Policy & Procedures
The first control in every NIST control family is a requirement to have written information security policies and procedures. As such, investing time in developing and maturing policies and procedures is the foundation of any IT security program.
Everybody has easy plug-and-play templates. The major lift is tailoring these templates to existing legislation, the organization's mission, and industry best practices in information security. This requires coordination with every appropriate representative who has a hand in that particular domain. Questionnaires, virtual meetings, and follow-ups are necessary.
Developing and updating policies and procedures is not a one-time event. Treating it as one may get an organization by for a while, but it usually fails at the first major audit. Assigning an owner to each policy, to help ensure annual updates, is crucial to supporting the organization's due diligence toward third parties.
CyberSuite Policy and Procedure Service
Once we establish a baseline policy and procedure set, we can set a recurring monthly, quarterly, or annual pulse check to ensure your organization stays on the right track.
- We will review authorization memos, interconnection agreements, risk-based decisions, briefings to management, and draft legislative documents, and provide timely feedback to stakeholders as necessary.
- CyberSuite will use NIST Special Publication 800-53A and 800-53 Rev. 5 as the baseline when reviewing the effectiveness and compliance of your IT policy and procedure set.
- We will ensure that the policies and procedures for your set of FISMA security controls address the requirements and the determine-if statements set within NIST guidelines in a cohesive manner that also aligns with your organization's overall mission.