Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!

Documented Procedures & Control Activities

At the heart of it, procedures represent an established way of doing something, such as a series of actions conducted in a specified order or manner. Some organizations refer to procedures as “control activities” and the terms are essentially synonymous.

Documented procedures are one of the most overlooked requirements in cybersecurity compliance, yet they are also a minimum expectation that an auditor is going to look for. Organizations that undergo annual audits tend to do better with procedures, since they learned early on that lacking procedures would earn a control deficiency and possibly fail the audit (e.g., SOX). Companies tend to learn quickly that lacking procedures is treated as a demonstrated failure of internal controls in the auditor's eyes. In general terms, internal controls are the policies, standards and procedures that an organization implements to govern its cybersecurity and privacy program.

For anyone who has written procedures, the answer for why companies routinely fail to maintain procedures is clear - it can take considerable time and effort to properly document processes. Part of that is tied to a lack of best practices around what good procedures look like - every organization tends to do something different, based on internal staff preferences or auditor pressure. This leads to a lack of standardization across departments and business functions, which can be an issue when trying to maintain "what right looks like" if a benchmark does not exist.

Key Takeaways - Documented Procedures & Control Activities
  • US federal data security laws are statutory obligations: they are required by law and carry criminal and civil penalties for non-compliance.
  • Key federal laws include FACTA, GLBA, HIPAA and SOX, each targeting specific industries and data types.
  • These laws represent Minimum Compliance Requirements (MCR), the absolute floor that must be addressed.
  • ComplianceForge products map to these federal requirements through the Secure Controls Framework (SCF), ensuring your documentation addresses applicable laws.
  • Statutory obligations carry the highest severity penalties, including criminal prosecution, jail time and significant fines.
What Can Be Done To Make It Easier?

How ComplianceForge Helps

The good news is that ComplianceForge developed a standardized template for procedures and control activity statements, the Cybersecurity Standardized Operating Procedures (CSOP).

Given the difficult nature of writing templated procedure statements, we aimed for approximately a "90% solution" since it is impossible to write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who / what / when / where / why / how to make it complete.

There are six (6) versions of the CSOP:

  • Procedures - Security, Compliance & Resilience Program (SCRP), $6,400.00 USD. This version of the SCRP is a hybrid, "best in class" approach to cybersecurity documentation that covers dozens of statutory, regulatory and contractual frameworks to create a comprehensive set of cybersecurity procedures. The SCRP has a 1-1 mapping relationship with the Secure Controls Framework (SCF) so it maps to over 200 leading practices! Contains: Word, Excel, PowerPoint, PDF.
  • Procedures - NIST CSF 2.0, $4,700.00 USD. This version of the Cybersecurity Standardized Operating Procedures (CSOP) is based on the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0). It contains the necessary NIST CSF procedures that help achieve compliance with NIST CSF. You get fully-editable Microsoft Word documents that you can customize for your specific needs. Contains: Word, Excel, PowerPoint, PDF.
  • Procedures - ISO 27001 / 27002, $4,700.00 USD. This version of the CSOP is based on the ISO 27001 / 27002 framework. It contains the necessary ISO 27001 / 27002 procedures that help achieve compliance with ISO 27001 / 27002. You get fully-editable Microsoft Word documents that you can customize for your specific needs. Contains: Word, Excel, PowerPoint, PDF.
  • Procedures - NIST 800-53 R5 (moderate), $4,700.00 USD. This version of the CSOP is based on the NIST 800-53 Rev 5 framework. It contains cybersecurity procedures that align with NIST 800-53 (including NIST 800-171 & CMMC requirements). You get fully-editable Microsoft Word documents that you can customize for your specific needs. Contains: Word, Excel, PowerPoint, PDF.
  • Procedures - NIST 800-53 R5 (high), $5,995.00 USD. This version of the CSOP is based on the NIST 800-53 Rev 5 framework. It contains cybersecurity procedures that align with NIST 800-53 (including NIST 800-171 & CMMC requirements). You get fully-editable Microsoft Word documents that you can customize for your specific needs. Contains: Word, Excel, PowerPoint, PDF.
  • Procedures - CORE Fundamentals, $1,400.00 USD. This version of the CSOP is based on the SCF CORE Fundamentals from the Secure Controls Framework (SCF). It contains the necessary procedures that help achieve compliance with the SCF. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs. Contains: Word, Excel, PowerPoint, PDF.

Procedure Documentation Expectations

What Expectations Are There?

Procedures should be both clearly written and concise, since procedure documentation is meant to provide evidence of due diligence that standards are complied with. Well-managed procedures are critical to a security program, since procedures represent the specific activities that are performed to protect systems and data. The linkages listed below show how written procedures relate to the other layers of documentation:

  • CONTROL OBJECTIVES exist to support POLICIES.
  • STANDARDS are written to support CONTROL OBJECTIVES.
  • PROCEDURES are written to implement the requirements that STANDARDS establish.
  • CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or function.
  • METRICS exist as a way to measure the performance of CONTROLS.
Consequences

What Can Go Wrong If I Do Not Have Written Procedures?

What can possibly go wrong with non-compliance with a law, regulation or contract?

Contract Termination
It is reasonably expected that the other party will terminate contracts over non-compliance with major cybersecurity and privacy requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance may also cause a prime contractor to be non-compliant, as a whole.
Criminal Fraud
If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
Breach of Contract Lawsuits
Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a non-compliance related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., no documented procedures).
Fines
The Federal Trade Commission (FTC) has authority to investigate and fine companies found to have poor security programs. In addition to fines, companies can be forced to pay for recurring, annual audits to demonstrate cybersecurity program effectiveness.

Below is a short list of statutory and regulatory requirements, as well as leading cybersecurity frameworks, that expect every organization to document and maintain cybersecurity-related procedures. If you need to address one or more of these frameworks, then you need to maintain documented procedures.

  • SOC 2
  • CIS CSC 7
  • Criminal Justice Information Services (CJIS)
  • COBIT5
  • COSO
  • ENISA
  • EU GDPR
  • FedRAMP
  • FFIEC
  • HIPAA
  • ISO 27001
  • ISO 27002
  • ISO 27018
  • ISO 29100
  • ISO 39100
  • New Zealand Information Security Manual (NZISM)
  • NIST Cybersecurity Framework
  • NIST 800-53
  • NIST 800-160
  • NIST 800-171
  • NY DFS 23 NYCRR 500
  • PCI DSS
  • UK Cyber Essentials
  • UL 2900-1
"Mission Creep"

Identifying "Mission Creep" With Procedures

Procedures are not meant to be documented for the sake of generating paperwork; each procedure is meant to satisfy a specific operational need and to be complied with:

  • If procedures exist and are not tied to a standard, then management should review why the procedure is in place.
  • A procedure that lacks a mapping to a standard may indicate “mission creep” and represent an opportunity to reassign the work or cease performing the procedure.
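The two checks above, together with the documentation linkages described earlier on this page (control objectives supporting policies, standards supporting control objectives, procedures implementing standards), can be run mechanically over a documentation inventory. The following is an added illustration written for this page, not ComplianceForge or SCF code: it assumes a small inventory of constructed, illustrative identifiers (the POL-, OBJ-, STD- and PRC- names are not SCF or CSOP identifiers) and reports procedures with no standard behind them (the "mission creep" case), standards with no procedure implementing them, stale references, and standards whose chain back to a policy is broken.

```python
from dataclasses import dataclass


@dataclass
class Inventory:
    """Constructed documentation inventory; identifiers are illustrative only."""
    policies: dict            # policy id -> title
    control_objectives: dict  # objective id -> policy id it supports
    standards: dict           # standard id -> control objective id it supports
    procedures: dict          # procedure id -> list of standard ids it implements


def mission_creep(inv: Inventory) -> list:
    """Procedures not tied to any existing standard: candidates for review,
    reassignment or retirement."""
    return sorted(pid for pid, stds in inv.procedures.items()
                  if not any(s in inv.standards for s in stds))


def unimplemented_standards(inv: Inventory) -> list:
    """Standards that no procedure implements: the gap an auditor would record
    as a control deficiency."""
    implemented = {s for stds in inv.procedures.values() for s in stds}
    return sorted(s for s in inv.standards if s not in implemented)


def dangling_references(inv: Inventory) -> dict:
    """Procedure -> standard references pointing at standards that no longer
    exist (typically left behind when a standard is retired or renamed)."""
    out = {}
    for pid, stds in inv.procedures.items():
        missing = sorted(s for s in stds if s not in inv.standards)
        if missing:
            out[pid] = missing
    return out


def broken_chains(inv: Inventory) -> list:
    """Standards whose control objective, or that objective's policy, is
    missing, so the standard cannot be traced back to a policy."""
    broken = []
    for std_id, obj_id in inv.standards.items():
        pol_id = inv.control_objectives.get(obj_id)
        if pol_id is None or pol_id not in inv.policies:
            broken.append(std_id)
    return sorted(broken)


def report(inv: Inventory) -> dict:
    """All four findings in one structure, suitable for a review meeting."""
    return {
        "mission_creep": mission_creep(inv),
        "unimplemented_standards": unimplemented_standards(inv),
        "dangling_references": dangling_references(inv),
        "broken_chains": broken_chains(inv),
    }


def build_sample() -> Inventory:
    """Constructed sample with one of each defect planted deliberately."""
    return Inventory(
        policies={"POL-ACCESS": "Access control policy"},
        control_objectives={
            "OBJ-LEAST-PRIV": "POL-ACCESS",
            "OBJ-ORPHAN": "POL-RETIRED",       # policy no longer exists
        },
        standards={
            "STD-MFA": "OBJ-LEAST-PRIV",
            "STD-REVIEW": "OBJ-LEAST-PRIV",
            "STD-LOGGING": "OBJ-ORPHAN",
        },
        procedures={
            "PRC-ENROLL-MFA": ["STD-MFA"],
            "PRC-QUARTERLY-REVIEW": ["STD-REVIEW", "STD-OLD"],  # stale reference
            "PRC-WEEKLY-REPORT": [],                            # no standard at all
        },
    )


if __name__ == "__main__":
    for finding, items in report(build_sample()).items():
        print(f"{finding}: {items}")
```

On the constructed sample, PRC-WEEKLY-REPORT is the mission-creep candidate, STD-LOGGING is both unimplemented and unable to trace back to a live policy, and PRC-QUARTERLY-REVIEW still cites the retired STD-OLD. Treating the inventory as data (a spreadsheet export works just as well as the dicts used here) is what makes the review repeatable rather than a one-off reading exercise.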
Roles & Responsibilities

NIST NICE Cybersecurity Workforce Framework

The Cybersecurity Standardized Operating Procedures (CSOP) leverages the NIST NICE Cybersecurity Workforce Framework. The premise of this framework is that work roles have an impact on an organization's ability to protect its data, systems and operations. Assigning work roles helps direct the work of employees and contractors and minimizes assumptions about who is responsible for certain cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!

What Problem Does ComplianceForge Solve?

What Problems Are There?

We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!

Lack of In House Security Experience
Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers documentation solutions that can save your organization significant time and money!
Compliance Requirements
The reality of non-compliance with requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant but cannot provide evidence. Our documentation can help you become and stay compliant where you have documented evidence to prove it!
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to multiple leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.

How Does ComplianceForge Solve It?

We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!

Clear Documentation
In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
Time is money! Our cybersecurity documentation addresses dozens of requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
Alignment With Leading Practices
We did the heavy lifting. Our documentation is mapped to multiple leading security frameworks!