Drafting an Example GRC Policy Using the NIST Cybersecurity Framework (CSF)

By | September 4, 2024

Below is an example project showcasing a policy written against the NIST Cybersecurity Framework (CSF).

Information Security Policy

Last revision date: July 1, 2024 

Purpose

Information and systems are used by the company to deliver value to our customers and business partners. As such, that information has value and must be protected in accordance with its sensitivity. 

This policy outlines the expectations and behaviors the organization requires in order to protect the confidentiality, integrity and availability of its systems, applications and information. 

This policy is intended to set the full scope of requirements for delivering sound information security to the organization. 

Scope

This policy applies to all staff at ThreatBase and its subsidiaries, including any third-party staff contracted by or providing services on behalf of ThreatBase. This policy applies to all systems, applications and data within the ThreatBase business and Information Technology (IT) systems, including Software-as-a-Service (SaaS) (i.e. cloud) systems. 

Policy

The following statements constitute the information security policy for the organization. Any exception to the policy statements must be explicitly documented. 

Information Security

The organization shall ensure information security is part of the overall risk management strategy. 

Access Control 

The following policies are associated with the control of access to systems and data. 

User Access

  1. Any access granted to ThreatBase systems, applications, and data shall require appropriate approval. 
  2. All access to systems, applications, and data shall be documented and reviewed for validity at a management-approved frequency. 
  3. Account access to systems, applications and data shall be removed when no longer appropriate, either on demand or as discovered during review. 
  4. User account types shall be appropriate for the user access required, i.e. general user, privileged user, non-staff (third party), guest, and emergency users. 
  5. Shared user accounts shall be explicitly approved for use by management on a case-by-case basis. 
  6. Adding, modifying, and deleting user accounts (covering each account type: end user, privileged, third party, guest, and emergency) shall follow the access control approval procedure. 

Authentication

  1. All access to organizational systems, applications, and data that are accessible via the internet (i.e. internet-facing systems) shall require multi-factor authentication. 
  2. All mobile devices (e.g. tablets, mobile phones) shall have an authentication mechanism that must be satisfied to unlock and access the device. 

Remote Access

  1. Remote access shall be allowed using management-approved remote access solutions. 
  2. Third-party remote access shall be reviewed and approved. 
  3. Third-party remote access shall require a member of ThreatBase to explicitly authorize or approve the access on-demand. 
  4. No unattended access shall be granted to any company resources (systems, data, applications). 

Related Procedures 

  1. Access control approval procedure 
  2. Remote access approval procedure 
  3. Mobile device management (MDM) enrollment procedure

Non-Compliance

  1. All individuals to whom this policy applies are required to follow it. Non-compliance with the policy will result in appropriate management-guided sanctions.  

Management Commitment / Authority 

This policy is supported and approved by John Smith, CIO. This is the published information security policy effective August 1, 2024. 

Review Schedule

This policy shall be reviewed and updated at a management-defined frequency and disseminated to all applicable users as updates occur.

Definitions 

  1. Systems, applications, and data are the software, hardware, third-party, and cloud assets that the organization uses to perform business-related activities. 
  2. Mobile devices are devices that “travel” and are used outside of the office environment. This includes, but is not limited to, mobile phones, tablets and laptops.