banner-NIST-800-53-rev4-based-written-information-security-program-wisp.jpg

 

NIST 800-53 Rev4 - Comprehensive IT Security Policies & Standards

microsoft-word-editable-cybersecurity-policy-standards.png

Editable Documentation

The NIST 800-53 rev4-based Written Information Security Program (WISP) is our leading set of NIST-based cybersecurity policies and standards. This is a comprehensive, editable, easily implemented document that contains the policies, control objectives, standards and guidelines that your company needs to establish a world-class IT security program. Being Microsoft Word documents, you have the ability to make edits, as needed. For companies that need to be compliant with NIST 800-171, the WISP provides coverage for NIST 800-53 moderate baseline controls so you could implement the WISP for your NIST 800-171 compliance needs!

Unlike some of our competition that sell “bronze, silver and gold” levels of documentation, we understand that a standard is a standard for a reason. We take out the guesswork associated with picking an appropriate package level - we focus on providing documentation that offers a straightforward solution to provide the appropriate coverage you need. This focus on providing the best solution for our clients makes us proud that we are providing the best set of IT security policies and standards available. Saving a few dollars on a cheap solution can easily leave you with a false sense of security and gaping holes in your documentation that can leave you liable.

The WISP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer:

What Is The Written Information Security Program (WISP)?

  • The WISP contains NIST 800-53 based cybersecurity policies & standards in an editable Microsoft Word format.
    • Each of the NIST 800-53 rev4 families has a policy associated with it, so there is a total of 26 policies.
    • Under each of the policies are standards that support it.
    • The WISP covers the moderate control set from NIST 800-53 rev 4.
  • The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
    • The WISP provides the underlying cybersecurity standards that must be in place, as stipulated by statutory, regulatory and contractual requirements.
    • Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from a HR perspective, the WISP does this from a cybersecurity perspective.

We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident responserisk management or vulnerability management program documents. Our focus is on helping you become audit ready!

 

2017-cybersecurity-governance-wip-dsp-pci-risk-compliance-framework-documentation.jpg

   What Problem Does The WISP Solve?  

  • Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simple are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The NIST-based WISP is an efficient method to obtain comprehensive NIST 800-53 based security policies and standards for your organization!
  • Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The WISP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements. The WISP maps to several leading compliance frameworks so you can clearly see what is required!
  • Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The WISP's standards provides mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.  
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The WISP provides this evidence!

 How Does the WISP Solve It?  

  • Clear Documentation - The WISP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
  • Time Savings - The WISP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs. 
  • Alignment With Leading Practices - The NIST-based WISP is written to align your organization with NIST 800-53 rev4!  

 

SEE FOR YOURSELF - EXAMPLE NIST 800-53 Rev4 IT Security Policies & Standards 

Don't take our word for it - take a look at the examples of NIST 800-53 Written IT security policy and standard statements to see for yourself the level of professionalism and detail that went into it.

Example NIST 800-53 Cybersecurity Program - NIST 800-171 IT Security Compliance Policies

NIST 800-53 Security Program

Our customers choose the NIST 800-53 rev 4 Written Information Security Program (WISP) because they:

  • Have a need for comprehensive IT security documentation built on an industry framework
  • Need to be able to edit the document to their specific needs
  • Have documentation that is directly linked to best practices, laws and regulations
  • Need an affordable solution

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 company that have dedicated IT Security staff. All information security policies and standards are backed up by documented best practices. The following leading practices are mapped into the NIST-based Written Information Security Program (WISP) and you will get an Excel spreadsheet with the mapping as part of your purchase:

  • NIST 800-53 rev4
  • FedRAMP (moderate baseline)
  • NIST 800-171 rev 1 (DFARS 252.204-7012)
  • FAR 52.204-21
  • NISPOM
  • SOC 2 (AICPA criteria)
  • NY DFS
  • PCI DSS v3.2
  • ISO 27002:2013
  • NIST Cybersecurity Framework
  • CIS Critical Security Controls (CSC) (SANS Top 20)
  • HIPAA
  • MA 201 CMR 17.00
  • Oregon ID Theft Protection Act (ORS 646A)
  • FACTA
  • GLBA 

This Is How NIST 800-53 Cybersecurity Documentation Is Meant To Be Structured!

