Policy & Procedures
The first control in every NIST family domain is a requirement to have written information security policies and procedures. As such, investing time in developing and maturing policies and procedures is the foundation of any IT security program.
Everybody has easy plug-and-play templates. The major lift is tailoring these templates to existing legislation, the organization's mission, and industry best practices in information security. This requires coordination with every appropriate representative who has a hand in that particular domain. Questionnaires, virtual meetings, and follow-ups are necessary.
Developing and updating policies and procedures is not a one-time event. While treating it as one may get an organization by, that approach usually fails after the first major audit. Assigning an owner to each policy, to help ensure it is updated annually, is crucial to supporting the organization's due diligence toward third parties.