September 8, 2020
Cybersecurity Verification: Say What You Do & Do What You Say
by Geoff Pierce, CISO
Written policies and procedures are great, but only when they’re consistently executed. Demonstrating maturity of your cybersecurity program starts with my favorite adage – “Say what you do, then do what you say.”
With CMMC’s third-party assessment requirement on the horizon, extending your cybersecurity practices to collect verification evidence is important too. An easy example is password policy. It is common to find a password policy, namely password complexity, documented in the employee handbook. The security plan will document the technical implementation of password complexity.
We’re done, right? Not quite.
How will you prove to a 3PAO that your implementation actually matches what was said in your policies and procedures? You don’t want to be surprised during an assessment to learn that your implemented password policy doesn’t match your documented policy.
I recommend gathering and updating implementation evidence for your verification playbook every time you update your system security plan. Evidence can include:
- Screen shots from configurations
- A sample report
- A demonstration script, to include expected results
Organizing and maintaining your evidence artifacts does not have to be time-consuming or challenging. When you are ready to move out of spreadsheets to track compliance status, I suggest looking at ESM Cybersecurity. With ESM Cybersecurity, I have a place to organize and maintain my verification playbooks for each client as well as dashboards to show detailed status for my team as well as high-level status for company executives.
Looking for more on cybersecurity verification? Contact the Centauri Security & Cyber Services team using the form below.