Editable Secure Controls Framework (SCF) Procedures Template

The Cybersecurity Standardized Operating Procedures (CSOP) has complete coverage for the Secure Controls Framework (SCF). The SCF version of the CSOP is an enterprise-class solution for cybersecurity procedures. The SCF version of the CSOP contains a catalog of over 1,200 editable procedure statements that come in both Word and Excel format, so you have the flexibility to import the procedure statements into a tool (e.g., GRC platform) or edit in Word. The CSOP is a one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! 

The structure of the DSP / SCF maps to over 100 statutory, regulatory and contractual frameworks, so the CSOP is the most comprehensive set of procedures that you will find for the price. 

• The CSOP addresses the “how?” questions in an audit, since procedures provide the means for how your organization's policies and standards are actually implemented.
• The CSOP provides the underlying cybersecurity procedures that must be documented, as may be stipulated by statutory, regulatory and contractual requirements.
• The procedure statements in the CSOP can be cut & pasted into other tools (e.g., wiki page) or left in a single document. There is no wrong answer for how procedures are maintained, since every organization is unique in the tools used and the location of users.

Given the difficult nature of writing templated procedure statements, we aimed for approximately a "80% solution" since it is impossible to write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who / what / when / where / why / how to make it complete.

What Problem Does The SCF Procedures Template Solve?

• Lack of In House Security Experience - Writing cybersecurity procedures is a skill that most cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CSOP is an efficient method to obtain comprehensive IT security procedures for your organization!
• Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security procedures. Requirements range from PCI DSS to HIPAA to NIST 800-171. The CSOPis designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements. 
• Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CSOP's procedures provide mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.   
• Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies, standards and procedures.

Our customers choose the Cybersecurity Standardized Operating Procedures (CSOP) because they:

• Have a need for comprehensive cybersecurity procedures to address their compliance needs.
• Need to be able to edit the document to their specific technology, staffing and other considerations.
• Have documentation that is directly linked to leading frameworks (e.g., CMMC, NIST CSF 2.0, NIST 800-53, NIST 800-171, ISO 27002, HIPAA and others).
• Need an affordable and timely solution to address not having procedures.

How Does The SCF Procedures Template Solve These Problems?

• Clear Documentation - The CSOP provides a comprehensive template for your procedures to help prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
• Time Savings - The CSOP can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific procedural needs. 
• Alignment With Leading Practices - The CSOP is written to support over two dozen leading frameworks! 

Until now, developing a template to provide worthwhile cybersecurity procedures is somewhat of a "missing link" within the cybersecurity documentation industry. The good news is that ComplianceForge solved this issue with the Cybersecurity Standardized Operating Procedures (CSOP) product. We are the only provider to have an affordable and comprehensive procedures template! Our CSOP can save a business several hundred hours of work in developing control activities / procedure statements, so the CSOP is worth checking out! 

Example SCF Procedures

The CSOP is essentially a templatized catalog of procedures that you can edit for your needs. We did the heavy lifting in writing the procedures to get to approximately an "80% solution" so you just need to do the final customization of the procedure that only you will know since that is going to be very specific to your organization and business processes. This can jump start your procedures effort and save you several hundred hours of development time. Seeing is believing, so you can view an example of the SCF procedures template below:

View Product Example

The PDF document shown below provides two, side-by-side examples from policies all the way through metrics, so you can see what the actual content looks like.

Cost Savings Estimate - SCF Procedures Template

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SCF procedures template from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

• For your internal staff to generate comparable documentation, it would take them an estimated 1,200 internal staff work hours, which equates to a cost of approximately $100,000 in staff-related expenses. This is about 9-18 months of development time where your staff would be diverted from other work.
• If you hire a consultant to generate this documentation, it would take them an estimated 800 consultant work hours, which equates to a cost of approximately $260,000. This is about 6-12 months of development time for a contractor to provide you with the deliverable.
• The CSOP is approximately 2% of the cost for a consultant or 6% of the cost of your internal staff to generate equivalent documentation.
• We process most orders the same business day so you can potentially start working with the DSP CSOP the same day you place your order.

The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. 

SCF Procedures Are Aligned With The NIST NICE Framework

One very special aspect of the CSOP is that it leverages the NIST NICE Cybersecurity Workforce Framework. NIST released the NICE framework in 2017 with purpose of streamlining cybersecurity roles and responsibilities. We adopted this in the CSOP framework since work roles have a direct impact procedures. By assigning work roles, the CSOP helps direct the work of employees and contractors to minimize assumptions about who is responsible for certain cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!

The CSOP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.

The value of the CSOP comes from having well-constructed procedure statements that can help you become audit ready in a fraction of the time and cost to do it yourself or hire a consultant to come on-site and write it for you. The entire concept of this cybersecurity procedures template is focused on two things: 

1. Providing written procedures to walk your team members through the steps they need to meet a requirement to keep your organization secure; and
2. Help your company be audit ready with the appropriate level of due diligence evidence that allows you to demonstrate your organization meets its obligations.

How Do I Write SCF Procedures?

Your customization will be to help "fill in the blanks" with specific process owners, process operators, where additional documentation can be found, applicable service obligations (e.g., SLAs), and what technology/tools your team has available. We've done the heavy lifting and you just need to fill in the blanks.  

• Process Owner:
• This is name of the individual or team accountable for the procedure being performed.
• Example: Chief Information Security Officer (CISO) / Cybersecurity Director.
• Process Operator: 
• This is the name of the individual or team responsible to perform the actual task.
• Example: SOC Analyst / Risk Analyst / Network Admin.
• Occurrence: 
• This is the annual, semi-annual, quarterly, monthly, bi-weekly, weekly, daily, continuous or as needed cadence for how often the procedure needs to be performed.
• Example: Quarterly vulnerability scans / Monthly software patches / Annual risk assessments.
• Scope of Impact:
  • Purely internal processes;
  • Purely external processes (e.g., outsourced vendor processes); or
  • Scope covers both internal processes and external ones.
  • System;
  • Application;
  • Process
  • Team;
  • Department;
  • User;
  • Client;
  • Vendor;
  • Geographic region; or
  • The entire company
• This is the scope of the procedure:
• It also that affects the potential impact from the process, which can be one or more of the following:
• Location of Additional Documentation: 
  • This is where additional documentation is stored or can be found. You might want to reference a Wiki, SharePoint site, or other documentation repository.
• Performance Target: 
• This addresses targeted timelines for the process to be completed (e.g., Service Level Agreements).
• Not all processes have SLAs or targeted timelines
• Technology in Use:
  • Splunk for a Security Incident Event Manager (SIEM) solution to collect logs;
  • McAfee ePO for centralized antimalware management; or
  • Tripwire Enterprise for File Integrity Monitoring (FIM).
• This addresses the applications/systems/services that are available to perform the procedure.
• Examples:

 

• C-SCRM & NIST 800-161 R1

  For many cybersecurity practitioners, even those well versed in NIST 800-171 and Cybersecurity Matur...

• Secure Software Development Attestation

  Can you tell the difference in these secure software development attestation forms? There isn't one...

• NIST 800-171 R3 ODPs

  ComplianceForge released NIST 800-171 R3 documentation updated to address DoD-provided Organization-...

• SCF Training & Certifications

  ComplianceForge is a Licensed Content Provider (LCP) for the Secure Controls Framework (SC...

---