Example Cybersecurity & Privacy Documentation
We are proud of the documentation that we produce for our clients and we encourage you to take a look at our example cybersecurity documentation. Each product page has at least one PDF example so that you can view the quality of ComplianceForge products for yourself - if you scroll down on the product pages you will find an "examples" section (generally located about 1/4 of the way down each product page).
Let us help you be successful! Many IT / cybersecurity / privacy professionals, when they refer to a "policy," really mean a "standard," and that creates a great deal of confusion when discussing cybersecurity documentation, since those are not interchangeable terms. The most common questions we get pertain to "word crimes" that revolve around a misunderstanding of what a policy, standard or procedure is meant to be, based on industry-recognized definitions. There are a lot of bad practices, so we demonstrate what the words actually mean, so that everyone can operate from the same baseline understanding of the terminology; in compliance, words have meanings and terminology matters.
Cybersecurity & data protection documentation needs to be usable. This means the documentation needs to be written clearly, concisely and in a business-context language that users can understand. By doing so, users will be able to find the information they are looking for, and that will lead to IT security best practices being implemented throughout your company. Additionally, having good cybersecurity documentation can be "half the battle" when preparing for an audit, since it shows that effort went into the program and key requirements can be easily found. The PDF document shown below provides two side-by-side examples, from policies all the way through metrics, so you can see what the actual content looks like.
Word Crimes: Start From A Solid Understanding Of What Right Looks Like For Cybersecurity Documentation
The Hierarchical Cybersecurity Governance Framework (HCGF) is the "ComplianceForge Reference Model" of cybersecurity and privacy documentation. The HCGF is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization's cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics. The swimlane diagram shown below (click for a larger PDF) defines the terminology and demonstrates the linkages between these various documentation components.
It all starts with influencers – these influencers set the tone and establish what is considered to be due care for cybersecurity & data protection operations. For external influencers, this includes statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding agreements) that companies must address. For internal influencers, these are business-driven and the focus is more on management’s desire for consistent, efficient and effective operations:
- Alignment with business strategy; and
- Meeting business goals & objectives.
In the context of good cybersecurity documentation, components are hierarchical and build on each other to form a strong governance structure that utilizes an integrated approach to managing requirements. Well-designed documentation is comprised of five (5) core components:
- Policies are established by an organization's corporate leadership and establish "management's intent" for the cybersecurity and data protection requirements that are necessary to support the organization's overall strategy and mission.
- Control Objectives identify the technical, administrative and physical protections that are generally tied to a law, regulation, industry framework or contractual obligation.
- Standards provide organization-specific, quantifiable requirements for cybersecurity and data protection.
- Guidelines are additional guidance that is recommended, but not mandatory.
- Procedures (also known as Control Activities) establish the defined practices or steps that are performed to implement standards and satisfy controls / control objectives.
The "ComplianceForge Reference Model" for writing documentation is entirely based on industry-recognized "best practices" according to terminology definitions from NIST, ISO, ISACA and AICPA. This approach is designed to encourage clear communication by clearly defining cybersecurity and privacy documentation components and how those are linked. This comprehensive view identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care. It addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant. ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that visualizes the unique nature of these components, as well as the dependencies that exist.
To demonstrate that bold claim, we wrote the "START HERE: A guide to understanding cybersecurity and data protection documentation". This follows the schema shown above (the Hierarchical Cybersecurity Governance Framework (HCGF)) that demonstrates the linkages from policies all the way through metrics. The following guide is designed to demonstrate "what right looks like" for cybersecurity and privacy documentation, so that it is at the same time scalable, concise and provides comprehensive coverage. You can jump straight to the definitions on page 6 if you are curious.
Understanding Cybersecurity & Privacy Documentation
Understanding Basic Cybersecurity & Data Protection Documentation Components
It is imperative that cybersecurity and privacy documentation be scalable and flexible, so it can adjust to changes in technology, evolving risk and changes within an organization. The modern approach to cybersecurity and privacy documentation is modular: it is best to link to or reference other documentation rather than replicate content throughout multiple policy or standard documents. Not only is the "traditional model of cybersecurity documentation" inefficient, but it can also be confusing and lead to errors. Additionally, when it comes to audits/assessments, "time is money": inefficient, cumbersome documentation has a very real financial cost associated with the amount of time it takes an auditor/assessor to parse through the documentation. Concise, efficient documentation can pay for itself in the cost savings from a single audit/assessment.
A good example of documentation that is scalable, modular and hierarchical is in the diagram below:
External vs Internal Documentation
Industry frameworks are often referred to as a standard. In reality, most frameworks are merely a repository of specific controls that are organized by control families (e.g., NIST CSF, ISO 27002, NIST SP 800-171, NIST SP 800-53, etc.). For example, while NIST SP 800-53 R5 is called a "standard," it is made up of 1,189 controls that are organized into 20 control families (e.g., Access Control (AC), Program Management (PM), etc.). These controls are what make NIST SP 800-53 a "framework" that an organization can use as a guide to develop the internal policies and standards that allow it to align with those expected practices.
Internal Cybersecurity & Privacy Documentation
An organization is expected to identify the cybersecurity and privacy principles (e.g., an industry framework) that it wants to align its cybersecurity and privacy program with, so that its practices follow reasonably-expected controls. For example, to make an organization's alignment with NIST SP 800-53 R5 more straightforward and efficient:
- A policy corresponding to each control family defines executive leadership's statement of management intent for that specific area of focus (e.g., access control, compliance, physical security, etc.).
- Control objectives provide a 1-1 mapping to address a specific control (e.g., AC-3, AC-7, etc.). For each control, there should be a control objective.
- Granular standards address the particulars necessary to accomplish the objective of the control (hence the name "control objective").
- Guidelines may or may not be needed to provide additional details about the standard.
- Procedures (e.g., Standardized Operating Procedures (SOP)) describe how the standard is operationalized to meet the intent of the control.
ComplianceForge Sells Far More Than Just Cybersecurity Policies & Standards!
ComplianceForge sells a wide range of documentation from core policies and standards, to function-specific "program level" documentation to procedures. We encourage you to read through the product pages to learn more.
If you have any product-related questions, please let us know. We are happy to help answer your questions!