Cybersecurity Standardized Operating Procedures
Comprehensive Cybersecurity Procedures Template
Until now, developing a template that provides worthwhile cybersecurity procedures has been somewhat of a "missing link" within the cybersecurity documentation industry. The good news is that ComplianceForge solved this issue with the Cybersecurity Standardized Operating Procedures (CSOP) product.
We currently offer one version of the CSOP that is tailored for NIST 800-171 compliance. The ComplianceForge team is currently working on a larger version of the CSOP that will cover all sections of the Digital Security Program (DSP) and address NIST 800-53, ISO 27002 and all the other frameworks covered by the DSP. This larger version of the CSOP will be available in early 2018. The easiest way to stay informed is to sign up for our newsletter (scroll to the bottom of the page), or you can contact us to learn more.
The CSOP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.
At the heart of it, the CSOP provides an organization with clear cybersecurity procedures that can scale to meet the needs and complexity of any team. The procedures are mapped to leading frameworks, so it is straightforward to have procedures that directly link to requirements from NIST 800-171, ISO 27002, NIST 800-53 and many other common cybersecurity and privacy-related statutory, regulatory and contractual frameworks!
The value of the CSOP comes from having well-constructed procedure statements that can help you become audit ready in a fraction of the time and cost to do it yourself or hire a consultant to come on-site and write it for you. The entire concept of this cybersecurity procedures template is focused on two things:
- Providing written procedures to walk your team members through the steps they need to meet a requirement to keep your organization secure; and
- Helping your company be audit ready with the appropriate level of due diligence evidence that allows you to demonstrate your organization meets its obligations.
What Is The Cybersecurity Standardized Operating Procedures (CSOP)?
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The NIST 800-171 version of the CSOP contains procedure statements in an editable Microsoft Word format:
- Each of the NIST 800-171 rev1 controls has a procedure associated with it - both Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls.
- The CSOP addresses the “how?” questions in an audit, since procedures provide the means for how your organization's policies and standards are actually implemented.
- The CSOP provides the underlying cybersecurity procedures that must be documented, many of which are stipulated by statutory, regulatory and contractual requirements.
- The procedure statements in the CSOP can be cut & pasted into other tools (e.g., wiki page) or left in a single document. There is no wrong answer for how procedures are maintained, since every organization is unique in the tools used and the location of users.
What Problem Does The CSOP Solve?
- Lack of In-House Security Experience - Writing cybersecurity procedures is a skill that most cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CSOP is an efficient method to obtain comprehensive security procedures for your organization!
- Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security procedures. Requirements range from PCI DSS to HIPAA to NIST 800-171. The DSP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CSOP's procedures provide mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.
- Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies, standards and procedures.
How Does the CSOP Solve It?
- Clear Documentation - The CSOP provides a comprehensive template for your procedures to help prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - The CSOP can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific procedural needs.
- Alignment With Leading Practices - The CSOP is written to support over two dozen leading frameworks!
Product Example - NIST 800-171 CSOP
Our customers choose the NIST 800-171 Cybersecurity Standardized Operating Procedures (CSOP) because they:
- Have a need for comprehensive cybersecurity procedures to address their compliance needs
- Need to be able to edit the document to their specific technology, staffing and other considerations
- Have documentation that is directly linked to NIST 800-53, NIST 800-171 and other documentation
- Need an affordable and timely solution to address not having procedures
Don't take our word for it - take a look at the example below to see for yourself the level of professionalism and detail that went into it.
Cost Savings Estimate - Cybersecurity Standardized Operating Procedures (CSOP)
The process of writing cybersecurity policies and standards can take an internal team many months, and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. Hiring a cybersecurity consultant at $300/hr+ to write this documentation for you is immensely expensive, and the time to schedule a consultant, provide guidance and get the deliverable product can take months. This also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
When you look at the costs associated with either hiring a consultant to write cybersecurity procedures for you or tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Purchasing the CSOP offers these clear advantages:
- Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars!
- Compared to writing your own procedures, you can potentially save hundreds of man-hours and the associated cost of lost productivity.
- Orders are usually processed the same business day so you get your NIST 800-171 CSOP quickly!
When you factor in approximately 160+ hours of a cybersecurity consultant and the internal staff time to perform reviews and refinements with key stakeholders, purchasing a CSOP from ComplianceForge is approximately 5% ($45,500+ savings) of the cost as compared to hiring a consultant to write it for you!
When you factor in 200+ hours of internal staff time to research, write and peer review cybersecurity documentation, purchasing a CSOP from ComplianceForge is approximately 17% ($12,000+ savings) of the cost as compared to writing your own documentation!
We've Done The Heavy Lifting For You!
Given the difficult nature of writing templated procedure statements, we aimed for approximately a "75% solution" since it is impossible to write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who / what / when / where / why / how to make it complete.
Take a look at the example to see for yourself. We even provide a matrix to help identify the likely stakeholders for these procedures.
NIST 800-171 Compliance Concerns?
Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53 rev4? The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework and it can help your organization become compliant with NIST 800-171 requirements.
Additionally, you will want to take a look at our NIST 800-171 Compliance Criteria (NCC) product, since it contains practical guidance on how to comply with NIST 800-171 requirements. This supports the NIST 800-171 CSOP. NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI.
Below is a representation of the type of procedures and other documentation that must be addressed with NIST 800-171:
Standardizing Cybersecurity Processes Helps Become "Audit Ready"
We are using the framework from the Digital Security Program (DSP) as the foundation for the CSOP. This means that the CSOP will have a procedure statement written for every one of the standards in the DSP! The CSOP comes with an Excel spreadsheet that provides the mapping for the procedures to these leading frameworks and requirements:
- NIST Cybersecurity Framework (CSF)
- National Industrial Security Program Operating Manual (NISPOM)
- Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012)
- Federal Acquisition Regulation (FAR 52.204-21)
- Federal Risk and Authorization Management Program (FedRAMP)
- Fair & Accurate Credit Transactions Act (FACTA)
- Financial Industry Regulatory Authority (FINRA)
- Generally Accepted Privacy Principles (GAPP)
- Payment Card Industry Data Security Standard (PCI DSS)
- Control Objectives for Information and Related Technology (COBIT 5)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act (SOX)
- Gramm-Leach-Bliley Act (GLBA)
- NY DFS (23 NYCRR 500)
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
- American Institute of CPAs Service Organization Control (AICPA SOC 2)
- Center for Internet Security Critical Security Controls (CIS CSC)
- Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
- European Union Agency for Network and Information Security (ENISA)
- European Union General Data Protection Regulation (EU GDPR)
- United Kingdom Data Protection Act (UK DPA)
- Massachusetts 201 CMR 17.00
- Oregon Identity Theft Protection Act (ORS 646A)
Standardized Process Criteria - Helps Identify The Who/What/Where/When/How For Procedures
Your customization consists of "filling in the blanks" with specific process owners, process operators, where additional documentation can be found, applicable service obligations (e.g., SLAs), and what technology/tools your team has available. We've done the heavy lifting and you just need to fill in the blanks.
- Process Owner:
- This is the name of the individual or team accountable for the procedure being performed.
- Example: Chief Information Security Officer (CISO) / Cybersecurity Director.
- Process Operator:
- This is the name of the individual or team responsible to perform the actual task.
- Example: SOC Analyst / Risk Analyst / Network Admin.
- Frequency:
- This is the annual, semi-annual, quarterly, monthly, bi-weekly, weekly, daily, continuous or as-needed cadence for how often the procedure needs to be performed.
- Example: Quarterly vulnerability scans / Monthly software patches / Annual risk assessments.
- Scope of Impact:
- This is the scope of the procedure:
- Purely internal processes;
- Purely external processes (e.g., outsourced vendor processes); or
- Scope covers both internal processes and external ones.
- It also addresses the potential impact of the process, which can be one or more of the following:
- Geographic region; or
- The entire company
- Location of Additional Documentation:
- This is where additional documentation is stored or can be found. You might want to reference a Wiki, SharePoint site, or other documentation repository.
- Performance Target:
- This addresses targeted timelines for the process to be completed (e.g., Service Level Agreements).
- Not all processes have SLAs or targeted timelines.
- Technology in Use:
- This addresses the applications/systems/services that are available to perform the procedure. Examples:
- Splunk for a Security Incident Event Manager (SIEM) solution to collect logs;
- McAfee ePO for centralized antimalware management; or
- Tripwire Enterprise for File Integrity Monitoring (FIM).
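The criteria above amount to a record per procedure with a fixed set of "blanks". As an added illustration (not part of the CSOP product or its spreadsheet), the script below models such a record in Python, reports which blanks are still unfilled, and flags a procedure whose last recorded execution is older than its stated cadence allows; the day counts per cadence and the sample record are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Cadences named in the Frequency criterion. Day counts are an assumption used
# only to estimate when a procedure is next due; None means nothing to schedule.
CADENCE_DAYS = {
    "annual": 365, "semi-annual": 182, "quarterly": 91, "monthly": 30,
    "bi-weekly": 14, "weekly": 7, "daily": 1, "continuous": None, "as needed": None,
}
SCOPES = {"internal", "external", "both"}   # Scope of Impact options on the page


@dataclass
class Procedure:
    control_id: str                  # requirement the procedure satisfies (placeholder below)
    process_owner: str               # accountable individual or team
    process_operator: str            # individual or team performing the task
    frequency: str                   # one of CADENCE_DAYS
    scope: str                       # one of SCOPES
    documentation_location: str      # wiki, SharePoint site, etc.
    performance_target: Optional[str] = None   # SLA text; not every process has one
    technology_in_use: List[str] = field(default_factory=list)
    last_performed: Optional[str] = None       # ISO date of last execution, if any


def validate(p: Procedure) -> List[str]:
    """Return the blanks still to be filled before the record is audit-ready."""
    issues = []
    for name in ("process_owner", "process_operator", "documentation_location"):
        if not getattr(p, name).strip():
            issues.append(f"{name} is blank")
    if p.frequency not in CADENCE_DAYS:
        issues.append(f"frequency {p.frequency!r} is not a recognised cadence")
    if p.scope not in SCOPES:
        issues.append(f"scope {p.scope!r} must be one of {sorted(SCOPES)}")
    if not p.technology_in_use:
        issues.append("technology_in_use is empty")
    return issues


def is_overdue(p: Procedure, today_iso: str) -> bool:
    """True when the last execution is older than the cadence allows (evidence gap)."""
    days = CADENCE_DAYS.get(p.frequency)
    if days is None:                 # continuous, as-needed or unknown: nothing to schedule
        return False
    if p.last_performed is None:     # never performed: no due-diligence evidence at all
        return True
    last = date.fromisoformat(p.last_performed)
    return date.fromisoformat(today_iso) - last > timedelta(days=days)


# Constructed sample record; the control id is a placeholder, not a real requirement.
SAMPLE = Procedure(
    control_id="EXAMPLE-CONTROL-01", process_owner="CISO", process_operator="Risk Analyst",
    frequency="quarterly", scope="internal", documentation_location="wiki/vuln-mgmt",
    technology_in_use=["Tripwire Enterprise"], last_performed="2018-01-05",
)
```

Running `validate` over every record in a procedure inventory gives the list of blanks still to be filled; running `is_overdue` against today's date gives the procedures that currently lack fresh due-diligence evidence.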
Which Product Is Right For You?
Our documentation is meant to address your requirements from strategic concepts all the way down to the day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you can benefit from significant savings by bundling the documentation you need. You can see the available bundles here.
We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!