After the experience of creating a security document package for the commercial product installed in our network, I was fortunate enough to have subsequent work assisting with security audits of organizations outside our company.
Only one of the several organizations I worked with was in the process of developing a system security plan based on the US National Institute of Standards and Technology (NIST) 800-53 controls. They were not ready to share that documentation at the time. The other organizations I worked with all had plans that addressed the highlights of NIST 800-53 but did not delve into the individual controls. Having a plan that addresses all of the controls is a great roadmap to help a company make sure that they have adequate data security protections in place and can be a great artifact to hand to auditors when they arrive.
Creating a system security plan (SSP) based on NIST 800-53 will cost the company time and resources. However, the investment can pay off as data security becomes a bigger issue and more stress is placed on meeting higher standards.
The method I have found most successful is the interview. People are usually happy to tell you about their work, and happier still when you do the required writing and give them text to review rather than asking them to write it themselves.
A NIST-based SSP is also a handy tool to have on hand if you are subject to a security or process audit. Because of the scope of the controls, you have information on many subjects, including security training, personnel practices, and the physical security of your data and facility.
There are a number of pre-made SSP templates in Microsoft Word available for download. FedRAMP has an SSP template and a number of other security-related document templates you may need. A second source with a pre-formatted Microsoft Word document is the US Federal Deposit Insurance Corporation. This template addresses moderate-impact systems, but by referencing NIST 800-53 Revision 4 Table D-2: Security Control Baselines, you can map out which controls and enhancements are required at the low- and moderate-impact levels.
You can also adjust these templates for your own needs and add or remove material. And once the initial investment in the research and writing is done, yearly updates are not as onerous. You can ask IT personnel to review individual controls or interview them for information to keep the burden small at any given time.
Read Craig R. Hollingsworth’s recent Journal article:
“Auditing for FISMA and HIPAA: Lessons Learned Performing an In-house Cybersecurity Audit,” ISACA Journal, volume 5, 2016.