Writing Solid Implementation Procedures

In a previous blog, CMMC Documentation Lamentations, I wrote about the importance of solid security documentation. In this blog I’d like to expand on that theme, focus on why well-written implementation procedures are important, and describe how to write them.

I think we can all agree there are two ends of the spectrum for corporate IT systems: those designed, architected, and implemented from a well-thought-out plan, and those that grew ad hoc from evolving requirements and from whatever components were available and affordable. Wherever your system lies on that spectrum, documenting its current state provides many benefits:

  • Components can be configured as planned to optimize performance and security

  • Proper configurations persist through change and maintenance procedures

  • Ability to provide for Continuity of Operations

  • Facilitates successfully passing assessments

Let’s take a closer look at each of these benefits.

The ability to configure components as planned to optimize performance and security. A lot of architecting and engineering goes into designing an IT system. It’s important that the actual construction of the system follows the plan so that security measures are implemented correctly. As engineers configure operating systems, software, and components, knowing the proper settings is critical. A simple example is installing a new server. We all know default settings aren’t going to cut it. You should have step-by-step instructions for configuring new servers, and your implementation procedures should provide the details on user and network configuration, package management, NTP configuration, firewalls and iptables, securing SSH, service configuration, hardening, logging, etc.
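As an added illustration, not part of the original post, here is what the "securing SSH" step of such a server build procedure looks like when it is written down as a checkable baseline instead of "harden SSH": a POSIX shell script that reads an sshd_config, applies sshd's own rules for which line counts (first occurrence wins, keywords are case-insensitive, anything after a Match block is conditional), and reports which documented settings are in place. The baseline values, the function names, and the two sample configurations are assumptions constructed for the example; substitute the settings your own procedure calls for.

```shell
#!/bin/sh
# Verify an sshd_config against the settings a documented build procedure
# requires. Baseline values below are a hypothetical example, not a standard.

# Required settings as "Keyword expected_value", one per line.
SSHD_BASELINE='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE'

# Print the effective value of a keyword in the given sshd_config.
# sshd uses the first non-comment occurrence, matches keywords
# case-insensitively, and settings after a Match line apply conditionally,
# so scanning stops there. Prints nothing if the keyword is not set globally.
# (The rarely used "Keyword=value" form is not handled.)
sshd_effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                  # comment line
        NF == 0 { next }                           # blank line
        tolower($1) == "match" { exit }            # conditional section begins
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare a config file to the baseline. Prints one PASS/FAIL line per
# setting and returns non-zero if any setting deviates or is unset.
check_sshd_baseline() {
    config="$1"
    failures=0
    while read -r keyword expected; do
        [ -n "$keyword" ] || continue
        actual=$(sshd_effective_value "$config" "$keyword")
        if [ "$actual" = "$expected" ]; then
            printf 'PASS %s = %s\n' "$keyword" "$actual"
        else
            printf 'FAIL %s: expected %s, found %s\n' \
                "$keyword" "$expected" "${actual:-<unset>}"
            failures=$((failures + 1))
        fi
    done <<EOF
$SSHD_BASELINE
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample: a server built per the procedure. The Match block at
# the end re-enables passwords for one account only and must not affect the
# global check.
sample_config_hardened() {
cat <<'EOF'
# sshd_config written per server build procedure (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
EOF
}

# Constructed sample: vendor defaults left in place. The commented-out
# PermitRootLogin line counts as unset, which is itself a finding.
sample_config_default() {
cat <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
EOF
}

# Usage: check_sshd_baseline /etc/ssh/sshd_config
# Exit status 0 means every baseline setting was found with the expected value.
```

Run it as the final verification step of the build and keep its output with the build record: a PASS line per documented setting is exactly the kind of artifact an assessor can be pointed to, and the same script run after a weekend rebuild tells the on-call technician whether the replacement server actually matches the procedure.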

The ability to maintain proper configuration through change and maintenance procedures. It’s the weekend and a server bites the dust. The on-call technician is able to replace the server and get the system back online. Is it configured properly? Again, detailed implementation procedures will feed the build for the server, especially the final manual configuration steps that may be required.

The ability to provide for Continuity of Operations. When things go south, having detailed procedures will help rebuild and recreate systems. The hurricane-force winds have subsided, the flood waters are receding, you finally get into your business and realize there’s nothing left. You need to quickly establish a new base of operations and stand up a new IT system. Hopefully you took your implementation procedures with you! With a properly documented system, recreating and rebuilding will go much more smoothly.

Facilitation of successful assessments. One thing I learned during my 22 years in the Marine Corps was that if you can quickly answer an inspector’s questions they will generally move on to the next question. If you stumble or can’t provide an adequate answer, they tend to start digging. Having detailed and accurate implementation procedures will allow you to answer an assessor’s questions quickly and accurately and demonstrate that you know what you’re doing.

So how do you go about writing solid implementation procedures? The first step is to understand what the control’s assessment objectives require, and then to answer every objective with enough information that a stranger could pick up the procedures and recreate your original environment.

Here’s how not to do it:

Control: AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Objective: 3.2.3.a Potential indicators associated with insider threats are identified;

Implementation Procedure: Ajax IT has identified potential indicators associated with insider threats.

Objective: 3.2.3.b Security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.

Implementation Procedure: Ajax IT conducts security training.

As you can see, these procedures don’t provide any detail on how the control is implemented. A solid procedure will detail the who, what, where, when, and how of the steps that need to be accomplished. Remember, you are writing for an unknown third party (your replacement, an assessor, a coworker, etc.) who may be coming into this without any prior knowledge.

Here’s how it should be done:

AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.

3.2.3.a Potential indicators associated with insider threats are identified;

Implementation Procedure: The Information System Security Manager (who) will ensure all annual (when) insider threat training includes a listing of potential insider threat indicators (what) as listed in the Center for Development of Security Excellence (CDSE) Insider Threat Potential Risk Indicators (PRI) Job Aid available at https://www.cdse.edu/Portals/124/Documents/jobaids/insider/INTJ0181-insider-threat-indicators-job-aid.pdf (where and how).

3.2.3.b Security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.

Implementation Procedure: All users (who), including managers, senior executives, and contractors, will complete online training (what) on recognizing and reporting potential indicators of insider threats in the following instances (when):

  • Prior to accessing the System as initial training for new users, and

  • Annually thereafter

Users will complete the online Insider Threat Awareness course provided by the USA Learning website available at:

https://securityawareness.usalearning.gov/itawareness/index.htm. (how)

The completion certificate (what) will be maintained by the Information Owner (who) for as long as the user has access to the system (when).

Insider threat information will be included in the quarterly (when) security updates.    

This level of detail gives both you and the assessor assurance that steps are in place to meet the objectives of the control. It also directs the assessor to the artifact, in this case the training completion certificates, that proves the objective is being met.

As you write your implementation procedures, keep in mind the who, what, where, when, and how level of detail and point readers to the solution with easy-to-follow procedures. If you need a helping hand, consider Ascolta’s CMMC Documentation Templates as a great starting point.
