NIST 800-53 Based Security Documentation


NIST 800-53 Rev4 - Comprehensive IT Security Policies & Standards

The NIST 800-53 rev4-based Written Information Security Program (WISP) is our premier set of IT security policies and standards. This is a comprehensive, editable, easily implemented document that contains the policies, control objectives, standards and guidelines that your company needs to establish a world-class IT security program. Being Microsoft Word documents, you have the ability to make edits, as needed. For companies that need to be compliant with NIST 800-171, the WISP provides coverage for NIST 800-53 Moderate baseline controls so you could implement the WISP for your NIST 800-171 compliance needs!

Unlike some of our competition that sell “bronze, silver and gold” levels of documentation, we understand that a standard is a standard for a reason. We take out the guesswork associated with picking an appropriate package level - we focus on providing documentation that offers a straightforward solution with the coverage you need. This focus on providing the best solution for our clients makes us proud to offer the best set of IT security policies and standards available. Saving a few dollars on a cheap solution can easily leave you with a false sense of security and gaping holes in your documentation that can leave you liable.

Our customers choose the NIST 800-53 rev 4 Written Information Security Program (WISP) because they:

  • Have a need for comprehensive IT security documentation built on an industry framework
  • Need to be able to edit the document to their specific needs
  • Have documentation that is directly linked to best practices, laws and regulations
  • Need an affordable solution

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 companies that have dedicated IT security staff. All information security policies and standards are backed up by documented best practices. The following leading practices are mapped into the NIST-based Written Information Security Program (WISP), and you will get an Excel spreadsheet with the mapping as part of your purchase:

  • NIST 800-53 rev4
  • FedRAMP (moderate baseline)
  • NIST 800-171 rev 1
  • DFARS
  • SOC 2 (AICPA criteria)
  • PCI DSS v3.2
  • CIS Critical Security Controls (CSC)
  • HIPAA
  • MA 201 CMR 17.00
  • Oregon ID Theft Protection Act (ORS 646A)
  • FACTA
  • GLBA


Our experience has proven that when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our Written Information Security Program (WISP) is based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements. Why is this? It is simple - in the real world, compliance is penalty-centric. Courts have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards.


SEE FOR YOURSELF - EXAMPLE NIST 800-53 Rev4 IT Security Policies & Standards

Don't take our word for it - take a look at the examples of NIST 800-53 Written IT security policy and standard statements to see for yourself the level of professionalism and detail that went into it.

Example NIST 800-53 Cybersecurity Program - NIST 800-171 IT Security Compliance Policies

Written Information Security Program (WISP) Cost Savings Estimate

When you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a WISP from ComplianceForge costs approximately 4% ($17,000+ savings) of what it costs to write your own documentation and 2% ($41,000+ savings) of what it costs to hire a consultant to write it for you!

NIST 800-171 Compliance Concerns?

Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53 rev4? The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework and it can help your organization become compliant with NIST 800-171 requirements.

Additionally, you will want to take a look at our NIST 800-171 Compliance Criteria (NCC) product, since it contains practical guidance on how to comply with NIST 800-171 requirements. This supports the NIST-based WISP.


This NIST-based WISP is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the NIST 800-53 rev4-based policies, control objectives, standards and guidelines that your company needs to establish a robust cybersecurity program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs. NIST 800-53 is the de facto standard for cybersecurity requirements that is issued by the US government. Therefore, government agencies, defense contractors, telecom service providers, health care providers, financial companies or any organizations that contract with the government tend to adopt NIST-based best practices over all other frameworks, based on regulatory requirements.

NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI. The families are aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with exceptions for the contingency planning, system and services acquisition, and planning requirements. Appendix D of NIST 800-171 maps requirements to both NIST 800-53 rev4 and ISO 27002:2013 best practices. Only NIST 800-53 offers complete coverage for NIST 800-171 requirements.

This Is How IT Security Documentation Is Meant To Be Structured!


From Fortune 500 organizations with tens of thousands of employees, to established mid-sized companies, to startups with just a few employees, our Written Information Security Program (WISP) has proven it is adaptable, since it is built on a scalable framework that utilizes best practices. Some clients need a refresh and understand it is better to save time and money by turning to professionals for their written IT security policies. Some clients turn to us because they are under pressure from companies they support to prove their levels of security, and that requires redoing their security program. As we have proven, a standard is a standard for a reason – standards apply equally across organizations of any size and across any industry. That is why we take the time to map our standards to best practices, laws and other important requirements. This allows our solution to work for any client, since it gives them the ability to provide evidence of due care and due diligence for their IT security documentation.