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 company that have dedicated IT Security staff. All information security policies and standards are backed up by documented best practices.

graphic-example-information-security-policies-standards-control-objectives-procedures-guidelines.jpg

HIERARCHICAL APPROACH – BUILT TO SCALE & EVOLVE WITH YOUR BUSINESS

Our experience has proven that when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our Written Information Security Program (WISP) is based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements. Why is this? It is simple - in the real world, compliance is penalty-centric. Courts have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards. 

The Written Information Security Program (WISP) follows a hierarchical approach to how the structure is designed so that standards map to control objectives and control objectives map to policies. This allows for the standards to be logically grouped to support the policies.

Component

Example Content  
comprehensive-cybersecurity-documentation.jpg   comprehensive-cybersecurity-documentation-example.jpg

Policies are “high level” statements of management’s intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but provide an overall direction for the organization.

Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.

Standards establish formal requirements in regards to processes, actions and configurations. Standards are entirely focused on providing narrowly-focused, prescriptive requirements that are quantifiable.

Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.

Controls are technical or administrative safeguards that may prevent, detect or lessen the ability of the threat actor to exploit a vulnerability.

Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.

 

Written Information Security Program (WISP) Cost Savings Estimate

As you can see, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a WISP from ComplianceForge is approximately 4% ($17,000+ savings) of the cost as compared to writing your own documentation and 2% ($41,000+ savings) of the cost as compared to hiring a consultant to write it for you!

   2017-pricing-written-information-security-program-wisp.jpg

 

Which Product Is Right For You?

Our documentation is meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. 

We offer up to 40% discounts on our documentation bundles, so please be aware that you have benefit from significant savings by bundling the documentation you need. You can see the available bundles here.

2017-cybersecurity-audit-preparation-integrated-comprehensive-cybersecurity-program-documentation-example.jpg

 

NIST 800-171 Compliance Concerns?

Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53 rev4? The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework and it can help your organization become compliant with NIST 800-171 requirements.

Additionally, you will want to take a look at our NIST 800-171 Compliance Criteria (NCC) product, since it contains practical guidance on how to comply with NIST 800-171 requirements. This supports the NIST-based WISP.

nist-800-171-compliance-made-easy.jpg

 

This NIST-based WISP is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the NIST 800-53 rev4-based policies, control objectives, standards and guidelines that your company needs to establish a robust cybersecurity program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs. NIST 800-53 is the de facto standard for cybersecurity requirements that is issued by the US government. Therefore, government agencies, defense contractors, telecom service providers, health care providers, financial companies or any organizations that contract with the government tend to adopt NIST-based best practices over all other frameworks, based on regulatory requirements.

NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI. The families are aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with exceptions for contingency planning, system, and services acquisition and planning requirements. Appendix D of NIST 800-171 maps requirements to both NIST 800-53 rev4 and ISO 27002:2013 best practices. Only NIST 800-53 offers complete coverage for NIST 800-171 requirements.

 

In addition to NIST-based IT Security Policies & Standards, NIST 800-53 WISP Comes With These Supplemental IT Security Resources

As an extra bonus, we include the following supplemental documentation at no additional cost:

  • User acknowledgement form
  • User equipment receipt of issue
  • Service provider non-disclosure agreement form
  • Incident response form
  • Information Security Officer (ISO) appointment orders
  • Administrator account request form
  • Change Control Board (CCB) meeting documentation template
  • Plan of Action & Milestones (POA&M) documentation template
  • Ports, protocols & services documentation template
  • Statutory, Regulatory & Legal compliance checklist
  • Incident Response Plan (IRP) template
  • Business Impact Analysis (BIA) template
  • Disaster Recovery Plan (DRP) template
  • Business Continuity Plan (BCP) template
  • Privacy Impact Assessment (PIA) template
  • Electronic discovery (e-discovery) guidelines

 

NIST 800-53 Written IT Security Documentation - Robust Approach To Cybersecurity

For a preview into what the twenty-six (26) Written Information Security Program (WISP) policies create a comprehensive IT security framework, based on NIST 800-53 v4 best practices:

 

2017-wisp-nist-800-53-written-information-security-program-nist-800-171-compliance-50.jpg

 

  

NIST 800-53 IT Security Documentation - Understanding How Policies, Control Objectives, Standards, Guidelines & Procedures Relate

example-cybersecrity-framework-customized-comprehensive-written-information-security-program-it-security-policy-wisp.jpg

 

 

The Most Comprehensive NIST 800-53-Based IT Security Documentation Available Online

2017-wisp-nist-800-53-rev-4-it-security-policy-components-management-operational-technical-privacy-control-objectives.jpg

 

Information Security Program - NIST 800-53 IT security policy & standards based on NIST 800-53 PM family

Purpose: The purpose of the Program Management (PM) policy is for your company to specify the development, implementation, assessment, authorization, and monitoring of the IT security program management. The successful implementation of security controls for organizational information systems depends on the successful implementation of the organization’s program management controls. The IT security Program Management (PM) controls are essential for managing the IT security program.

Supporting Documentation: Program Management (PM) standards directly support this policy. 

 

Security Testing Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 CA family

Purpose:  The purpose of the Certification, Accreditation & Security Assessment (CA) policy is to ensure that risk determinations made during the initial risk assessment for a project or information system are accurate and provide a thorough portrayal of the risks to the your company.  

Supporting Documentation: Certification, Accreditation & Security Assessment (CA) standards directly support this policy. 

 

Security Resource Planning Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 PL family

Purpose:  The purpose of the Planning (PL) policy is to ensure due care planning considerations are addressed to minimize risks to your company.

Supporting Documentation: Planning (PL) standards directly support this policy. 

 

Risk Assessment Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 RA family

Purpose: The purpose of the Risk Assessment (RA) policy is to ensure that risk determinations made during the initial risk assessment for a project or information system are accurate and provide a thorough portrayal of the risks to your company.  

Supporting Documentation: Risk Assessment (RA) standards directly support this policy. 

 

IT Systems & Services Acquisition Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SA family

Purpose:  The purpose of the System & Services Acquisition (SA) policy is to ensure that information systems employ a System Development Life Cycle (SDLC), where the security of systems and services are assessed throughout the operational life of the systems to reduce risks to your company.  

Supporting Documentation: System & Service Acquisition (SA) standards directly support this policy. 

 

IT Security Awareness & Training Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AT family

Purpose:  The purpose of the Awareness & Training (AT) policy is to provide guidance for broad security awareness and security training for your company users.

Supporting Documentation: Awareness & Training (AT) standards directly support this policy. 

 

Configuration Management Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 CM family

Purpose:  The purpose of Configuration Management (CM) policy is to establish and maintain the integrity of information systems.

Supporting Documentation: Configuration Management (CM) standards directly support this policy. 

 

Contingency Planning Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-CP family

Purpose:  The purpose of Contingency Planning (CP) policy is to establish procedures that will help your company management to quickly determine the appropriate actions to be taken due to an interruption of service or disaster.

Supporting Documentation: Contingency Planning (CP) standards directly support this policy. 

 

Incident Response Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 IR family

Purpose:  The purpose of Incident Response (IR) policy is to establish a protocol to guide your company’s response to a cyber-security incident.

Supporting Documentation: Incident Response (IR) standards directly support this policy. 

 

Maintenance Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 MA family

Purpose:  The purpose of the Maintenance (MA) policy is to ensure that due diligence is performed by properly maintaining your company information systems.  

Supporting Documentation: Maintenance (MA) standards directly support this policy. 

 

Media Protection Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 MP family

Purpose:  The purpose of the Media Protection (MP) policy is to ensure that access to both paper and digital media is limited to authorized individuals. 

Supporting Documentation: Media Protection (MP) standards directly support this policy. 

 

Personnel Security Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 PS family

Purpose:  The purpose of the Personnel Security (PS) policy is to ensure that your company performs due care and due diligence in its personnel management of procedures.

Supporting Documentation: Personnel Security (PS) standards directly support this policy. 

 

Physical & Environmental Protection Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 PE family

Purpose:  The purpose of the Physical & Environmental Protection (PE) policy is to minimize risk to your company information systems and data by addressing applicable physical security and environmental concerns.

