A foundation of a security program is a set of policies that establish a common understanding of organizational commitments around security. In securityprogram.io, we provide template policies that align to NIST 800-53 and that we have then mapped to tasks: the things you actually need to do to meet policy.
Of course, you can download any number of security policies from the internet and, frankly, if you email us at firstname.lastname@example.org we will point you to our templates for free. The truth is that writing the policies isn't the hard part of adopting security policies in a program. The hard part is making sure everybody knows about them and then follows them!
Policies are important because they set expectations across an organization.
Policies and NIST Standards
We centered our default policies around NIST 800-53 because it allows us to build policies that are aligned to a broad set of industry-standard controls. That makes it easier for us to map to things like NIST CSF and other standards, which often also reference back to NIST 800-53 controls.
We wrote our policies so that most tech companies could basically adopt them "as is". We made them real, but pragmatic. Simple but complete. Our policies cover:
- Acceptable Use
- Business Continuity
- Data Classification
- Identity and Access Management
- Incident Response
The features we include around policies start with appropriate, proven templates for each policy. That gets you started fast with templates that have been used by clients to pass security audits or demonstrate security during acquisitions or sales diligence. But we also provide an online editor, version control, the ability to upload your own policy (say, in Word) and to track versions. This ensures that all policy changes are trackable.
We also provide a simple policy acknowledgement capability so that you can deploy policies and confirm they are acknowledged by all of the employees that need to be aware of them. Since employees sign on with SSO (supporting Google Workspace or Microsoft O365), it is seamless to invite them and let them acknowledge policies.
Let Us Assist You!
In the Assisted Tier of SPIO, our team helps you understand policies! This ensures that your team is able to understand and effectively leverage policy.
We tried to make our security policies as simple and pragmatic as possible. Whether you have us help you, or you do it yourself, the tools are right there for you in securityprogram.io.