Security Documentation Starts with Policies & Standards
Our products offer coverage for these and other leading frameworks and requirements:
NIST 800-53, NIST 800-171, NIST Cybersecurity Framework (CSF), National Industrial Security Program Operating Manual (NISPOM), Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), Federal Acquisition Regulation (FAR 52.204-21), FedRAMP, Fair & Accurate Credit Transactions Act (FACTA), Financial Industry Regulatory Authority (FINRA)
ISO 27002, ISO 27018, Generally Accepted Privacy Principles (GAPP), Payment Card Industry Data Security Standard (PCI DSS), Control Objectives for Information and Related Technology (COBIT 5), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), NY DFS 23 NYCRR 500
American Institute of CPAs (AICPA) Service Organization Control (SOC 2), Center for Internet Security Critical Security Controls (CIS CSC), Cloud Security Alliance Cloud Controls Matrix (CSA CCM), European Union Agency for Network and Information Security (ENISA), European Union General Data Protection Regulation (EU GDPR), United Kingdom Data Protection Act (UK DPA), Massachusetts 201 CMR 17.00, Oregon Identity Theft Protection Act (ORS 646A)
ComplianceForge offers four (4) unique products to implement an organization-wide security program:
From surveying cybersecurity professionals, we created the following chart to provide a comparison of options for companies needing security program documentation:
Written Information Security Program (WISP) Cost Savings Estimate
As you can see, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a WISP from ComplianceForge is approximately 4% ($17,000+ savings) of the cost as compared to writing your own documentation and 2% ($41,000+ savings) of the cost as compared to hiring a consultant to write it for you!
Digital Security Program (DSP) Cost Savings Estimate
Similar to the WISP example above, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a DSP from ComplianceForge is approximately 17% ($37,000+ savings) of the cost as compared to writing your own documentation and 8% ($90,000+ savings) of the cost as compared to hiring a consultant to write it for you!
In both the Written Information Security Program (WISP) and Digital Security Program (DSP), we use a hierarchical model to design the documentation. The idea is that this structure allows policies to be mapped all the way down to metrics.
Policies are “high level” statements of management’s intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but provide an overall direction for the organization.
Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.
Standards establish formal requirements with regard to processes, actions and configurations. Standards are entirely focused on providing narrowly-scoped, prescriptive requirements that are quantifiable.
Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.
Controls are technical or administrative safeguards that may prevent, detect or lessen the ability of the threat actor to exploit a vulnerability.
Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.