User Tools

Site Tools

You are here: start » corpgov » intro

Sidebar

Org. Governance

Home

Governance

Organizational Authority

Risk Management Framework

Audit Docs & Tasks

HR Personnel Policies

3.9 HR Policies

Functional/Technical Policies

(Satisfies SOC IS-1 Requirements)

3.1 Access Control

3.2 Awareness & Training Policies

3.3 Audit & Accountability

3.4 Configuration Management

3.5 Identification and Authentication

3.6 Incident Response

3.7 Maintenance

3.8 Media Protection

3.9 HR Policies

3.10 Physical Protection

3.11 Risk Assessment

3.12 Security Assessment

3.13 Systems & Communications Protection

3.14 Systems & Information Integrity

Internal Processes

Breach Notification

Contingency Planning - Internal - CP

Change Management - CM

SaaS App Management

Executive Compliance Directives

DOD Impact Levels

Definitions & References

IT Policy Artifacts

corpgov:intro

Table of Contents

Governance and Policy Approach

Control Satisfaction Matrix

Standard Category Controls Satisfied 800-53r4 Controls ISO/SEC 27001 Audit Controls
NIST 800-171 None None None None None

Major Document History

Date Comment Who
8/01/2019 Initial Doc Tharp
1/04/2021 Added Evidence File Directory Structure Tharp

Cyber Security Standard

DZP Group elected to adopt the most comprehensive and widely recognized framework NIST 800-53rev4 for both public and private entities along with guidance from other NIST Frameworks in our case 800-171 that was derived from 800-53rev4.

The 800-171 Framework provides guidance on policy creation and implementation for Controlled Unclassified Information (CUI). DLZP determined it was less complicated to adopt a single classification standard and set of controls setting the bar to the highest measure than attempt to take a varied approach to data classification with several layers. Thus, 800-171 adoption provides a single high-hurdle to measure our processes against and maps to both 800-53rev4 and ISO/SEC 27001 Frameworks. These controls are easily achievable within the Amazon Web Service cloud solutions services.

Each Policy Area below shall consist of the Policy its Control Objectives, assertions that define the control objective measures and the relevant test(s) to validate assertion compliance. 

Policy Area >>> Policy(s) >>> Control Objective(s) >>> Test(s) >>> Assertion(s)

DLZP Group uses 800-171 as our default minimum standards. Where requested by client contract we will match the compliance frameworks that their business or industry is measured by incorporating additional NIST 800-53rev4 measures to satisfy client requirements.

Organization Responsibility Matrix

Division SECURITY REQUIREMENTS Abbreviation
Operations 3.1 ACCESS CONTROL AC
Security 3.2 AWARENESS AND TRAININGAT
Audit Control 3.3 AUDIT AND ACCOUNTABILITYAU
Operations 3.4 CONFIGURATION MANAGEMENTCM
Engineering 3.5 IDENTIFICATION AND AUTHENTICATIONIA
Operations 3.6 INCIDENT RESPONSEIR
Operations 3.7 MAINTENANCEMA
Corporate 3.8 MEDIA PROTECTIONMP
Corporate 3.9 PERSONNEL SECURITY see HR PoliciesPS
Corporate 3.10 PHYSICAL PROTECTIONPE
Security 3.11 RISK ASSESSMENTRA
Security 3.12 SECURITY ASSESSMENTSA
Engineering 3.13 SYSTEM AND COMMUNICATIONS PROTECTIONSC
Engineering 3.14 SYSTEM AND INFORMATION INTEGRITYSI

Functional Organization

Functional Teams responsible for various Compliance Framework Sections

800-171 NIST 800-171 Naming A-lign Security Policy Manual Asigned
3.1 Access Control 3.0 Access Control Policy Dave
3.1 Access Control 20.0 Remote Access Policy Dave
3.1 Access Control 28.0 Third Party Access Dave
3.2 Awareness & Training - Brian
3.3 Audit & Accountability - Brian
3.4 Configuration Management 8.0 Operational and Software Development Change Management Policy Dave
3.4 Configuration Management 12.0 Encryption Policy Dave
3.4 Configuration Management 24.0 Server Documentation Policy Dave
3.4 Configuration Management 25.0 Server Security Policy Dave
3.4 Configuration Management 26.0 Source Code Control Policy Dave
3.5 Identificaion & Authentication 9.0 Password Policy Dave
3.5 Identificaion & Authentication 10.0 Database Password Policy Dave
3.6 Incident Response 14.0 Incident Handling Policy Brian
3.6 Incident Response 15.0 Incident Response Guidelines Brian
3.7 Maintenance 19.0 Patch Management and Systems Update Policy Brian
3.8 Media Protection 17.0 Media Disposition Policy Brian
3.8 Media Protection 22.0 Removable Media Policy Brian
3.9 HR Policies 2.0 Acceptable Use Policy Kim
3.9 HR Policies 6.0 Automatically Forwarded Email Policy Kim
3.9 HR Policies 11.0 Email Retention Policy Kim
3.9 HR Policies 16.0 Information Sensitivity Policy Kim
3.9 HR Policies 27.0 Wireless Communication Policy Kim
3.10 Physical Protection 4.0 Physical Security Policy Brian
3.11 Risk Assessment 23.0 Risk Assessment Policy Brian
3.13 Systems & Communications Protection 13.0 Extranet Policy Dave
3.13 Systems & Communications Protection 18.0 Network Documentation Policy Dave
3.13 Systems & Communications Protection 21.0 Virtual Private Network (VPN) Policy Dave
3.14 Systems & Information Integrity 5.0 Anti-Virus Software Policy Dave
3.14 Systems & Information Integrity 7.0 Backup / Restore Policy Dave

Evidence Storage File Structure

/opt/bitnami/dokuwiki/data/pages/corpgov/intro.txt · Last modified: 2021/01/04 20:46 by brian.tharp

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki