Every day, companies ask, "What is the most cost-effective way to ensure that my enterprise is secure?" My answer is always the same: "build on what you've got." That means completing a self-assessment, and here's how you do it.
1. Decide which security framework you're going to assess against. In this case we'll use NIST SP 800-171, which is widely regarded as the "godfather of compliance" and the framework most copied by others. NIST SP 800-171 (Revision 2) contains 110 controls broken down into 14 control families.
2. Decide what software you'll use to document your assessment. Some people build a spreadsheet for this purpose; others choose a self-assessment package that already contains all the controls.
3. If you have performed a security assessment before or have the results of an old audit, load that data into the spreadsheet and add columns labeled "current (as-is)", "new (to-be)", "gaps" (the difference between as-is and to-be), and "plan of action" (how you'll shore up the gaps).
4. Interview your staff, your network partners, your hosting provider, and any cloud platforms that store your data: first read them the controls, then document how their enterprise treats your data, completing as much of the assessment as possible.
5. Ask your development staff, your DBA, your CIO, your webmaster, etc. how to respond to any controls you don't yet have an answer for, and document their responses.
6. Once you've completed as much of the assessment as possible, create your policies and procedures from the data. Describe in detail how you'll enforce passwords, control access, and limit exposure of your most sensitive data, and archive those policies and procedures in your HR files. Distribute them to all employees and contractor staff who have access to your network.
7. Create a Plan of Action and Milestones (POA&M) that lists every area where you are weak or "not up to snuff", how you'll shore up each gap, who owns the fix, and the date by which it will be done.
8. Create a System Security Plan (SSP), which in its purest form is a booklet containing an executive summary, the findings of your self-assessment broken down by control family and the controls under each family, your policies and procedures, and the evidence that supports your findings (attachments such as screenshots, reports, memorandums, schemas, etc.).
9. For any gaps that remain in the self-assessment, call a certified assessment firm that specializes in cybersecurity audits and have them weigh in and add to your SSP.
10. Submit your assessment results (your NIST SP 800-171 assessment score) to the Supplier Performance Risk System (SPRS), and once a year, GO BACK TO STEP ONE.
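The spreadsheet work in steps 3, 7 and 8 (as-is versus to-be, the gap list, the POA&M, and the per-family roll-up for the SSP) is mechanical enough to script. The following is an added example written for this page, not code from the original article or from ReadyCert. The control IDs and family abbreviations are real NIST SP 800-171 Rev 2 identifiers; the statuses, owners, milestone dates and the point weights used to prioritise the POA&M are constructed for illustration (the weights only mimic the 1/3/5-point shape of the DoD Assessment Methodology and must be checked against the current methodology before any score is reported to SPRS).

```python
"""Gap analysis and POA&M builder for a NIST SP 800-171 self-assessment spreadsheet.

Added example, not from the original article. Reads one row per control with
as-is / to-be columns, lists the gaps, builds Plan of Action & Milestones entries,
computes an assessment-style score and rolls results up by control family.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export of the assessment spreadsheet (a handful of the 110 controls).
SAMPLE_CSV = """control_id,family,as_is,to_be,owner,milestone
3.1.1,AC,implemented,implemented,IT Ops,
3.1.2,AC,partial,implemented,IT Ops,2025-03-31
3.3.3,AU,not_implemented,implemented,SOC,2025-02-28
3.5.3,IA,not_implemented,implemented,Identity,2025-04-30
3.5.7,IA,implemented,implemented,Identity,
3.8.3,MP,not_implemented,implemented,IT Ops,2025-05-31
3.10.6,PE,not_applicable,not_applicable,Facilities,
3.13.11,SC,partial,implemented,AppSec,2025-06-30
3.14.2,SI,implemented,implemented,SOC,
"""

VALID_STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}

# ASSUMED point weights for prioritising gaps; unlisted controls count 1 point.
# Illustrative only: verify against the current DoD Assessment Methodology.
ASSUMED_WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.8.3": 5, "3.13.11": 5}
MAX_SCORE = 110  # one point per control when every control is implemented


@dataclass(frozen=True)
class ControlRow:
    control_id: str
    family: str
    as_is: str
    to_be: str
    owner: str
    milestone: str


def load_assessment(csv_text):
    """Parse the spreadsheet export, rejecting rows with an unknown status value."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        for col in ("as_is", "to_be"):
            if rec[col] not in VALID_STATUSES:
                raise ValueError(f"{rec['control_id']}: bad {col} status {rec[col]!r}")
        rows.append(ControlRow(**rec))
    return rows


def is_gap(row):
    """A gap is a control we intend to implement that is not fully implemented yet."""
    return row.to_be == "implemented" and row.as_is != "implemented"


def find_gaps(rows):
    return [r for r in rows if is_gap(r)]


def build_poam(rows, weights=ASSUMED_WEIGHTS):
    """POA&M entries, heaviest gaps first; every gap must carry an owner and a date."""
    entries = []
    for r in find_gaps(rows):
        if not r.milestone or not r.owner:
            raise ValueError(f"{r.control_id}: gap without an owner or milestone date")
        entries.append({
            "control_id": r.control_id,
            "family": r.family,
            "weakness": r.as_is,
            "points": weights.get(r.control_id, 1),
            "owner": r.owner,
            "milestone": r.milestone,
        })
    return sorted(entries, key=lambda e: (-e["points"], e["control_id"]))


def assessment_score(rows, weights=ASSUMED_WEIGHTS):
    """MAX_SCORE minus the weight of every open gap (can go negative on a weak estate)."""
    return MAX_SCORE - sum(weights.get(r.control_id, 1) for r in find_gaps(rows))


def summarize_by_family(rows):
    """Per-family counts, which is how the SSP presents the findings."""
    summary = {}
    for r in rows:
        fam = summary.setdefault(
            r.family, {"total": 0, "implemented": 0, "gaps": 0, "not_applicable": 0})
        fam["total"] += 1
        if r.as_is == "implemented":
            fam["implemented"] += 1
        if r.as_is == "not_applicable":
            fam["not_applicable"] += 1
        if is_gap(r):
            fam["gaps"] += 1
    return summary


if __name__ == "__main__":
    rows = load_assessment(SAMPLE_CSV)
    print(f"Score: {assessment_score(rows)} / {MAX_SCORE}")
    for e in build_poam(rows):
        print(f"{e['control_id']:8} {e['points']} pts  {e['weakness']:16} "
              f"{e['owner']:10} due {e['milestone']}")
    for fam, counts in sorted(summarize_by_family(rows).items()):
        print(fam, counts)
```

Two design points worth keeping in your own spreadsheet: a control whose to-be status is "not_applicable" is never counted as a gap, but it should carry a written justification in the SSP; and the POA&M builder refuses a gap with no owner or milestone date, because an unowned, undated gap is not a plan.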
And, if you want to make all of this much simpler, get ReadyCert and build on what you've got!
5 Tips to Help you comply with NIST 800-171 and stay competitive in the DoD acquisition process.
Before you can improve, you must take an honest, in-depth look at where you’re at.