In addition to NIST-based IT Security Policies & Standards, NIST 800-53 WISP Comes With These Supplemental IT Security Resources

As an extra bonus, we include the following supplemental documentation at no additional cost:

  • User acknowledgement form
  • User equipment receipt of issue
  • Service provider non-disclosure agreement form
  • Incident response form
  • Information Security Officer (ISO) appointment orders
  • Administrator account request form
  • Change Control Board (CCB) meeting documentation template
  • Plan of Action & Milestones (POA&M) documentation template
  • Ports, protocols & services documentation template
  • Statutory, Regulatory & Legal compliance checklist
  • Incident Response Plan (IRP) template
  • Business Impact Analysis (BIA) template
  • Disaster Recovery Plan (DRP) template
  • Business Continuity Plan (BCP) template
  • Privacy Impact Assessment (PIA) template
  • Electronic discovery (e-discovery) guidelines

 

NIST 800-53 Written IT Security Documentation - Robust Approach To Cybersecurity

For a preview of how the twenty-six (26) Written Information Security Program (WISP) policies create a comprehensive IT security framework based on NIST 800-53 rev4 best practices, see the policy summaries below.

NIST 800-53 IT Security Documentation - Understanding How Policies, Control Objectives, Standards, Guidelines & Procedures Relate


The Most Comprehensive NIST 800-53-Based IT Security Documentation Available Online


Information Security Program - NIST 800-53 IT security policy & standards based on NIST 800-53 PM family

Purpose: The purpose of the Program Management (PM) policy is for your company to specify the development, implementation, assessment, authorization, and monitoring of the IT security program management. The successful implementation of security controls for organizational information systems depends on the successful implementation of the organization’s program management controls. The IT security Program Management (PM) controls are essential for managing the IT security program.

Supporting Documentation: Program Management (PM) standards directly support this policy. 

 

Security Testing Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 CA family

Purpose: The purpose of the Certification, Accreditation & Security Assessment (CA) policy is to ensure that risk determinations made during the initial risk assessment for a project or information system are accurate and provide a thorough portrayal of the risks to your company.

Supporting Documentation: Certification, Accreditation & Security Assessment (CA) standards directly support this policy. 

 

Security Resource Planning Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 PL family

Purpose:  The purpose of the Planning (PL) policy is to ensure due care planning considerations are addressed to minimize risks to your company.

Supporting Documentation: Planning (PL) standards directly support this policy. 

 

Risk Assessment Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 RA family

Purpose: The purpose of the Risk Assessment (RA) policy is to ensure that risk determinations made during the initial risk assessment for a project or information system are accurate and provide a thorough portrayal of the risks to your company.  

Supporting Documentation: Risk Assessment (RA) standards directly support this policy. 

 

IT Systems & Services Acquisition Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SA family

Purpose:  The purpose of the System & Services Acquisition (SA) policy is to ensure that information systems employ a System Development Life Cycle (SDLC), where the security of systems and services are assessed throughout the operational life of the systems to reduce risks to your company.  

Supporting Documentation: System & Service Acquisition (SA) standards directly support this policy. 

 

IT Security Awareness & Training Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AT family

Purpose:  The purpose of the Awareness & Training (AT) policy is to provide guidance for broad security awareness and security training for your company users.

Supporting Documentation: Awareness & Training (AT) standards directly support this policy. 

 

Configuration Management Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 CM family

Purpose: The purpose of the Configuration Management (CM) policy is to establish and maintain the integrity of information systems.

Supporting Documentation: Configuration Management (CM) standards directly support this policy. 

 

Contingency Planning Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 CP family

Purpose: The purpose of the Contingency Planning (CP) policy is to establish procedures that will help your company's management quickly determine the appropriate actions to be taken in response to an interruption of service or a disaster.

Supporting Documentation: Contingency Planning (CP) standards directly support this policy. 

 

Incident Response Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 IR family

Purpose: The purpose of the Incident Response (IR) policy is to establish a protocol to guide your company’s response to a cyber-security incident.

Supporting Documentation: Incident Response (IR) standards directly support this policy. 

 

Maintenance Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 MA family

Purpose:  The purpose of the Maintenance (MA) policy is to ensure that due diligence is performed by properly maintaining your company information systems.  

Supporting Documentation: Maintenance (MA) standards directly support this policy. 

 

Media Protection Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 MP family

Purpose:  The purpose of the Media Protection (MP) policy is to ensure that access to both paper and digital media is limited to authorized individuals. 

