
Wednesday, October 16, 2019

NIST 800-171 Compliance - Yearly Checklist

Every once in a while you’ll need to bring in the big guns. This is one of those times. Company Management plays a key role in the yearly events.

  1. CEO, Compliance Officer, and OpsO: Conduct a thorough risk assessment individually, then work together to update the risk matrix and plan implementations that mitigate risks or improve the effectiveness of controls
  2. Compliance Officer: Conduct a thorough security controls assessment with the new risk mitigation plan in consideration
  3. IT Team: Conduct a social engineering exercise to help increase employees' awareness of the risk behind many common actions, habits, and natural tendencies
  4. IT Team: Conduct a technical vulnerability assessment and penetration test
  5. Compliance Officer: Review access records related to employees who were terminated within the last 60 days
  6. CEO or Delegate: Conduct walk-through exercises for the business continuity and disaster recovery plans and evaluate the effectiveness of the planned emergency response actions
  7. Compliance Officer: Update the business continuity plan after the walk-through exercises and send copies to key personnel
  8. IT Team: Conduct a comprehensive physical inspection of each workstation
  9. IT Team: Update requirements in GPOs, browser settings, and firewalls to ensure acceptable cryptographic standards are met by default
  10. Office Manager: Check fire extinguishers for expiration and an acceptable pressure gauge reading
  11. Office Manager: Update the list of authorized maintenance organizations and personnel
  12. IT Team: Review warranty and service coverage agreements for information systems
  13. Compliance Officer: Ensure that system Mean Time Between Failures (MTBF) timelines are covered by warranty or service coverage agreements
  14. Compliance Officer: Review information systems and data risk or security categorizations. Spot check whether related policies are in place, then update company policies
  15. Compliance Officer: Request feedback on updated policies from stakeholders and responsible individuals
  16. Compliance Officer: Conduct company-wide training on policies and procedures
  17. Compliance Officer: Document and review waivers, exemptions, or exceptions to the security program and the reasons for the allowances
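Item 5 (the 60-day review of access records for terminated employees) is the one step on this list that is easy to turn into a repeatable check. The script below is an added example, not part of the original post; it assumes an HR export in `user,termination_date` form and access records in `timestamp,user,resource` form, and both samples are constructed for illustration.

```python
from datetime import date, datetime, timedelta

REVIEW_WINDOW_DAYS = 60  # look-back used by the checklist item

# Constructed HR export (assumed format: user,termination_date).
HR_TERMINATIONS = """user,termination_date
jdoe,2019-09-20
asmith,2019-10-01
bold,2019-06-15
"""

# Constructed access records (assumed format: timestamp,user,resource).
ACCESS_LOG = """2019-09-19T17:02:11,jdoe,fileserver01
2019-09-23T08:45:00,jdoe,vpn
2019-10-03T12:10:42,asmith,erp-portal
2019-10-05T09:00:00,mwong,erp-portal
2019-07-02T10:00:00,bold,vpn
"""

def parse_terminations(text, as_of, window_days=REVIEW_WINDOW_DAYS):
    """Return {user: termination_date} for terminations inside the window."""
    cutoff = as_of - timedelta(days=window_days)
    result = {}
    for line in text.strip().splitlines()[1:]:  # skip the CSV header
        user, term = line.split(",")
        term_date = date.fromisoformat(term)
        if cutoff <= term_date <= as_of:
            result[user] = term_date
    return result

def post_termination_access(log_text, terminations):
    """Return (user, timestamp, resource) for access after the termination date."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, resource = line.split(",")
        term_date = terminations.get(user)
        if term_date is None:
            continue  # active employee or terminated outside the window
        if datetime.fromisoformat(ts).date() > term_date:
            findings.append((user, ts, resource))
    return findings

if __name__ == "__main__":
    terms = parse_terminations(HR_TERMINATIONS, as_of=date(2019, 10, 16))
    for user, ts, resource in post_termination_access(ACCESS_LOG, terms):
        print(f"{user} accessed {resource} at {ts} after termination on {terms[user]}")
```

Access on the termination date itself is not flagged, since offboarding usually happens during that day; tighten the comparison if your policy requires accounts to be disabled before the employee's last shift.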
