As promised, here is the second blog post of this week regarding the pitfalls from my eBook, 100 Security Program Pitfalls and Prescriptions to Avoid Them. This pitfall is “Pitfall #8 – Documentation Management.”
Security program documentation and supporting artifacts or evidentiary files required by the controls adopted by your organization should be appropriately managed. This documentation includes, but is not limited to, policies, plans, procedures, call trees, assessment reports, exception requests, incident reports, control artifacts, metrics, corrective action plans, and strategy documents.
Controls should be in place to ensure that documentation is available for use when and where it is needed. Your organization should control the distribution, access, retrieval, use, storage, modification, and preservation of documentation. At a minimum, documentation should be protected from loss of confidentiality, loss of availability, improper use, and loss of integrity.
Documentation used by your organization that was developed externally but has been deemed necessary for the planning or operation of your organization’s security program should also be appropriately controlled. Examples of this “external” documentation include, but are not limited to, regulatory guidance, special publications, bulletins, alerts, or other outside information that drives or otherwise supports your security program. The integrity of this documentation needs to be maintained even though it was not developed by your organization.
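One concrete way to back the integrity and availability requirements in the two preceding paragraphs, for both internally authored documents and externally sourced ones such as regulatory bulletins, is a hash manifest: record a SHA-256 digest of every controlled document, keep the manifest itself under change control, and verify the document set against it on a schedule or before an audit. The script below is an added example written for this post; it is not code from the eBook or from the ASECENT portal, and the document paths, file contents and manifest format are constructed for illustration.

```python
"""Documentation integrity manifest (added example, not from the eBook or ASECENT).

Builds a SHA-256 manifest over a set of security-program documents and later
verifies the set against it, reporting modified, missing and unexpected files.
The document contents below are constructed sample data.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List

# Constructed sample corpus: path -> bytes. Internal documents and one
# externally sourced document (a regulator bulletin) share the same manifest,
# because both must keep their integrity once adopted by the program.
SAMPLE_DOCS: Dict[str, bytes] = {
    "policies/access-control-policy.md": b"# Access Control Policy\nVersion 3.1\n",
    "procedures/incident-call-tree.csv": b"role,name,phone\nIR lead,J. Doe,555-0100\n",
    "external/regulator-bulletin-2023-04.pdf": b"%PDF-1.4 (constructed placeholder bytes)\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(docs: Dict[str, bytes]) -> Dict[str, str]:
    """Return {path: sha256} for every document. Paths are sorted so the
    serialised manifest is deterministic and can itself be signed or
    committed to version control."""
    return {path: sha256_hex(docs[path]) for path in sorted(docs)}


def load_docs_from_directory(root: Path) -> Dict[str, bytes]:
    """Read a real documentation tree into the same {path: bytes} shape
    (hypothetical helper for on-disk use; the tests use SAMPLE_DOCS)."""
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def serialise_manifest(manifest: Dict[str, str]) -> str:
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(manifest: Dict[str, str], docs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current document set against the manifest.

    modified:   present, but the digest differs (loss of integrity)
    missing:    in the manifest, but no longer present (loss of availability)
    unexpected: present, but not in the manifest (uncontrolled document)
    """
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in docs:
            report["missing"].append(path)
        elif sha256_hex(docs[path]) != expected:
            report["modified"].append(path)
    for path in docs:
        if path not in manifest:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_DOCS)
    print(serialise_manifest(manifest))
    # Simulate an unreviewed edit to the call tree, a deleted external bulletin
    # and an untracked draft appearing in the repository.
    tampered = dict(SAMPLE_DOCS)
    tampered["procedures/incident-call-tree.csv"] += b"IR deputy,A. Nobody,555-0199\n"
    del tampered["external/regulator-bulletin-2023-04.pdf"]
    tampered["drafts/untracked-note.txt"] = b"scratch\n"
    print(json.dumps(verify_manifest(manifest, tampered), indent=2))
```

The manifest only detects change; it does not say whether a change was authorised. Pair it with the change-control record for the documentation repository, so that every `modified` entry can be matched to an approved revision, and store the manifest (or its signature) somewhere the people who can edit the documents cannot silently rewrite it.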
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.