Today the Northeast CMMC Coalition met and we spent a good deal of time discussing policy and knowledge management. You need a guiding light when navigating the seas of CMMC. Policy points the way.
We first began with a discussion of the delta between the policy automation vendors sell and the legacy documents many organizations actually have.
Policy as code in a dynamic state sounds great. Cybersecurity as code and all. The reality is that DevSecOps probably works for less than 1% of DIB companies given their current workflows.
People need to create and track the governance of their policies first. Common tools used for policy included purchasing policy packs, using a wiki, or using SharePoint with wet signatures for authorization.
The majority of small businesses at today's meeting rely on, or have customers that primarily rely on, human-readable-only Word documents that get added to an SSP as read-only files. No use of metadata or any of the automation tools hyped by vendors.
Managed Service Providers also need a policy solution. The good ones usually require you to adopt their baseline and architecture, which should standardize much of the policy. Judge an MSP by the policy they provide.
According to NIST MEP Handbook 162, these are the plans, policies, and procedures you should have in order to meet the NIST SP 800-171 security requirements. These 39 plans, policies, and procedures do not have to be separate documents. Many, for example, would get included in an employee handbook.
Plans you should have:
- Business Continuity Plans
- Contingency Plans
- Continuity of Operations Plans
- Critical Infrastructure Plans
- Crisis Communications Plan
- Disaster Recovery Plans
- Incident Response Plan
- Incident Response Testing Plan
- Occupant Emergency Plan
- Physical/Environmental Protection Plan
- Plan of Action
- Security Assessment Plan
- Security Plan
- System Security Plan
Policies and Procedures you should have:
- Access Control
- Audit and Accountability
- Configuration Management
- Configuration Planning
- Incident Response
- Identification and Authentication
- Information Flow Control
- Information Flow Enforcement
- Information System Maintenance
- Media Protection
- Media Sanitization and Disposal
- Mobile Code Implementation
- Personnel Security
- Physical and Environmental Protection
- Portable Media
- Risk Assessment
- Security Assessment and Authorization
- Security Awareness and Training
- Security Planning
- Separation of Duties
- System and Information Integrity
- System and Services Acquisition
- System and Communication Protection
- System Use