After 18 months as an auditor, I have been hired as the only cybersecurity person in a 1000+ organization. I have been tasked, among other things, to draft various security policies.
Is anyone aware of a repository of policy templates? For example, "Incident Response", "Access Control", "Configuration Management", etc. I am trying to align the org with 800-53; I don't need content, I need structure/format. Does that make sense?
If aligning to ISO 27001 you could try https://www.itgovernance.co.uk/shop/category/iso-27001-individual-templates
Hi there! Does your org require 800-53? I'm not familiar with any templates which directly correspond to 800-53's guidance, but if all you're wanting to do is start from scratch for a company that has never done this before, consider the SANS templates. They were perfect for me when I worked for a company with no security framework.
If your org requires something a little meatier, you might tell us about other requirements your leadership has tasked you to achieve (i.e., are you a financial institution, health care provider, government contractor, PCI compliance requirements, disclosure / publicly traded, etc... OR that they're just taking steps because the insurance company said to)
Take a look at the link below to get a general idea of a NIST policy layout. I wouldn't recommend putting all of this content into a single policy because it quickly becomes a TL;DR doc. I'd recommend a general outline in a policy with pointers to the detailed requirements of each section into a "Standards" or "Plan" doc for further reference.
For templates, try contacting your admin dept and have them forward whatever templates your organization uses.
Break down your write-up into different segments, e.g., title, background, scope, details, POC, signature block. And, different organizations label policies in different ways. You'll have to find out from your admin folks how they label other policies/documents. For example, "National Institute of Standards and Technology Special Publication 800-53 Revision 5" would be labeled as "NIST SP 800-53 Rev. 5".
Hey Joe! DCSA actually has templates for a lot of documentation in the DAAPM v2.2. Look at the appendices. Many won't be applicable to you but they have incident response, contingency, etc. You can also refer to the templates on www.i-assure.com but they are SUPER long and as someone else said... they will become a tl;dr doc. If you utilize those, I'd use them for structure but don't use the entire thing. As far as NIST, the NIST SP 800-137 talks about the continuous monitoring process, but doesn't have a template per se. The NIST SP 800-128 does have a template for configuration management, as well as templates for a change request form, security impact analysis and CCB charter. The NIST SP 800-50 has some awareness and training templates. The NIST SP 800-34 has the contingency planning templates. NIST SP 800-30 has the risk assessment templates. NIST SP 800-61 has the necessary components for an Incident Response Plan, but doesn't actually lay it out into a template. This is what I can think of off the top of my head. Hope it helps!
Look here - www.complianceforge.com. They have everything you need aligned to your chosen framework(s). There is a cost, but you won't have to scrape the entire internet looking, reformatting and editing hundreds of policies.
Much of this might depend on your organization's current governance. Under the premise that policy has to be authored/adopted at the top-level (i.e. board/owner) of the organization, maybe what you are really looking at here is a single "information security and privacy" policy that says your organization will endeavor to comply with 800-53 (or editing existing policy(ies) to denote that standard). The policy will then instruct individual units/departments to develop procedures complying with this policy and to submit them to you for review/confirmation that the policy has been implemented.
I doubt I am telling you anything you don't already know, but having beat my head against a few board tables in my day, one thing I have learned is that to get a single policy approved can be arduous. Boards can turnover greatly from year to year. If you are trying to get a series of policies approved, it can feel like Groundhog Day. That's all the more reason to keep the policy simple and direct, and allow the procedures and/or guidelines to be more granular and detailed.
As far as a template, I'd start with the policies your organization already has, even if they are completely unrelated to technology or security. You want some overall coherence to the corporate policies. The board/general counsel should maintain a corporate binder of policies or a Board Policy Manual. I'd try to read that cover to cover to start. You may find the opportunity or need to leverage other corporate policies. For example, when you get into the system monitoring stuff of 800-53, that can dovetail with acceptable-use or employee privacy policies.
Two things often left out of a policy are
Not sure if any of that helps.
Did someone get back to you on this?
There's some free and out of date ones @ sans.org.
You can buy ISO 27001 Templates at Certikit which are ok.
The heavy NIST ones are at ComplianceForge.
Remember to tailor the policies, processes, and procedures to your organization and your culture. Cookie cutter is only going to take you so far. Does it demonstrate commitment to protect CIA? Is it enforceable? (need disciplinary statement(s)) Does it fit the culture? Is it supported with a clear "tone from the top?"
AICPA SOC Audit / PCI empirical observation:
Policies in place?
Policies reviewed (within last 11 months)
Policies Approved (within last 11 months if there are changes)
Procedures in place to systemically implement policies and control objectives?
Policies are consistently followed
Standards are drafted to "Precisely Guide" technical steps and Configurations (STIGs, Hardening Checklists, Tape Library Maintenance Instructions)
Guidelines are drafted and distributed/published. (Suggestions, recommendations, and examples... usually for end users on security hygiene).
Hope that helps.