Supporting Documentation: Physical & Environmental Protection (PE) standards directly support this policy. 

 

System & Information Integrity Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SI family

Purpose:  The purpose of the System & Information Integrity (SI) policy is to ensure confidentiality, integrity and availability of your company’s data.

Supporting Documentation: System & Information Integrity (SI) standards directly support this policy. 

 

Access Control Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AC family

Purpose:  The purpose of the Access Control (AC) policy is to ensure that your company limits access to its information systems and data to authorized users.

Supporting Documentation: Access Control (AC) standards directly support this policy. 

 

Audit & Accountability Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AU family

Purpose:  The purpose of the Audit & Accountability (AU) policy is to ensure that your company creates and maintains appropriate scope and totality of audit records.  

Supporting Documentation: Audit & Accountability (AU) standards directly support this policy. 

 

Identification & Authentication Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 IA family

Purpose:  The purpose of the Identification & Authentication (IA) policy is to ensure sufficient methods are enacted to properly identify and authentication your company’s authorized users and processes.  

Supporting Documentation: Identification & Authentication (IA) standards directly support this policy. 

 

System & Communication Protection Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SC family

Purpose:  The purpose of the System & Communication Protection (SC) policy is to ensure sufficient protections are in place to protect the confidentiality and integrity of your company’s communications.  

Supporting Documentation: System & Communication Protection (SC) standards directly support this policy. 

 

Data Authority & Purpose Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AP family

Purpose:  The purpose of the Data Authority & Purpose (AP) policy is to that your company identifies the authority to collect Personally Identifiable Information (PII) or activity that impacts privacy and specifies the purpose(s) for which PII is collected.

Supporting Documentation: Data Authority & Purpose (AP) standards directly support this policy. 

 

Data Accountability, Audit & Risk Management Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 AR family

Purpose:  The purpose of the Accountability, Audit & Risk Management (AR) policy is to enhance public confidence through effective governance, monitoring, risk management, and assessments to demonstrate that your company is complying with applicable privacy protection requirements and minimizing overall privacy risk.

Supporting Documentation: Data Accountability, Audit & Risk Management (AR) standards directly support this policy. 

 

Data Quality & Integrity Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 DI family

Purpose:  The purpose of the Data Quality & Integrity (DI) policy is to enhance public confidence that any PII collected and maintained by your company is accurate, relevant, timely, and complete for the purpose for which it is to be used.

Supporting Documentation: Data Quality & Integrity (DI) standards directly support this policy. 

 

Data Minimization & Retention Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 DM family

Purpose:  The purpose of the Data Minimization & Retention (DM) policy is to implement data minimization and retention standards that your company uses to collect, use, and retain only PII that is relevant and necessary for the specified purpose for which it was originally collected. 

Supporting Documentation: Data Minimization & Retention (DM) standards directly support this policy. 

 

Individual Participation & Redress Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 IP family

Purpose:  The purpose of the Individual Participation & Redress (IP) policy is to addresses the need to make individuals active participants in the decision-making process regarding the collection and use of their Personally Identifiable Information (PII).

Supporting Documentation: Individual Participation & Redress (IP) standards directly support this policy. 

 

Data Security Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 SE family

Purpose: The purpose of the Data Security (SE) policy is to supplements the management, operational and technical security controls to ensure safeguards are in place to protect Personally Identifiable Information (PII) collected or maintained by your company against loss, unauthorized access, or disclosure.

Supporting Documentation: Data Security (SE) standards directly support this policy. 

 

Data Transparency Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 TR family

Purpose:  The purpose of the Data Transparency (TR) policy is to implement your company’s method for disclosing information practices and activities for consumer data.

Supporting Documentation: Data Transparency (TR) standards directly support this policy. 

 

Data Use Limitation Policy & Standards - NIST 800-53 IT security policy & standards based on NIST 800-53 UL family

Purpose:  The purpose of the Data Use Limitation (UL) policy is to help your company implement controls that will ensure that the scope of Personally Identifiable Information (PII) use is limited accordingly.

Supporting Documentation: Data Use Limitation (UL) standards directly support this policy.

 

 

Sort by:

Sign up for our Newsletter!

×
×