Comprehensive Cybersecurity Procedures Template
Developing a template that provides worthwhile cybersecurity procedures is somewhat of a "holy grail" in the cybersecurity documentation industry. The good news is that ComplianceForge has solved this issue and is actively working on completing the Cybersecurity Standardized Operating Procedures (CSOP) product. While there is huge demand for this, the CSOP is not yet available, and we are expecting a product release of the NIST 800-171 version of the CSOP in early November 2017. Our team is working on getting it published as quickly as we can, but it is a significant amount of documentation and doing it properly takes time.
The easiest way to stay informed is to sign up for our newsletter (scroll to the bottom of the page), or you can contact us to learn more. We are also taking pre-orders for the NIST 800-171 version of the CSOP.
NIST 800-171 Procedures Template
We are planning on releasing the NIST 800-171 version of the CSOP template on November 1, 2017. That date may change, but our team is focusing efforts on getting this template published as quickly as we can. This version of the CSOP is specifically focused on procedures to meet control requirements within NIST 800-171 rev1 for Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls.
Please take a moment to read through our example Cybersecurity Standardized Operating Procedures (CSOP) product:
WHAT PROBLEM DOES THE CSOP SOLVE?
- Lack of In House Security Experience - Writing cybersecurity procedures is a skill that most cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CSOP is an efficient method to obtain comprehensive security procedures for your organization!
- Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security procedures. Requirements range from PCI DSS to HIPAA to NIST 800-171. The DSP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CSOP's procedures provide mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.
- Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies, standards and controls.
HOW DOES THE CSOP SOLVE IT?
- Clear Documentation - The CSOP provides a comprehensive template for your procedures to help prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - The CSOP can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific procedural needs.
- Alignment With Leading Practices - The CSOP is written to support over two dozen leading frameworks!
Standardizing Cybersecurity Processes Helps Become "Audit Ready"
We are using the framework from the Digital Security Program (DSP) as the foundation for the CSOP. This means that the CSOP will have a procedure statement written for every one of the standards in the DSP! The CSOP comes with an Excel spreadsheet that provides the mapping for the procedures to these leading frameworks and requirements:
- NIST Cybersecurity Framework (CSF)
- National Industrial Security Program Operating Manual (NISPOM)
- Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012)
- Federal Acquisition Regulation (FAR 52.204-21)
- Federal Risk and Authorization Management Program (FedRAMP)
- Fair & Accurate Credit Transactions Act (FACTA)
- Financial Industry Regulatory Authority (FINRA)
- Generally Accepted Privacy Principles (GAPP)
- Payment Card Industry Data Security Standard (PCI DSS)
- Control Objectives for Information and Related Technology (COBIT 5)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes Oxley Act (SOX)
- Gramm Leach Bliley Act (GLBA)
- NY DFS (23 NYCRR 500)
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
- American Institute of CPAs Service Organization Control (AICPA SOC 2)
- Center for Internet Security Critical Security Controls (CIS CSC)
- Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
- European Union Agency for Network and Information Security (ENISA)
- European Union General Data Protection Regulation (EU GDPR)
- United Kingdom Data Protection Act (UK DPA)
- Massachusetts 201 CMR 17.00
- Oregon Identity Theft Protection Act (ORS 646A)
Standardized Process Criteria - Helps Identify The Who/What/Where/When/How For Procedures
Your customization will be to help "fill in the blanks" with specific process owners, process operators, where additional documentation can be found, applicable service obligations (e.g., SLAs), and what technology/tools your team has available. We've done the heavy lifting and you just need to fill in the blanks.
- Process Owner:
- This is the name of the individual or team accountable for the procedure being performed.
- Example: Chief Information Security Officer (CISO) / Cybersecurity Director.
- Process Operator:
- This is the name of the individual or team responsible to perform the actual task.
- Example: SOC Analyst / Risk Analyst / Network Admin.
- Frequency:
- This is the cadence for how often the procedure needs to be performed: annual, semi-annual, quarterly, monthly, bi-weekly, weekly, daily, continuous or as needed.
- Example: Quarterly vulnerability scans / Monthly software patches / Annual risk assessments.
- Scope of Impact:
- This is the scope of the procedure, which is one of the following:
- Purely internal processes;
- Purely external processes (e.g., outsourced vendor processes); or
- Both internal and external processes.
- It also addresses the potential impact of the process, which can be one or more of the following:
- A geographic region; or
- The entire company.
- Location of Additional Documentation:
- This is where additional documentation is stored or can be found. You might want to reference a Wiki, SharePoint site, or other documentation repository.
- Performance Target:
- This addresses targeted timelines for the process to be completed (e.g., Service Level Agreements).
- Not all processes have SLAs or targeted timelines.
- Technology in Use:
- This addresses the applications/systems/services that are available to perform the procedure.
- Examples:
- Splunk as a Security Incident and Event Management (SIEM) solution to collect logs;
- McAfee ePO for centralized antimalware management; or
- Tripwire Enterprise for File Integrity Monitoring (FIM).
We've Done The Heavy Lifting For You!
Given the difficult nature of writing templated procedure statements, we aimed for approximately a "75% solution" since customization is absolutely necessary. The reason for that is pretty clear - every company has different resources, technology and structures in place, so no one procedure can be equally applied across multiple organizations. However, we found that about 3/4 of the procedures can be generic enough to form a template that any organization can put the finishing touches on to have a concise and effective procedures statement.