Ascent Portal Staff
Security and Compliance Documentation Management
As promised, here is the second blog post of this week regarding the pitfalls from my eBook, Security Program Pitfalls and Prescription to Avoid Them. This pitfall is “Pitfall #8 – Security and Compliance Documentation Management.”
Stale or outdated documentation must be avoided to ensure both the initial and continued success of an organization’s security program. This means ensuring that all security policies, plans, and procedures are reviewed, and updated where needed, at least every 12 months. Assessors, whether internal or external, need to see evidence that the organization is attentive to maintaining the documentation that supports an effective security program.
Security program documentation and supporting artifacts or evidentiary files required by the controls adopted by your organization should be appropriately managed. This security and compliance documentation management includes, but is not limited to, policies, plans, procedures, call trees, assessment reports, exception requests, incident reports, control artifacts, metrics, corrective action plans, and strategy documents.
Controls should be in place to ensure that documentation is available for use when and where it is needed. Your organization should control the distribution, access, retrieval, use, storage, modification, and preservation of documentation. At a minimum, documentation should be protected from loss of confidentiality, loss of availability, improper use, and loss of integrity.
Documentation used by your organization that was developed externally but has been deemed necessary for the planning or operation of your organization’s security program should also be appropriately controlled. Examples of this “external” documentation include, but are not limited to, regulatory guidance, special publications, bulletins, alerts, and other outside information that drives or otherwise supports your security program. The integrity of this documentation needs to be maintained even though it was not developed by your organization.
#AscentPortal #Compliance #DocumentationManagement #RiskDocumentation