Supporting Documentation: Media Protection (MP) standards directly support this policy. 

 

Personnel Security Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 PS family

Purpose: The purpose of the Personnel Security (PS) policy is to ensure that your company performs due care and due diligence in its personnel management procedures.

Supporting Documentation: Personnel Security (PS) standards directly support this policy. 

 

Physical & Environmental Protection Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 PE family

Purpose:  The purpose of the Physical & Environmental Protection (PE) policy is to minimize risk to your company information systems and data by addressing applicable physical security and environmental concerns.

Supporting Documentation: Physical & Environmental Protection (PE) standards directly support this policy. 

 

System & Information Integrity Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SI family

Purpose:  The purpose of the System & Information Integrity (SI) policy is to ensure confidentiality, integrity and availability of your company’s data.

Supporting Documentation: System & Information Integrity (SI) standards directly support this policy. 

 

Access Control Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AC family

Purpose:  The purpose of the Access Control (AC) policy is to ensure that your company limits access to its information systems and data to authorized users.

Supporting Documentation: Access Control (AC) standards directly support this policy. 

 

Audit & Accountability Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AU family

Purpose:  The purpose of the Audit & Accountability (AU) policy is to ensure that your company creates and maintains appropriate scope and totality of audit records.  

Supporting Documentation: Audit & Accountability (AU) standards directly support this policy. 

 

Identification & Authentication Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 IA family

Purpose: The purpose of the Identification & Authentication (IA) policy is to ensure sufficient methods are enacted to properly identify and authenticate your company’s authorized users and processes.

Supporting Documentation: Identification & Authentication (IA) standards directly support this policy. 

 

System & Communication Protection Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SC family

Purpose:  The purpose of the System & Communication Protection (SC) policy is to ensure sufficient protections are in place to protect the confidentiality and integrity of your company’s communications.  

Supporting Documentation: System & Communication Protection (SC) standards directly support this policy. 

 

Data Authority & Purpose Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AP family

Purpose: The purpose of the Data Authority & Purpose (AP) policy is to ensure that your company identifies the authority to collect Personally Identifiable Information (PII) or to conduct activity that impacts privacy, and specifies the purpose(s) for which PII is collected.

Supporting Documentation: Data Authority & Purpose (AP) standards directly support this policy. 

 

Data Accountability, Audit & Risk Management Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AR family

Purpose:  The purpose of the Accountability, Audit & Risk Management (AR) policy is to enhance public confidence through effective governance, monitoring, risk management, and assessments to demonstrate that your company is complying with applicable privacy protection requirements and minimizing overall privacy risk.

Supporting Documentation: Data Accountability, Audit & Risk Management (AR) standards directly support this policy. 

 

Data Quality & Integrity Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 DI family

Purpose:  The purpose of the Data Quality & Integrity (DI) policy is to enhance public confidence that any PII collected and maintained by your company is accurate, relevant, timely, and complete for the purpose for which it is to be used.

Supporting Documentation: Data Quality & Integrity (DI) standards directly support this policy. 

 

Data Minimization & Retention Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 DM family

Purpose:  The purpose of the Data Minimization & Retention (DM) policy is to implement data minimization and retention standards that your company uses to collect, use, and retain only PII that is relevant and necessary for the specified purpose for which it was originally collected. 

Supporting Documentation: Data Minimization & Retention (DM) standards directly support this policy. 

 

Individual Participation & Redress Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 IP family

Purpose: The purpose of the Individual Participation & Redress (IP) policy is to address the need to make individuals active participants in the decision-making process regarding the collection and use of their Personally Identifiable Information (PII).

Supporting Documentation: Individual Participation & Redress (IP) standards directly support this policy. 

 

Data Security Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SE family

Purpose: The purpose of the Data Security (SE) policy is to supplement the management, operational and technical security controls to ensure safeguards are in place to protect Personally Identifiable Information (PII) collected or maintained by your company against loss, unauthorized access, or disclosure.

Supporting Documentation: Data Security (SE) standards directly support this policy. 

 

Data Transparency Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 TR family

Purpose:  The purpose of the Data Transparency (TR) policy is to implement your company’s method for disclosing information practices and activities for consumer data.

Supporting Documentation: Data Transparency (TR) standards directly support this policy. 

 

Data Use Limitation Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 UL family

Purpose:  The purpose of the Data Use Limitation (UL) policy is to help your company implement controls that will ensure that the scope of Personally Identifiable Information (PII) use is limited accordingly.

Supporting Documentation: Data Use Limitation (UL) standards directly support this policy.
