Documenting an Information Security Program

Cybersecurity students must do a Semester in Residence (SiR) project to fulfill the requirements for the Master of Science in Cybersecurity. The main objective of my project was to develop the proper documentation and identify the security requirements to be in compliance with government regulations and contractual obligations. Therefore, security policies and procedures must include controls and safeguards to offset potential threats, as well as to ensure accountability, availability, integrity, and confidentiality of the data. Security measures must be taken to guard unauthorized access to, alteration, disclosure or destruction of data and systems, including against accidental loss or destruction. To comply with reasonably-expected security requirements the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations was used to create the proper documentation of security policies and procedures. One accomplishment of having a documented evidence is that Company X is more likely to win a lawsuit by demonstrating that reasonable precautions were used to protect its data and information systems among many other benefits. The security program documentation must be a living document and compliance is an ongoing effort that requires future work. Therefore, it is recommended to continue with technical compliance audits, conducting periodic risk assessments, and performing periodic reviews to be compliant and protect the business regardless of its size or resources and the most important aspect is to monitor the security of the program’s effectiveness and make changes as necessary.