over non-compliance with major cybersecurity and privacy requirements, since non-compliance is a failure to uphold contract requirements. Subcontractor non-compliance may also cause the prime contractor to be non-compliant as a whole.
- Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a non-compliance related tort would be negligence on the part of the accused party for not maintaining a specific code of conduct (e.g., no documented procedures).
- Fines. The Federal Trade Commission (FTC) has authority to investigate and fine companies found to have poor security programs. In addition to fines, companies can be forced to pay for recurring, annual audits to demonstrate cybersecurity program effectiveness.
Below is a short list of statutory and regulatory requirements, as well as leading cybersecurity frameworks, that EXPECT every organization to document and maintain cybersecurity-related procedures. If you need to address one or more of these frameworks, then you need to maintain documented procedures.
- SOC 2
- CIS CSC 7
- Criminal Justice Information Services (CJIS)
- EU GDPR
- ISO 27001
- ISO 27002
- ISO 27018
- ISO 29100
- ISO 39100
- New Zealand Information Security Manual (NZISM)
- NIST Cybersecurity Framework
- NIST 800-53
- NIST 800-160
- NIST 800-171
- NY DFS 23 NYCRR 500
- PCI DSS
- UK Cyber Essentials
- UL 2900-1
Identifying "Mission Creep" With Procedures
Procedures are not meant to be documented for the sake of generating paperwork; procedures are meant to satisfy a specific operational need and to actually be complied with:
- If procedures exist and are not tied to a standard, then management should review why the procedure is in place.
- A procedure that lacks a mapping to a standard may indicate “mission creep” and represent an opportunity to reassign the work or cease performing the procedure.
Roles & Responsibilities - NIST NICE Cybersecurity Workforce Framework
The Cybersecurity Standardized Operating Procedures (CSOP) leverages the NIST NICE Cybersecurity Workforce Framework. The premise of this framework is that work roles have an impact on an organization’s ability to protect its data, systems and operations. Assigning work roles helps direct the work of employees and contractors and minimizes assumptions about who is responsible for certain cybersecurity and privacy tasks.
The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!
What Problem Does ComplianceForge Solve?
We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!
- Lack of In-House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all cost. Tasking your security analysts and engineers with writing comprehensive compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers documentation solutions that can save your organization significant time and money!
- Compliance Requirements - The reality of non-compliance with requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant but cannot provide evidence. Our documentation can help you become and stay compliant where you have documented evidence to prove it!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to multiple leading security frameworks to show you exactly what is required to stay both secure and compliant. Because the documentation is editable, you can easily maintain it as your needs or technologies change.
How Does ComplianceForge Solve It?
We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!
- Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - Time is money! Our cybersecurity documentation addresses dozens of requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to multiple leading security frameworks!