Policies need to be established and signed off by C-level management. Implementation of policy flows through standards, guidelines, and procedures. Before jumping to writing policies, consider establishing a framework. See NIST "Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, 16 April 2018. Another comprehensive example is provided by the DoD - a framework built upon 4 goals: 1. Organize, 2. Enable, 3, Anticipate, 4. Prepare. For details, see the Build and Operate a Trust DoDIN Cybersecurity-Related Policies and Issuances IA Policy Chart.
Since compliance with NIST standards, SP 800-53 for DoD and federal agencies and SP 800-171 for DoD contractors, a good starting point is policies that are aligned with the NIST SP 800-53 controls families. As of NIST SP 800-53 Rev 4, there are 18 control families, with 8 more included if the Privacy Overlay applies. I-Assure RMF Templates are available for the following:
- AC - Access Control
- AT - Awareness and Training
- AU - Audit and Accountability
- CA - Security Assessment and Authorization
- CM - Configuration Management
- CP - Contingency Planning
- IA - Identification and Authentication
- IR - Incident Response. Follow NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
- Incident Response Plan (Tech Pro Research, 2017)
- MA - Maintenance
- MP - Media Protection
- PE - Physical and Environmental Protection
- PL - Planning
- PM - Program Management
- PS - Personnel Security
- RA - Risk Assessment
- SA - System and Services Acquisition
- SC - System and Communications Protection
- SI - System and Information Integrity
Other policies and procedures:
- Cloud Computing Policy. See http://www.techproresearch.com/downloads/cloud-computing-policy/.
- Business Impact Analysis (BIA). First step in disaster planning. Identify systems, services, processes, and workflows in the organization and prioritize recovery (i.e. set RPO, RTO).
- Business Continuity Plan (BCP). Describes how to meet the availability objective defined by the BIA.
- Why your business needs a continuity plan and how to create one (TechRepublic, February 5, 2019).
- Disaster Response Plan (DRP). Should be invoked based on some threshold defined in the Incident Response Plan (IRP).
- Disaster Recovery: How to Prepare for the Worst (TechRepublic, 2019)
- Electronic Communications Policy. What tool(s) to use, what medium(s) to use (email, blog, social media), define restrictions.
- Electronic Communication Policy (TechRepublic, 2/2017)
- Employee Termination Process
- Employee Termination Checklist (TechRepublic)
- Inventory Management
- Lifecycle Management
- Preventive Maintenance Plan
- Portable Media Policy (covering PDAs, iPods, iPads, flash devices, cameras, portable hard drives, cell phones, thumb drives, digital recorders)
- Personnel Fitness Devices (PED)
- Wireless Networking Policy
- Privacy
- Password Policy.
- Media Disposal
- Pre-hire
- Contracts and Agreementsf
- Disciplinary Action
- Virtual Private Network (VPN)
- Telecommuting/telework Policy
- NIST SP 800-114 Revision 1, "User's Guide to Telework and Bring You Own Device (BYOD) Security," July 2016
- For DoD, DD2496 (Department of Defense Telework Agreement) is required. When Controlled Unclassified Information (CUI) including competition sensitive or source selection data is authorized for use at the telework location, criteria for proper encryption and safeguarding of such information and data must be consistent with Enclosure 3, subparagaphs 3.f.(1) through (3) of DoDI 1035.01, Telework Policy.
- Office of Personnel Management (OPM) Telework Site. Also see https://www.telework.gov/federal-community/telework-employees/making-your-case-for-telework/
- NIST Cybersecurity Framework
- Tech Pro Research IT Policies
- USACE Cyber Quick Reference Card