Example Cybersecurity Standardized Operating Procedures 23 NYCRR 500

This document provides standardized operating procedures for digital security and cybersecurity. It includes procedures related to governance, asset management, business continuity, capacity planning, change management, cloud security, compliance, configuration management, and incident response. The document establishes requirements and guidelines for controls across various cybersecurity domains to help ensure regulatory compliance. It contains over 400 pages of detailed procedures organized by function.

STANDARDIZED OPERATING PROCEDURES (SOP)

[Official Company Name]


TABLE OF CONTENTS

OVERVIEW, INSTRUCTIONS & EXAMPLE 12
KEY TERMINOLOGY 12
OVERVIEW 12
CUSTOMIZATION GUIDANCE 12
VALIDATING NEEDS FOR PROCEDURES / CONTROL ACTIVITIES 12
UNDERSTANDING CONTROL OBJECTIVES & CONTROLS 12
PROCEDURES DOCUMENTATION 13
NIST NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (NICE) CYBERSECURITY WORKFORCE FRAMEWORK 14
EXAMPLE 14
SUPPORTING POLICIES & STANDARDS 17
CYBERSECURITY & PRIVACY FUNCTION OVERVIEW 18
TEAM STRUCTURE 18
MISSION 18
VALUE PROPOSITION 18
KNOWN COMPLIANCE REQUIREMENTS 19
STATUTORY REQUIREMENTS 19
REGULATORY REQUIREMENTS 19
CONTRACTUAL REQUIREMENTS 19
DIGITAL SECURITY GOVERNANCE (GOV) 20
P-GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM 20
P-GOV-02: PUBLISHING SECURITY & PRIVACY POLICIES 20
P-GOV-03: PERIODIC REVIEW & UPDATE OF CYBERSECURITY DOCUMENTATION 21
P-GOV-04: ASSIGNED SECURITY RESPONSIBILITIES 22
P-GOV-05: MEASURES OF PERFORMANCE 23
P-GOV-05(A): MEASURES OF PERFORMANCE | KEY PERFORMANCE INDICATORS (KPIS) 24
P-GOV-05(B): MEASURES OF PERFORMANCE | KEY RISK INDICATORS (KRIS) 24
P-GOV-06: CONTACTS WITH AUTHORITIES 25
P-GOV-07: CONTACTS WITH SECURITY GROUPS & ASSOCIATIONS 26
ASSET MANAGEMENT (AST) 27
P-AST-01: ASSET GOVERNANCE 27
P-AST-02: ASSET INVENTORIES 28
P-AST-02(G): ASSET INVENTORIES | SOFTWARE LICENSING RESTRICTIONS 28
P-AST-03: ASSIGNING OWNERSHIP OF ASSETS 29
P-AST-04: NETWORK DIAGRAMS & DATA FLOW DIAGRAMS (DFDS) 30
P-AST-05: SECURITY OF ASSETS & MEDIA 31
P-AST-06: UNATTENDED END-USER EQUIPMENT 32
P-AST-06(A): UNATTENDED END-USER EQUIPMENT | LAPTOP STORAGE IN AUTOMOBILES 32
P-AST-07: KIOSKS & POINT OF SALE (POS) DEVICES 33
P-AST-09: SECURE DISPOSAL OR RE-USE OF EQUIPMENT 34
P-AST-10: RETURN OF ASSETS 35
P-AST-11: REMOVAL OF ASSETS 36
P-AST-15: TAMPER PROTECTION 36
P-AST-15(A): TAMPER RESISTANCE & DETECTION | INSPECTION OF SYSTEMS, COMPONENTS & DEVICES 38
BUSINESS CONTINUITY & DISASTER RECOVERY (BCD) 39
P-BCD-01: CONTINGENCY PLAN 39
P-BCD-01(A): CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS 40
P-BCD-01(B): CONTINGENCY PLAN | COORDINATE WITH EXTERNAL SERVICE PROVIDERS 40
P-BCD-04: CONTINGENCY PLAN TESTING & EXERCISES 41
P-BCD-04(A): CONTINGENCY PLAN TESTING | COORDINATED TESTING WITH RELATED PLANS 42
P-BCD-05: CONTINGENCY PLAN ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED 43
P-BCD-06: CONTINGENCY PLAN UPDATE 43
P-BCD-08: ALTERNATE STORAGE SITE 44
P-BCD-08(A): ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE 45

Cybersecurity Standardized Operating Procedures (CSOP) - 2018.1 Page 2 of 406


P-BCD-08(B): ALTERNATE STORAGE SITE | ACCESSIBILITY 45
P-BCD-09: ALTERNATE PROCESSING SITE 46
P-BCD-09(A): ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE 47
P-BCD-09(B): ALTERNATE PROCESSING SITE | ACCESSIBILITY 48
P-BCD-09(C): ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE 49
P-BCD-11: DATA BACKUPS 49
P-BCD-11(A): DATA BACKUPS | TESTING FOR RELIABILITY & INTEGRITY 50
P-BCD-11(B): DATA BACKUPS | SEPARATE STORAGE FOR CRITICAL INFORMATION 51
P-BCD-11(C): DATA BACKUPS | INFORMATION SYSTEM IMAGING 52
P-BCD-11(D): DATA BACKUPS | CRYPTOGRAPHIC PROTECTION 52
P-BCD-12: INFORMATION SYSTEM RECOVERY & RECONSTITUTION 53
P-BCD-12(A): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | TRANSACTION RECOVERY 54
P-BCD-12(B): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | FAILOVER CAPABILITY 54
P-BCD-12(C): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | ELECTRONIC DISCOVERY (EDISCOVERY) 55
CAPACITY & PERFORMANCE PLANNING (CAP) 56
P-CAP-01: CAPACITY & PERFORMANCE MANAGEMENT 56
CHANGE MANAGEMENT (CHG) 56
P-CHG-01: CHANGE MANAGEMENT PROGRAM 57
P-CHG-02: CONFIGURATION CHANGE CONTROL 58
P-CHG-02(B): CONFIGURATION CHANGE CONTROL | TEST, VALIDATE & DOCUMENT CHANGES 58
P-CHG-03: SECURITY IMPACT ANALYSIS FOR CHANGES 59
CLOUD SECURITY (CLD) 60
P-CLD-01: CLOUD SERVICES 60
COMPLIANCE (CPL) 62
P-CPL-01: STATUTORY, REGULATORY & CONTRACTUAL COMPLIANCE 62
P-CPL-02: SECURITY CONTROLS OVERSIGHT 63
P-CPL-03: SECURITY ASSESSMENTS 64
P-CPL-03(A): SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS 65
P-CPL-03(B): SECURITY ASSESSMENTS | FUNCTIONAL REVIEW OF SECURITY CONTROLS 65
P-CPL-04: AUDIT ACTIVITIES 66
CONFIGURATION MANAGEMENT (CFG) 68
P-CFG-01: CONFIGURATION MANAGEMENT PROGRAM 68
P-CFG-02: SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS 69
P-CFG-02(D): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | DEVELOPMENT & TEST ENVIRONMENTS 70
P-CFG-03: LEAST FUNCTIONALITY 71
P-CFG-03(A): LEAST FUNCTIONALITY | PERIODIC REVIEW 72
CONTINUOUS MONITORING (MON) 73
P-MON-01: CONTINUOUS MONITORING 73
P-MON-01(B): CONTINUOUS MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS 74
P-MON-01(E): CONTINUOUS MONITORING | WIRELESS INTRUSION DETECTION SYSTEM (WIDS) 75
P-MON-01(G): CONTINUOUS MONITORING | FILE INTEGRITY MONITORING (FIM) 76
P-MON-02: CENTRALIZED EVENT LOG COLLECTION 77
P-MON-02(A): CENTRALIZED SECURITY EVENT LOG COLLECTION | CORRELATE MONITORING INFORMATION 78
P-MON-03: CONTENT OF AUDIT RECORDS 78
P-MON-03(B): CONTENT OF AUDIT RECORDS | AUDIT TRAILS 79
P-MON-03(C): CONTENT OF AUDIT RECORDS | PRIVILEGED FUNCTIONS LOGGING 80
P-MON-06: MONITORING REPORTING 81
P-MON-06(A): MONITORING REPORTING | QUERY PARAMETER AUDITS OF PERSONAL INFORMATION (PI) 81
P-MON-07: TIME STAMPS 83
P-MON-07(A): TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE 84
P-MON-08: PROTECTION OF AUDIT INFORMATION 84
P-MON-08(A): PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS 85
P-MON-08(B): PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS 86
P-MON-10: AUDIT RECORD RETENTION 87
P-MON-16: ANOMALOUS BEHAVIOR 87
P-MON-16(A): ANOMALOUS BEHAVIOR | INSIDER THREATS 88
P-MON-16(B): ANOMALOUS BEHAVIOR | THIRD-PARTY THREATS 89
P-MON-16(C): ANOMALOUS BEHAVIOR | UNAUTHORIZED ACTIVITIES 89
CRYPTOGRAPHIC PROTECTIONS (CRY) 91
P-CRY-01: USE OF CRYPTOGRAPHIC CONTROLS 91
P-CRY-01(B): USE OF CRYPTOGRAPHIC CONTROLS | EXPORT-CONTROLLED TECHNOLOGY 92
P-CRY-02: CRYPTOGRAPHIC MODULE AUTHENTICATION 92
P-CRY-03: TRANSMISSION CONFIDENTIALITY 94
P-CRY-04: TRANSMISSION INTEGRITY 95
P-CRY-05: ENCRYPTING DATA AT REST 95
P-CRY-05(A): ENCRYPTING DATA AT REST | STORAGE MEDIA 96
P-CRY-06: NON-CONSOLE ADMINISTRATIVE ACCESS 97
P-CRY-07: WIRELESS ACCESS AUTHENTICATION & ENCRYPTION 98
P-CRY-09: CRYPTOGRAPHIC KEY MANAGEMENT 98
P-CRY-09(C): CRYPTOGRAPHIC KEY MANAGEMENT | CRYPTOGRAPHIC KEY LOSS OR CHANGE 100
P-CRY-09(D): CRYPTOGRAPHIC KEY MANAGEMENT | CONTROL & DISTRIBUTION OF CRYPTOGRAPHIC KEYS 100
DATA CLASSIFICATION & HANDLING (DCH) 101
P-DCH-01: DATA PROTECTION 101
P-DCH-01(A): DATA PROTECTION | DATA STEWARDSHIP 102
P-DCH-02: DATA & ASSET CLASSIFICATION 103
P-DCH-03: MEDIA ACCESS 104
P-DCH-03(B): MEDIA ACCESS | MASKING DISPLAYED DATA 105
P-DCH-04: MEDIA MARKING 105
P-DCH-04(A): MEDIA MARKING | AUTOMATED MARKING 106
P-DCH-06: MEDIA STORAGE 107
P-DCH-06(A): MEDIA STORAGE | PHYSICALLY SECURE ALL MEDIA 108
P-DCH-06(B): MEDIA STORAGE | SENSITIVE DATA INVENTORIES 108
P-DCH-06(D): MEDIA STORAGE | MAKING SENSITIVE DATA UNREADABLE IN STORAGE 109
P-DCH-06(E): MEDIA STORAGE | STORING AUTHENTICATION DATA 110
P-DCH-07: MEDIA TRANSPORTATION 111
P-DCH-07(A): MEDIA TRANSPORTATION | CUSTODIANS 112
P-DCH-08: PHYSICAL MEDIA DISPOSAL 112
P-DCH-09: DIGITAL MEDIA SANITIZATION 113
P-DCH-09(A): MEDIA SANITIZATION | MEDIA SANITIZATION DOCUMENTATION 114
P-DCH-09(C): MEDIA SANITIZATION | DESTRUCTION OF PERSONAL INFORMATION (PI) 115
P-DCH-10: MEDIA USE 115
P-DCH-10(A): MEDIA USE | LIMITATIONS ON USE 116
P-DCH-12: REMOVABLE MEDIA SECURITY 117
P-DCH-14: INFORMATION SHARING 118
P-DCH-18: MEDIA & DATA RETENTION 118
P-DCH-18(A): MEDIA & DATA RETENTION | LIMIT PERSONAL INFORMATION (PI) ELEMENTS 119
P-DCH-18(B): MEDIA & DATA RETENTION | LIMIT PERSONAL INFORMATION (PI) IN TESTING, TRAINING & RESEARCH 120
P-DCH-24: INFORMATION LOCATION 121
P-DCH-24(A): INFORMATION LOCATION | AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION 122
P-DCH-25: TRANSFER OF PERSONAL INFORMATION 122
EMBEDDED TECHNOLOGY (EMB) 124
P-EMB-01: EMBEDDED TECHNOLOGY SECURITY PROGRAM 124
ENDPOINT SECURITY (END) 125
P-END-01: WORKSTATION SECURITY 125
P-END-02: ENDPOINT PROTECTION MEASURES 126
P-END-03: PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS 127
P-END-03(B): PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS | ACCESS RESTRICTION FOR CHANGE 127
P-END-04: MALICIOUS CODE PROTECTION (ANTI-MALWARE) 128
P-END-04(A): MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES 129
P-END-04(B): MALICIOUS CODE PROTECTION | DOCUMENTED PROTECTION MEASURES 130
P-END-04(F): MALICIOUS CODE PROTECTION | EVOLVING MALWARE THREATS 130
P-END-04(G): MALICIOUS CODE PROTECTION | ALWAYS ON PROTECTION 131
P-END-05: SOFTWARE FIREWALL 132
P-END-06: FILE INTEGRITY MONITORING (FIM) 133
P-END-06(A): FILE INTEGRITY MONITORING | INTEGRITY CHECKS 134
P-END-06(B): FILE INTEGRITY MONITORING | INTEGRATION OF DETECTION & RESPONSE 135
P-END-10: MOBILE CODE 135
P-END-13: SENSOR CAPABILITY 136
P-END-13(A): SENSOR CAPABILITY | AUTHORIZED USE 137
P-END-13(B): SENSOR CAPABILITY | NOTICE OF COLLECTION 138
P-END-13(C): SENSOR CAPABILITY | COLLECTION MINIMIZATION 138
P-END-16: SECURITY FUNCTION ISOLATION 139
P-END-16(A): SECURITY FUNCTION ISOLATION | HOST-BASED SECURITY FUNCTION ISOLATION 140
HUMAN RESOURCES SECURITY (HRS) 142
P-HRS-01: HUMAN RESOURCES SECURITY MANAGEMENT 142
P-HRS-02: POSITION CATEGORIZATION 142
P-HRS-02(A): POSITION CATEGORIZATION | USERS WITH ELEVATED PRIVILEGES 143
P-HRS-03: ROLES & RESPONSIBILITIES 144
P-HRS-03(A): ROLES & RESPONSIBILITIES | USER AWARENESS 145
P-HRS-03(B): ROLES & RESPONSIBILITIES | COMPETENCY REQUIREMENTS FOR SECURITY-RELATED POSITIONS 146
P-HRS-04: PERSONNEL SCREENING 147
P-HRS-04(A): PERSONNEL SCREENING | ROLES WITH SPECIAL PROTECTION MEASURES 148
P-HRS-04(B): PERSONNEL SCREENING | FORMAL INDOCTRINATION 148
P-HRS-05: TERMS OF EMPLOYMENT 149
P-HRS-05(A): TERMS OF EMPLOYMENT | RULES OF BEHAVIOR 149
P-HRS-05(D): TERMS OF EMPLOYMENT | USE OF CRITICAL TECHNOLOGIES 150
P-HRS-06: ACCESS AGREEMENTS 151
P-HRS-06(A): ACCESS AGREEMENTS | CONFIDENTIALITY AGREEMENTS 152
P-HRS-07: PERSONNEL SANCTIONS 153
P-HRS-07(A): PERSONNEL SANCTIONS | WORKPLACE INVESTIGATIONS 155
P-HRS-09: PERSONNEL TERMINATION 156
P-HRS-09(A): PERSONNEL TERMINATION | ASSET COLLECTION 157
P-HRS-09(B): PERSONNEL TERMINATION | HIGH-RISK TERMINATIONS 157
P-HRS-09(C): PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS 158
P-HRS-11: SEPARATION OF DUTIES 159
P-HRS-12: INCOMPATIBLE ROLES 161
P-HRS-12(A): INCOMPATIBLE ROLES | TWO-PERSON RULE 161
IDENTIFICATION & AUTHENTICATION (IAC) 163
P-IAC-01: IDENTITY & ACCESS MANAGEMENT (IAM) 163
P-IAC-02: IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS 163
P-IAC-02(A): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS | GROUP AUTHENTICATION 164
P-IAC-02(B): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT 165
P-IAC-02(C): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS | ACCEPTANCE OF PIV CREDENTIALS 166
P-IAC-06: MULTIFACTOR AUTHENTICATION (MFA) 166
P-IAC-06(A): MULTI-FACTOR AUTHENTICATION (MFA) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS 167
P-IAC-06(B): MULTI-FACTOR AUTHENTICATION (MFA) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS 168
P-IAC-06(C): MULTI-FACTOR AUTHENTICATION (MFA) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS 168
P-IAC-07: USER PROVISIONING & DE-PROVISIONING 169
P-IAC-07(A): USER PROVISIONING & DE-PROVISIONING | CHANGE OF ROLES & DUTIES 170
P-IAC-07(B): USER PROVISIONING & DE-PROVISIONING | TERMINATION OF EMPLOYMENT 171
P-IAC-08: ROLE-BASED ACCESS CONTROL (RBAC) 172
P-IAC-09: IDENTIFIER MANAGEMENT (USER NAMES) 173
P-IAC-09(A): IDENTIFIER MANAGEMENT | USER IDENTITY (ID) MANAGEMENT 175
P-IAC-09(F): IDENTIFIER MANAGEMENT | PAIRWISE PSEUDONYMOUS IDENTIFIERS 175
P-IAC-10: AUTHENTICATOR MANAGEMENT (PASSWORDS) 176
P-IAC-10(H): AUTHENTICATOR MANAGEMENT | VENDOR-SUPPLIED DEFAULTS 177
P-IAC-12: CRYPTOGRAPHIC MODULE AUTHENTICATION 178
P-IAC-14: RE-AUTHENTICATION 178
P-IAC-15: ACCOUNT MANAGEMENT 179
P-IAC-15(A): ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT 181
P-IAC-15(B): ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS 181
P-IAC-15(C): ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS 182
P-IAC-15(D): ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS 183
P-IAC-15(E): ACCOUNT MANAGEMENT | RESTRICTIONS ON SHARED GROUPS / ACCOUNTS 183
P-IAC-15(F): ACCOUNT MANAGEMENT | ACCOUNT DISABLING FOR HIGH RISK INDIVIDUALS 184
P-IAC-15(G): ACCOUNT MANAGEMENT | SYSTEM ACCOUNTS 185
P-IAC-16: PRIVILEGED ACCOUNT MANAGEMENT (PAM) 185
P-IAC-16(A): PRIVILEGED ACCOUNT MANAGEMENT (PAM) | PRIVILEGED ACCOUNT INVENTORIES 186
P-IAC-18: USER RESPONSIBILITIES FOR ACCOUNT MANAGEMENT 187
P-IAC-19: CREDENTIAL SHARING 188
P-IAC-20: ACCESS ENFORCEMENT 188
P-IAC-20(A): ACCESS ENFORCEMENT | ACCESS TO SENSITIVE DATA 189
P-IAC-20(B): ACCESS ENFORCEMENT | DATABASE ACCESS 191
P-IAC-20(C): ACCESS ENFORCEMENT | USE OF PRIVILEGED UTILITY PROGRAMS 192
P-IAC-21: LEAST PRIVILEGE 192
P-IAC-21(D): LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS 193
P-IAC-22: ACCOUNT LOCKOUT 195
P-IAC-25: SESSION TERMINATION 195
INCIDENT RESPONSE (IRO) 196
P-IRO-01: INCIDENTS RESPONSE OPERATIONS 196
P-IRO-02: INCIDENT HANDLING 198
P-IRO-02(A): INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES 199
P-IRO-02(B): INCIDENT HANDLING | IDENTITY THEFT PROTECTION PROGRAM (ITPP) 199
P-IRO-03: INDICATORS OF COMPROMISE (IOC) 200
P-IRO-04: INCIDENT RESPONSE PLAN (IRP) 201
P-IRO-04(A): INCIDENT RESPONSE PLAN (IRP) | PERSONAL INFORMATION (PI) PROCESSES 202
P-IRO-04(B): INCIDENT RESPONSE PLAN (IRP) | IRP UPDATE 203
P-IRO-05: INCIDENT RESPONSE TRAINING 204
P-IRO-06: INCIDENT RESPONSE TESTING 204
P-IRO-06(A): INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS 205
P-IRO-07: INTEGRATED SECURITY INCIDENT RESPONSE TEAM (ISIRT) 206
P-IRO-08: CHAIN OF CUSTODY & FORENSICS 207
P-IRO-09: INCIDENT MONITORING & TRACKING 207
P-IRO-09(A): INCIDENT MONITORING & TRACKING | AUTOMATED TRACKING, DATA COLLECTION & ANALYSIS 208
P-IRO-10: INCIDENT REPORTING 209
P-IRO-10(A): INCIDENT REPORTING | AUTOMATED REPORTING 210
P-IRO-10(B): INCIDENT REPORTING | CYBER INCIDENT REPORTING FOR COVERED DEFENSE INFORMATION (CDI) 211
P-IRO-10(C): INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS 212
P-IRO-10(D): INCIDENT REPORTING | SUPPLY CHAIN COORDINATION 212
P-IRO-11: INCIDENT REPORTING ASSISTANCE 213
P-IRO-11(B): INCIDENT REPORTING ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS 214
P-IRO-13: ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED 215
P-IRO-14: REGULATORY & LAW ENFORCEMENT CONTACTS 217
INFORMATION ASSURANCE (IAO) 218
P-IAO-01: INFORMATION ASSURANCE (IA) OPERATIONS 218
P-IAO-02: SECURITY ASSESSMENTS 219
P-IAO-02(A): SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS 220
P-IAO-02(B): SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS 220
P-IAO-02(C): SECURITY ASSESSMENTS | EXTERNAL ORGANIZATIONS 221
P-IAO-04: THREAT ANALYSIS & FLAW REMEDIATION DURING DEVELOPMENT 223
P-IAO-07: SECURITY AUTHORIZATION 224
MAINTENANCE (MNT) 225
P-MNT-01: MAINTENANCE OPERATIONS 225
P-MNT-02: CONTROLLED MAINTENANCE 225
P-MNT-05: NON-LOCAL MAINTENANCE 226
P-MNT-05(C): NON-LOCAL MAINTENANCE | CRYPTOGRAPHIC PROTECTION 227
MOBILE DEVICE MANAGEMENT (MDM) 228
P-MDM-02: ACCESS CONTROL FOR MOBILE DEVICES 228
P-MDM-04: TAMPER PROTECTION & DETECTION 229
P-MDM-05: REMOTE PURGING 230
NETWORK SECURITY (NET) 231
P-NET-01: NETWORK SECURITY MANAGEMENT 231
P-NET-02: LAYERED DEFENSES 232
P-NET-02(B): LAYERED DEFENSES | GUEST NETWORKS 233
P-NET-03: BOUNDARY PROTECTION 233
P-NET-03(C): BOUNDARY PROTECTION | INTERNAL NETWORK ADDRESS SPACE 235
P-NET-04: DATA FLOW ENFORCEMENT – ACCESS CONTROL LISTS (ACLS) 235
P-NET-04(A): DATA FLOW ENFORCEMENT | DENY TRAFFIC BY DEFAULT & ALLOW TRAFFIC BY EXCEPTION 237
P-NET-04(F): DATA FLOW ENFORCEMENT | HUMAN REVIEWS 238
P-NET-05: SYSTEM INTERCONNECTIONS 238
P-NET-05(A): SYSTEM INTERCONNECTIONS | EXTERNAL SYSTEM CONNECTIONS 239
P-NET-07: NETWORK DISCONNECT 240
P-NET-08: NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) 241
P-NET-08(A): NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) | DMZ NETWORKS 241
P-NET-08(B): NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) | WIRELESS INTRUSION DETECTION / PREVENTION SYSTEMS (WIDS / WIPS) 242
P-NET-12: SAFEGUARDING DATA OVER OPEN NETWORKS 243
P-NET-12(A): SAFEGUARDING DATA OVER OPEN NETWORKS | WIRELESS LINK PROTECTION 244
P-NET-12(B): SAFEGUARDING DATA OVER OPEN NETWORKS | END-USER MESSAGING TECHNOLOGIES 245
P-NET-13: ELECTRONIC MESSAGING 246
P-NET-14: REMOTE ACCESS 246
P-NET-14(E): REMOTE ACCESS | TELECOMMUTING 247
P-NET-14(F): REMOTE ACCESS | THIRD-PARTY REMOTE ACCESS GOVERNANCE 248
P-NET-15: WIRELESS NETWORKING 249
P-NET-15(A): WIRELESS ACCESS | AUTHENTICATION & ENCRYPTION 249
P-NET-15(E): WIRELESS ACCESS | ROGUE WIRELESS DETECTION 250
P-NET-16: INTRANETS 251
P-NET-17: DATA LOSS PREVENTION (DLP) 252
P-NET-18: CONTENT FILTERING 252
P-NET-18(A): CONTENT FILTERING | ROUTE TRAFFIC TO PROXY SERVERS 253
PHYSICAL & ENVIRONMENTAL SECURITY (PES) 255
P-PES-01: PHYSICAL & ENVIRONMENTAL PROTECTIONS 255
P-PES-02: PHYSICAL ACCESS AUTHORIZATIONS 255
P-PES-02(A): PHYSICAL ACCESS AUTHORIZATIONS | ROLE-BASED PHYSICAL ACCESS 256
P-PES-03: PHYSICAL ACCESS CONTROL 257
P-PES-03(A): PHYSICAL ACCESS CONTROL | CONTROLLED INGRESS & EGRESS POINTS 258
P-PES-03(C): PHYSICAL ACCESS CONTROL | PHYSICAL ACCESS LOGS 259
P-PES-04: PHYSICAL SECURITY OF OFFICES, ROOMS & FACILITIES 260
P-PES-04(A): PHYSICAL SECURITY OF OFFICES, ROOMS & FACILITIES | WORKING IN SECURE AREAS 260
P-PES-05: MONITORING PHYSICAL ACCESS 261
P-PES-05(A): MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT 262
P-PES-06: VISITOR CONTROL 263
P-PES-06(A): VISITOR CONTROL | DISTINGUISH VISITORS FROM ON-SITE PERSONNEL 264
P-PES-06(B): VISITOR CONTROL | IDENTIFICATION REQUIREMENT 264
P-PES-06(C): VISITOR CONTROL | RESTRICT UNESCORTED ACCESS 265
P-PES-07: SUPPORTING UTILITIES 266
P-PES-07(A): SUPPORTING UTILITIES | AUTOMATIC VOLTAGE CONTROLS 267
P-PES-07(B): SUPPORTING UTILITIES | EMERGENCY SHUTOFF 267
P-PES-07(C): SUPPORTING UTILITIES | EMERGENCY POWER 268
P-PES-07(D): SUPPORTING UTILITIES | EMERGENCY LIGHTING 269
P-PES-07(E): SUPPORTING UTILITIES | WATER DAMAGE PROTECTION 270
P-PES-10: DELIVERY & REMOVAL 270
P-PES-12: EQUIPMENT SITING & PROTECTION 271
P-PES-12(A): EQUIPMENT SITING & PROTECTION | ACCESS CONTROL FOR TRANSMISSION MEDIUM 272
P-PES-13: INFORMATION LEAKAGE DUE TO ELECTROMAGNETIC SIGNALS EMANATIONS 273
PRIVACY (PRI) 273
P-PRI-01: PRIVACY PROGRAM 274
P-PRI-01(A): PRIVACY PROGRAM | CHIEF PRIVACY OFFICER (CPO) 274
P-PRI-01(D): PRIVACY PROGRAM | DATA PROTECTION OFFICER (DPO) 275
P-PRI-02: NOTICE 276
P-PRI-02(A): NOTICE | PURPOSE SPECIFICATION 277
P-PRI-02(B): NOTICE | AUTOMATION 277
P-PRI-03: CHOICE & CONSENT 278
P-PRI-03(A): CHOICE & CONSENT | ATTRIBUTE MANAGEMENT 279
P-PRI-03(B): CHOICE & CONSENT | JUST-IN-TIME NOTICE & CONSENT 279
P-PRI-04: COLLECTION 280
P-PRI-04(A): COLLECTION | AUTHORITY TO COLLECT 281
P-PRI-05: USE, RETENTION & DISPOSAL 282
P-PRI-05(A): USE, RETENTION & DISPOSAL | INTERNAL USE 282
P-PRI-05(B): USE, RETENTION & DISPOSAL | DATA INTEGRITY 283
P-PRI-05(C): USE, RETENTION & DISPOSAL | DATA MASKING 284
P-PRI-05(D): USE, RETENTION & DISPOSAL | USAGE RESTRICTIONS OF PERSONAL INFORMATION (PI) 284
P-PRI-06: RIGHT OF ACCESS 285
P-PRI-06(A): RIGHT OF ACCESS | REDRESS 286
P-PRI-06(B): RIGHT OF ACCESS | NOTICE OF CORRECTION OF AMENDMENT 287
P-PRI-06(C): RIGHT OF ACCESS | APPEAL 287
P-PRI-06(D): RIGHT OF ACCESS | USER FEEDBACK MANAGEMENT 288
P-PRI-06(E): RIGHT OF ACCESS | RIGHT TO ERASURE 289
P-PRI-06(F): RIGHT OF ACCESS | DATA PORTABILITY 290
P-PRI-07: INFORMATION SHARING WITH THIRD PARTIES 290
P-PRI-07(A): INFORMATION SHARING WITH THIRD PARTIES | PRIVACY REQUIREMENTS FOR CONTRACTORS & SERVICE PROVIDERS 292
P-PRI-08: TESTING, TRAINING & MONITORING 293
P-PRI-09: SYSTEM OF RECORDS NOTICE (SORN) 293
P-PRI-10: DATA QUALITY MANAGEMENT 294
P-PRI-10(A): DATA QUALITY MANAGEMENT | AUTOMATION 295
P-PRI-12: UPDATING PERSONAL INFORMATION (PI) 296
P-PRI-13: DATA MANAGEMENT BOARD 296
P-PRI-14: PRIVACY REPORTING 297
P-PRI-14(A): PRIVACY REPORTING | ACCOUNTING OF DISCLOSURES 298
P-PRI-15: REGISTER DATABASE 299
PROJECT & RESOURCE MANAGEMENT (PRM) 301
P-PRM-01: SECURITY PORTFOLIO MANAGEMENT 301
P-PRM-03: ALLOCATION OF RESOURCES 301
P-PRM-04: SECURITY IN PROJECT MANAGEMENT 302
P-PRM-05: SECURITY REQUIREMENTS DEFINITION 303
P-PRM-07: SECURE DEVELOPMENT LIFE CYCLE (SDLC) MANAGEMENT 304
RISK MANAGEMENT (RSK) 306
P-RSK-01: RISK MANAGEMENT PROGRAM 306
P-RSK-01(A): RISK MANAGEMENT PROGRAM (RMP) | RISK FRAMING 307
P-RSK-02: RISK-BASED SECURITY CATEGORIZATION 307
P-RSK-03: RISK IDENTIFICATION 308
P-RSK-04: RISK ASSESSMENT 309
P-RSK-04(A): RISK ASSESSMENT | RISK REGISTER 310
P-RSK-05: RISK RANKING 311
P-RSK-06: RISK REMEDIATION 311
P-RSK-06(A): RISK REMEDIATION | RISK RESPONSE 312
P-RSK-07: RISK ASSESSMENT UPDATE 313
P-RSK-08: BUSINESS IMPACT ANALYSIS (BIA) 313
P-RSK-09: SUPPLY CHAIN RISK MANAGEMENT PLAN 314
P-RSK-09(A): SUPPLY CHAIN RISK MANAGEMENT PLAN | SUPPLY CHAIN RISK ASSESSMENT 315
P-RSK-10: DATA PROTECTION IMPACT ASSESSMENT (DPIA) 316
SECURE ENGINEERING & ARCHITECTURE (SEA) 318
P-SEA-01: SECURE ENGINEERING PRINCIPLES 318
P-SEA-01(A): SECURE ENGINEERING PRINCIPLES | CENTRALIZED MANAGEMENT OF CYBERSECURITY & PRIVACY CONTROLS 319
P-SEA-02: ALIGNMENT WITH ENTERPRISE ARCHITECTURE 320
P-SEA-02(A): ALIGNMENT WITH ENTERPRISE ARCHITECTURE | STANDARDIZED TERMINOLOGY 321
P-SEA-03: DEFENSE-IN-DEPTH (DID) ARCHITECTURE 321
P-SEA-03(B): DEFENSE-IN-DEPTH (DID) ARCHITECTURE | APPLICATION PARTITIONING 322
P-SEA-04: PROCESS ISOLATION 323
P-SEA-04(A): PROCESS ISOLATION | SECURITY FUNCTION ISOLATION 324
P-SEA-07: PREDICTABLE FAILURE ANALYSIS 325
P-SEA-07(B): PREDICTABLE FAILURE ANALYSIS | FAIL SECURE 325
P-SEA-15: DISTRIBUTED PROCESSING & STORAGE 326
P-SEA-17: SECURE LOG-ON PROCEDURES 327
P-SEA-20: CLOCK SYNCHRONIZATION 327
SECURITY OPERATIONS (OPS) 329
P-OPS-01: OPERATIONS SECURITY 329
P-OPS-01(A): OPERATIONS SECURITY | STANDARDIZED OPERATING PROCEDURES (SOP) 329
P-OPS-02: SECURITY CONCEPT OF OPERATIONS (CONOPS) 330
SECURITY AWARENESS & TRAINING (SAT) 331
P-SAT-01: SECURITY & PRIVACY-MINDED WORKFORCE 331
P-SAT-02: SECURITY & PRIVACY AWARENESS 332
P-SAT-02(A): SECURITY AWARENESS | PRACTICAL EXERCISES 333
P-SAT-02(B): SECURITY AWARENESS | SOCIAL ENGINEERING & MINING 334
P-SAT-03: SECURITY & PRIVACY TRAINING 335
P-SAT-03(C): SECURITY & PRIVACY TRAINING | SENSITIVE INFORMATION STORAGE, HANDLING & PROCESSING 335
P-SAT-03(E): SECURITY & PRIVACY TRAINING | PRIVILEGED USERS 337
P-SAT-04: TRAINING RECORDS 337
TECHNOLOGY DEVELOPMENT & ACQUISITION (TDA) 339
P-TDA-01: TECHNOLOGY DEVELOPMENT & ACQUISITION 339
P-TDA-01(A): TECHNOLOGY DEVELOPMENT & ACQUISITION | PRODUCT MANAGEMENT 339
P-TDA-01(B): TECHNOLOGY DEVELOPMENT & ACQUISITION | INTEGRITY MECHANISMS FOR SOFTWARE / FIRMWARE UPDATES 340
P-TDA-01(C): TECHNOLOGY DEVELOPMENT & ACQUISITION | MALWARE TESTING PRIOR TO RELEASE 342
P-TDA-06: SECURE CODING 343
P-TDA-06(A): SECURE CODING | CRITICALITY ANALYSIS 344
P-TDA-07: SECURE DEVELOPMENT ENVIRONMENTS 344
P-TDA-08: SEPARATION OF DEVELOPMENT, TESTING & OPERATIONAL ENVIRONMENTS 345
P-TDA-09: SECURITY & PRIVACY TESTING THROUGHOUT DEVELOPMENT 346
P-TDA-09(B): SECURITY & PRIVACY TESTING THROUGHOUT DEVELOPMENT | STATIC CODE ANALYSIS 347
P-TDA-10: USE OF LIVE DATA 348
P-TDA-10(A): USE OF LIVE DATA | TEST DATA INTEGRITY 348
P-TDA-14: DEVELOPER CONFIGURATION MANAGEMENT 349
P-TDA-14(A): DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION 350
P-TDA-15: DEVELOPER THREAT ANALYSIS & FLAW REMEDIATION 351
P-TDA-20: ACCESS TO PROGRAM SOURCE CODE 352
THIRD-PARTY MANAGEMENT (TPM) 353
P-TPM-01: THIRD-PARTY MANAGEMENT 353
P-TPM-02: THIRD-PARTY CRITICALITY ASSESSMENTS 354
P-TPM-03: SUPPLY CHAIN PROTECTION 354
P-TPM-03(A): SUPPLY CHAIN PROTECTION | ACQUISITION STRATEGIES, TOOLS & METHODS 356
P-TPM-03(B): SUPPLY CHAIN PROTECTION | LIMIT POTENTIAL HARM 357
P-TPM-03(C): SUPPLY CHAIN PROTECTION | PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES 357
P-TPM-04: THIRD-PARTY SERVICES 358
P-TPM-04(A): THIRD-PARTY SERVICES | THIRD-PARTY RISK ASSESSMENTS & APPROVALS 359
P-TPM-04(D): THIRD-PARTY SERVICES | THIRD-PARTY PROCESSING, STORAGE AND SERVICE LOCATIONS 360
P-TPM-05: THIRD-PARTY CONTRACT REQUIREMENTS 362
P-TPM-06: THIRD-PARTY PERSONNEL SECURITY 363
P-TPM-08: REVIEW OF THIRD-PARTY SERVICES 363
P-TPM-10: MANAGING CHANGES TO THIRD-PARTY SERVICES 364
P-TPM-11: THIRD-PARTY INCIDENT RESPONSE & RECOVERY CAPABILITIES 365
THREAT MANAGEMENT (THR) 367
P-THR-01: THREAT AWARENESS PROGRAM 367
P-THR-03: THREAT INTELLIGENCE FEEDS 367
VULNERABILITY & PATCH MANAGEMENT (VPM) 368
P-VPM-01: VULNERABILITY & PATCH MANAGEMENT PROGRAM 368
P-VPM-03: VULNERABILITY RANKING 369
P-VPM-04: CONTINUOUS VULNERABILITY REMEDIATION ACTIVITIES 370
P-VPM-04(B): CONTINUOUS VULNERABILITY REMEDIATION ACTIVITIES | FLAW REMEDIATION WITH PERSONAL INFORMATION (PI) 371
P-VPM-05: SOFTWARE PATCHING 372
P-VPM-05(A): SOFTWARE PATCHING | CENTRALIZED MANAGEMENT 373
P-VPM-06: VULNERABILITY SCANNING 374
P-VPM-06(F): VULNERABILITY SCANNING | EXTERNAL VULNERABILITY ASSESSMENT SCANS 375
P-VPM-06(G): VULNERABILITY SCANNING | INTERNAL VULNERABILITY ASSESSMENT SCANS 375
P-VPM-07: PENETRATION TESTING 376
P-VPM-07(A): PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM 377
P-VPM-10: RED TEAM EXERCISES 378
WEB SECURITY (WEB) 380
P-WEB-01: WEB SECURITY 380
P-WEB-02: USE OF DEMILITARIZED ZONES (DMZ) 380
CYBERSECURITY OPERATING PROCEDURES (CSOP) APPENDICES 381
APPENDIX A: GUIDE TO WRITING PROCEDURES 381
A-1: NECESSARY COMPONENTS FOR WRITTEN PROCEDURES 382
A-2: PROCEDURE MAPPING – BREAKING OUT THE REQUIREMENTS 383
A-3: EXAMPLE PROCEDURE (HOW IT ALL COMES TOGETHER) 383
A-4: CONSIDERATIONS WHEN SCOPING PROCEDURES 383
APPENDIX B: AVAILABLE TOOLS & SERVICES 385
B-1: TOOL / SERVICE 1 385
B-2: TOOL / SERVICE 2 385
B-3: TOOL / SERVICE 3 385
B-4: TOOL / SERVICE 1 385
B-5: TOOL / SERVICE 2 385
B-6: TOOL / SERVICE 3 385
APPENDIX C: KEY STAKEHOLDERS 386
C-1: CYBERSECURITY 386
C-2: INFORMATION TECHNOLOGY (IT) 386
C-3: RETAIL SUPPORT 386
C-4: VENDORS / SERVICE PROVIDERS 387
C-5: LEGAL 387
C-6: PROCUREMENT 388
C-7: HUMAN RESOURCES 388
C-8: PHYSICAL SECURITY 389
APPENDIX D: CYBERSECURITY ROLES & RESPONSIBILITIES 390
D-1: INFORMATION SECURITY ROLE CATEGORIES 390
D-2: INFORMATION SECURITY SPECIALTY AREAS (ROLES) 391
D-3: INFORMATION SECURITY WORK ROLES & RESPONSIBILITIES 394
APPENDIX E: SYSTEM HARDENING 401
E-1: SERVER-CLASS SYSTEMS 401
E-2: WORKSTATION-CLASS SYSTEMS 401
E-3: NETWORK DEVICES 401
E-4: MOBILE DEVICES 401
E-5: DATABASES 402
APPENDIX F: USER NAME TAXONOMY (GUIDANCE ON TYPES OF USER NAMES) 403
F-1: INDIVIDUAL USER NAMES 403
F-2: GROUP & SHARED ACCOUNT USER NAMES 404
GLOSSARY: ACRONYMS & DEFINITIONS 405
ACRONYMS 405
DEFINITIONS 405
RECORD OF CHANGES 406

OVERVIEW, INSTRUCTIONS & EXAMPLE

KEY TERMINOLOGY
With the Cybersecurity Standardized Operating Procedures (CSOP), it is important to understand a few key terms:
• Procedure / Control Activity: Procedures represent an established way of doing something, such as a series of actions conducted in a specified order or manner. Some organizations refer to procedures as “control activities” and the terms are essentially synonymous. In the CSOP, the terms procedure and control activity are used interchangeably.
• Process Owner: The individual or team accountable for the procedure being performed. This identifies the accountable party that ensures the procedure is performed. This role is oversight-oriented and managerial.
  o Example: The Security Operations Center (SOC) Supervisor is accountable for his/her team collecting log files, performing analysis and escalating potential incidents for further investigation.
• Process Operator: The individual or team responsible for performing the procedure’s tasks. This identifies the responsible party that actually performs the work. This role is a “doer” and performs tasks.
  o Example: The SOC analyst is responsible for performing daily log reviews, evaluating anomalous activities and responding to potential incidents in accordance with the organization’s Incident Response Plan (IRP).

OVERVIEW
The Cybersecurity Standardized Operating Procedures (CSOP) is a catalog of procedure / control activity statements. These are templates that require slight modification to suit the specific needs of the organization.

CUSTOMIZATION GUIDANCE
The content of the CSOP does require a certain level of customization by any organization, since every organization differs in the people, processes or technology available to perform these procedures / control activities.

Essentially, we’ve done the heavy lifting in developing the template and pre-populating a significant amount of content. Our target is for the template to supply about 80% of the content, leaving the remaining 20% for customization with specifics that only the organization would know, such as when the organization calls its change management group the Change Advisory Board (CAB) instead of the Change Control Board (CCB). Those small differences in roles, titles, department names and technologies in use are all content that just needs to be filled into the template to finalize the procedures / control activities.

VALIDATING NEEDS FOR PROCEDURES / CONTROL ACTIVITIES

Procedures are not meant to be documented for the sake of generating paperwork. Procedures are meant to satisfy a specific operational need and are expected to be complied with:
• If procedures exist and are not tied to a standard, then management should review why the procedure is in place.
• A procedure that lacks a mapping to a standard may indicate “mission creep” and represent an opportunity to reassign the work or cease performing the procedure.

UNDERSTANDING CONTROL OBJECTIVES & CONTROLS

As part of the CSOP, you will see Control Objectives and Controls for each of the CSOP procedures:
• The origin of the Control Objective is the Information Security Program (ISP), which consolidates multiple statutory, regulatory
and contractual requirements into a single control objective.
• The origin of the Controls is the Secure Controls Framework (SCF), which is an open source set of cybersecurity and privacy
controls.

Note - The footnotes at the bottom of the page and the accompanying Excel spreadsheet provide mapping between the control
objectives, controls and leading frameworks, including statutory, regulatory and contractual obligations.

Cybersecurity Standardized Operating Procedures (CSOP) - 2018.1 Page 12 of 406


PROCEDURES DOCUMENTATION
The objective of the CSOP is to provide management direction and support for cybersecurity in accordance with business
requirements, as well as relevant laws, regulations and contractual obligations.

Procedures should be both clearly-written and concise.

• Procedure documentation is meant to provide evidence of due diligence that standards are complied with.
• Well-managed procedures are critical to a security program, since procedures represent the specific activities that are
performed to protect systems and data.

Procedures serve a critical function in cybersecurity. Most other documentation produces evidence of due care considerations,
but procedures are unique in that they generate evidence of due diligence.

From a due care and due diligence perspective, it can be thought of this way:
• Certain standards require processes to exist (due care – evidence demonstrates standards exist).
• Performing the activities outlined in a procedure and documenting the work that was performed satisfies the intent of the
standard (due diligence – evidence demonstrates the standard is operating effectively).

The diagram shown below helps visualize the linkages in documentation that involve written procedures:
• CONTROL OBJECTIVES exist to support POLICIES;
• STANDARDS are written to support CONTROL OBJECTIVES;
• PROCEDURES are written to implement the requirements that STANDARDS establish;
• CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their
capabilities are implemented and/or functioning; and
• METRICS exist as a way to measure the performance of CONTROLS.
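The linkage checks this chain implies, as an added Python example that is not part of the CSOP: it flags procedures with no standard behind them (the “mission creep” case described earlier), standards that no procedure implements, and procedures that no control assesses. The catalog contents are constructed sample data; the ids only imitate the CSOP's naming style.

```python
"""Check the documentation linkages the CSOP describes: control objectives
support policies, standards support control objectives, procedures implement
standards, and controls assess procedures. Orphans at any level are the
"mission creep" and due-care gaps management is asked to review.

Added example, not part of the CSOP. The ids below follow the CSOP's
naming style, but the catalog itself is constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Catalog:
    policies: set[str]
    control_objectives: dict[str, str]   # objective id -> policy id it supports
    standards: dict[str, str]            # standard id -> control objective it supports
    procedures: dict[str, set[str]]      # procedure id -> standards it implements
    controls: dict[str, set[str]]        # control id -> procedures it assesses


def find_linkage_gaps(cat: Catalog) -> dict[str, list[str]]:
    """Return the findings a management review would want to see, sorted."""
    gaps: dict[str, list[str]] = {
        "dangling_references": [],     # a mapping to an id that does not exist
        "orphan_procedures": [],       # procedure tied to no standard (possible mission creep)
        "unimplemented_standards": [], # standard with no procedure (no due-diligence evidence)
        "unassessed_procedures": [],   # procedure no control assesses (operation never audited)
    }
    for obj, pol in cat.control_objectives.items():
        if pol not in cat.policies:
            gaps["dangling_references"].append(f"{obj} -> {pol}")
    for std, obj in cat.standards.items():
        if obj not in cat.control_objectives:
            gaps["dangling_references"].append(f"{std} -> {obj}")
    # Every procedure named by at least one control counts as assessed
    assessed: set[str] = set().union(*cat.controls.values()) if cat.controls else set()
    implemented: set[str] = set()
    for proc, stds in cat.procedures.items():
        valid = {s for s in stds if s in cat.standards}
        gaps["dangling_references"].extend(f"{proc} -> {s}" for s in sorted(stds - valid))
        if not valid:
            gaps["orphan_procedures"].append(proc)
        if proc not in assessed:
            gaps["unassessed_procedures"].append(proc)
        implemented |= valid
    gaps["unimplemented_standards"] = sorted(set(cat.standards) - implemented)
    return {k: sorted(v) for k, v in gaps.items()}


# Constructed sample catalog (ids imitate the CSOP naming style only)
SAMPLE = Catalog(
    policies={"POL-AC", "POL-CM"},
    control_objectives={"CO-AC-1": "POL-AC", "CO-CFG-02": "POL-CM"},
    standards={"STD-2.6.2": "CO-AC-1", "STD-CFG-02": "CO-CFG-02", "STD-CFG-03": "CO-CFG-02"},
    procedures={
        "P-CFG-02": {"STD-CFG-02"},
        "P-AC-REVIEW": {"STD-2.6.2"},
        "P-MISC-07": {"STD-9.9"},   # maps to a standard that does not exist
    },
    controls={"CFG-02": {"P-CFG-02"}, "IAC-17": {"P-AC-REVIEW"}},
)

if __name__ == "__main__":
    for kind, items in find_linkage_gaps(SAMPLE).items():
        print(f"{kind}: {items or 'none'}")
```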

Documentation Flow Example.

NIST NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (NICE) CYBERSECURITY WORKFORCE FRAMEWORK
The CSOP leverages the NIST NICE Cybersecurity Workforce Framework. 1 The premise of this framework is that work roles have an
impact on an organization’s ability to protect its data, systems and operations. Assigning work roles helps direct the work of
employees and contractors and minimizes assumptions about who is responsible for certain cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks
associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and
are fully editable for every organization – this is just a helpful point in the right direction!

NIST NICE Cybersecurity Workforce Framework – Work Categories

EXAMPLE
This example is a configuration procedure P-CFG-02 (System Hardening Through Baseline Configurations)

PLEASE NOTE THE PROCESS CRITERIA SECTION SHOWN BELOW CAN BE DELETED & IS NOT PART OF THE PROCEDURE

The process criteria sections exist only to be a useful tool to help build out the procedures by establishing criteria and creating a
working space to capture key components that impact the procedure.

Process Criteria:
• Process Owner: name of the individual or team accountable for the procedure being performed
o Example: The process owner for system hardening at ACME is the cybersecurity director, John Doe.
• Process Operator: name of the individual or team responsible to perform the procedure’s tasks.
o Example: The process operator for system hardening at ACME is split between several teams:
- Network gear is assigned to network admins.
- Servers are assigned to server admins.
- Laptops, desktops and mobile devices are assigned to the End User Computing (EUC) team.
• Occurrence: how often does the procedure need to be conducted? Is it something that needs to be performed annually,
semi-annually, quarterly, monthly, bi-weekly, weekly, daily, continuous or as needed?
o Example: Generally, system hardening is an “as needed” process that happens when new operating systems are
released or when new technology is purchased. However, there should still be an annual review to ensure that
appropriate baseline configurations exist and are current to what is deployed at ACME.
• Scope of Impact: what is the potential impact of the procedure? Does it affect a system, application, process, team,
department, user, client, vendor, geographic region or the entire company?
o Example: The scope affects the entire company. Any deviations to the secure baselines are handled on an
individual basis.
• Location of Additional Documentation: if applicable, is there a server, link or other repository where additional
documentation is stored or can be found?
o Example: Baseline configurations, benchmarks and STIGs are located on server XYZ123 in the folder called “Secure
Baselines” and are available read-only to all users.
• Performance Target: if applicable, is there a Service Level Agreement (SLA) or targeted timeline for the process to be
completed?
o Example: There are no SLAs associated with baseline configurations.
• Technology in Use: if applicable, what is the name of the application/system/service used to perform the procedure?
o Example: The following classes of systems and applications are in scope for this procedure:
- Server-Class Systems
- Workstation-Class Systems
- Network Devices
- Databases

1 NIST NICE Cybersecurity Workforce Framework - https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

Control Objective: The organization develops and controls configuration standards for all system components that are consistent
with industry-accepted system hardening standards. 2 [the control objective is meant to address the statutory, regulatory and
contractual requirements identified in the footnote (see bottom of page in the footer section)]

Control: Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are
consistent with industry-accepted system hardening standards. [control wording comes directly from the Secure Controls Framework
(SCF) control #CFG-02. The SCF is a free resource that can be downloaded from https://www.securecontrolsframework.com]

Procedure / Control Activity: Systems Security Developer [SP-SYS-001], in conjunction with the Technical Support Specialist
[OM-STS-001] and Security Architect [SP-ARC-002]:
(1) Uses vendor-recommended settings and industry-recognized secure practices to ensure baseline system hardening
configuration for all ACME-owned or managed assets comply with applicable legal, statutory, and regulatory compliance
obligations.
(2) Where technically feasible, technology platforms align with industry-recommended hardening recommendations, including
but not limited to:
a. Center for Internet Security (CIS) benchmarks;
b. Defense Information Systems Agency (DISA) Secure Technical Implementation Guides (STIGs); or
c. Original Equipment Manufacturer (OEM) security configuration guides.
(3) Ensures that system hardening includes, but is not limited to:
a. Technology platforms that include, but are not limited to:
i. Server-Class Systems
1. Microsoft Server 2003
2. Microsoft Server 2008
3. Microsoft Server 2012
4. Microsoft Server 2016
5. Red Hat Enterprise Linux (RHEL)
6. Unix
7. Solaris
ii. Workstation-Class Systems
1. Microsoft XP
2. Microsoft 7
3. Microsoft 8
4. Microsoft 10
5. Apple
6. Fedora (Linux)
7. Ubuntu (Linux)
8. SuSe (Linux)
iii. Network Devices
1. Firewalls
2. Routers
3. Load balancers
4. Virtual Private Network (VPN) concentrators
5. Wireless Access Points (WAPs)
6. Wireless controllers
7. Printers
8. Multi-Function Devices (MFDs)
iv. Mobile Devices
1. Tablets
2. Mobile phones
3. Other portable electronic devices
v. Databases
1. MySQL
2. Windows SQL Server
3. Windows SQL Express
4. Oracle
5. DB2
b. Enforcing least functionality, which includes but is not limited to:
i. Allowing only necessary and secure services, protocols, and daemons;
ii. Removing all unnecessary functionality, which includes but is not limited to:
1. Scripts;
2. Drivers;
3. Features;
4. Subsystems;
5. File systems; and
6. Unnecessary web servers.
c. Configuring and documenting only the necessary ports, protocols, and services to meet business needs;
d. Implementing security features for any required services, protocols or daemons that are considered to be
insecure, which includes but is not limited to using secured technologies such as Secure Shell (SSH), Secure File
Transfer Protocol (S-FTP), Transport Layer Security (TLS), or IPSec VPN to protect insecure services such as
NetBIOS, file-sharing, Telnet, and FTP;
e. Installing and configuring appropriate technical controls, such as:
i. Antimalware;
ii. Software firewall;
iii. Event logging; and
iv. File Integrity Monitoring (FIM), as required; and
f. As applicable, implementing only one primary function per server to prevent functions that require different
security levels from co-existing on the same server (e.g., web servers, database servers, and DNS should be
implemented on separate servers).
(4) Documents and validates that security parameters are configured to prevent misuse.
(5) Authorizes deviations from standard baseline configurations in accordance with ACME’s change management processes,
prior to deployment, provisioning, or use.
(6) Validates and refreshes configurations on a regular basis to update their security configuration in light of recent
vulnerabilities and attack vectors. Unless a technical or business reason exists, standardized images are used to represent
hardened versions of the underlying operating system and the applications installed on the system.
(7) On at least an annual basis, during the 2nd quarter of the calendar year, reviews the process for non-conforming instances.
As needed, revises processes to address necessary changes and evolving conditions. Whenever the process is updated:
a. Distributes copies of the change to key personnel; and
b. Communicates the changes and updates to key personnel.
(8) If necessary, requests corrective action to address identified deficiencies.
(9) If necessary, validates corrective action occurred to appropriately remediate deficiencies.
(10) If necessary, documents the results of corrective action and notes findings.
(11) If necessary, requests additional corrective action to address unremediated deficiencies.

2 NIST 800-53 rev4 CM-2 & CM-6 | FedRAMP | NIST 800-171 3.4.1 & 3.4.2 | PCI DSS 1.1 & 1.1.1 | NIST CSF PR.IP-1 | DFARS 252.204-7008 | CSC
3.1 | CCM GRM-01 & IVS-07 | COBIT5 BAI10.02 | NISPOM 8-202, 8-311 & 8-610

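One way to operationalize the baseline validation this example procedure describes (items 3 to 5), as an added Python example that is not part of the CSOP: it compares a host's observed listeners, installed technical controls and server functions against a documented baseline, accepts a deviation only when a change ticket approves it, and returns a record usable as the due-diligence evidence item 4 asks for. The baseline, the host inventory and the change-ticket id are constructed sample data.

```python
"""Baseline-compliance check in the style of the P-CFG-02 activities:
least functionality, insecure services replaced by secured ones, required
technical controls present, one primary function per server, and deviations
only where change management approved them. The returned record doubles as
the evidence that the validation was performed.

Added example, not part of the CSOP. The baseline, the host inventory and
the change-ticket id are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Insecure services the baseline replaces with a secured technology (item 3.d)
INSECURE_SERVICES = {
    "telnet": "ssh",
    "ftp": "sftp",
    "rsh": "ssh",
    "netbios-ssn": "file sharing over TLS or IPSec VPN",
}


@dataclass(frozen=True)
class Baseline:
    platform: str
    allowed_listeners: frozenset[tuple[str, int]]  # (protocol, port) with a documented business need
    required_controls: frozenset[str]              # item 3.e: antimalware, firewall, logging, FIM
    primary_function: str                          # item 3.f: one primary function per server


@dataclass
class HostState:
    hostname: str
    platform: str
    listeners: set[tuple[str, int, str]]           # (protocol, port, service) observed on the host
    controls_present: set[str]
    functions: set[str]                            # roles the server actually provides
    approved_deviations: dict[str, str] = field(default_factory=dict)  # finding -> change ticket


def evaluate(host: HostState, baseline: Baseline) -> dict:
    """Compare one host against its baseline and return an evidence record."""
    findings: list[str] = []
    if host.platform != baseline.platform:
        findings.append(f"platform {host.platform} does not match baseline {baseline.platform}")
    for proto, port, svc in sorted(host.listeners):
        if svc in INSECURE_SERVICES:
            findings.append(f"insecure service {svc} on {proto}/{port}; replace with {INSECURE_SERVICES[svc]}")
        elif (proto, port) not in baseline.allowed_listeners:
            findings.append(f"undocumented listener {svc} on {proto}/{port}")
    for ctl in sorted(baseline.required_controls - host.controls_present):
        findings.append(f"required control missing: {ctl}")
    extra = sorted(host.functions - {baseline.primary_function})
    if extra:
        findings.append(f"functions co-located with {baseline.primary_function}: {', '.join(extra)}")
    # A deviation is acceptable only with an approved change record (item 5)
    approved = {f: host.approved_deviations[f] for f in findings if f in host.approved_deviations}
    unapproved = [f for f in findings if f not in approved]
    return {
        "host": host.hostname,
        "baseline": baseline.platform,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "compliant": not unapproved,
        "unapproved_deviations": unapproved,
        "approved_deviations": approved,
    }


# Constructed sample: a RHEL web-server baseline and one host checked against it
WEB_BASELINE = Baseline(
    platform="RHEL",
    allowed_listeners=frozenset({("tcp", 22), ("tcp", 443)}),
    required_controls=frozenset({"antimalware", "host_firewall", "event_logging", "fim"}),
    primary_function="web",
)

WEB01 = HostState(
    hostname="web01",
    platform="RHEL",
    listeners={("tcp", 22, "ssh"), ("tcp", 443, "https"),
               ("tcp", 21, "ftp"), ("tcp", 8443, "admin-console")},
    controls_present={"host_firewall", "event_logging", "fim"},
    functions={"web"},
    # constructed change-ticket id covering the extra management port
    approved_deviations={"undocumented listener admin-console on tcp/8443": "CHG-0042"},
)

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(WEB01, WEB_BASELINE), indent=2))
```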
SUPPORTING POLICIES & STANDARDS
While there are no policies and standards included in the CSOP, the CSOP is designed to provide a 1-1 relationship with the
Information Security Program (ISP) that contains policies, control objectives, standards and guidelines. It also directly maps to the
Secure Controls Framework (SCF) for cybersecurity and privacy controls.

Cybersecurity documentation is comprised of six (6) main parts:
(1) Core policy that establishes management’s intent;
(2) Control objective that identifies leading practices;
(3) Standards that provide quantifiable requirements;
(4) Controls that identify desired conditions that are expected to be met;
(5) Procedures / Control Activities that establish how tasks are performed to meet the requirements established in standards and
to meet controls; and
(6) Guidelines that are recommended, but not mandatory.

Cybersecurity Documentation Hierarchy

CYBERSECURITY & PRIVACY FUNCTION OVERVIEW

TEAM STRUCTURE
The [Company Name]’s cybersecurity department is made up of [insert #] distinct teams. Each team focuses on a specific area of
cybersecurity:
• Team X
o [insert a description of what team x does (e.g., Governance, Risk & Compliance (GRC) team)]
o [insert headcount and geographical breakdown of team x]
o [insert who is the team lead / supervisor / manager of team x]
o [insert any other pertinent facts about team x that would be relevant to this document]
• Team Y
o [insert a description of what team y does (e.g., Security Operations Center (SOC) team)]
o [insert headcount and geographical breakdown of team y]
o [insert who is the team lead / supervisor / manager of team y]
o [insert any other pertinent facts about team y that would be relevant to this document]
• Team Z
o [insert a description of what team z does (e.g., engineering & architecture team)]
o [insert headcount and geographical breakdown of team z]
o [insert who is the team lead / supervisor / manager of team z]
o [insert any other pertinent facts about team z that would be relevant to this document]

MISSION
To … [insert mission statement here]

Example mission statements:
• To deliver high-quality, innovative information security services and solutions that reduce risk across [Company Name].
• To ensure technical risk management functions are implemented as part of an ISO 27001-based Information Security
Management System (ISMS) in a scalable manner that supports expanding business requirements.
• To provide information security engineering and architectural expertise that ensures secure engineering principles exist to
allow for secure, scalable solutions throughout [Company Name].
• To provide 24x7 monitoring, threat intelligence, incident response, and technical support capabilities that are focused on
achieving a high level of situational awareness to prevent, detect, respond to and recover from information security
incidents with minimal impact to [Company Name].
• To provide information security engineering support for [Company Name]’s business initiatives that ensure secure
engineering principles exist to allow for secure and scalable solutions throughout [Company Name].

VALUE PROPOSITION
Our value to [Company Name] is based on… [insert value proposition here]

Example value propositions:
• … proactively reducing risk to [Company Name] by managing internal and external threats to [Company Name]’s data and
systems.
• … maintaining evidence of compliance with [Company Name]’s statutory, regulatory and contractual obligations.
• … how cybersecurity protects the [Company Name] brand through ensuring the confidentiality, integrity, availability and
safety of assets.

KNOWN COMPLIANCE REQUIREMENTS
[Company Name] has certain compliance requirements that all team members need to be aware of:

STATUTORY REQUIREMENTS
[fill-in applicable statutory requirements]

Example statutory requirements include:
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair & Accurate Credit Transactions Act (FACTA)
• Sarbanes-Oxley Act (SOX)
• Gramm-Leach-Bliley Act (GLBA)
• Children's Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Massachusetts 201 CMR 17.00
• Oregon Identity Theft Protection Act (ORS 646A)
• United Kingdom Data Protection Act (UK DPA)

REGULATORY REQUIREMENTS
[fill-in applicable regulatory requirements]

Example regulatory requirements include:
• Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012) – NIST 800-171
• Federal Acquisition Regulation (FAR 52.204-21)
• European Union General Data Protection Regulation (EU GDPR)
• Financial Industry Regulatory Authority (FINRA)
• National Industrial Security Program Operating Manual (NISPOM)
• Department of Defense Information Assurance Risk Management Framework (DIARMF) (DoDI 8510.01)
• Federal Risk and Authorization Management Program (FedRAMP)
• New York Department of Financial Services (NY DFS) 23 NYCRR 500
• North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

CONTRACTUAL REQUIREMENTS
[fill-in applicable contractual requirements]

Example contractual requirements include:
• Payment Card Industry Data Security Standard (PCI DSS)
• Generally Accepted Privacy Principles (GAPP)
• American Institute of CPAs Service Organization Control (AICPA SOC2)
• Center for Internet Security Critical Security Controls (CIS CSC)
• Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

DIGITAL SECURITY GOVERNANCE (GOV)

Management Intent: The purpose of the Digital Security Governance (GOV) procedures / control activities is to specify the
development, proactive management and ongoing review of [Company Name]’s security and privacy program.

P-GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM


Process Criteria: (this process criteria section (yellow text field) can be deleted, but it will be useful in populating a System Security
Plan (SSP) or other system-related documentation – it is meant to be a useful tool to help build the procedure by establishing criteria
and creating a working space to capture key components that impact the procedure)
• Process Owner: name of the individual or team accountable for the procedure being performed
• Process Operator: name of the individual or team responsible to perform the procedure’s tasks
• Occurrence: how often does the procedure need to be conducted? Is it something that needs to be performed annually,
semi-annually, quarterly, monthly, bi-weekly, weekly, daily, continuous or as needed?
• Scope of Impact: what is the potential impact of the procedure? Does it affect a system, application, process, team,
department, user, client, vendor, geographic region or the entire company?
• Location of Additional Documentation: if applicable, is there a server, link or other repository where additional
documentation is stored or can be found?
• Performance Target: if applicable, is there a Service Level Agreement (SLA) or targeted timeline for the process to be
completed?
• Technology in Use: if applicable, what is the name of the application/system/service used to perform the procedure?

Control Objective: The organization develops, implements and governs processes and documentation to facilitate the
implementation of an enterprise-wide digital security policy, as well as associated standards, controls and procedures. 3

Control: Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.

Procedure / Control Activity: Systems Security Manager [OV-MGT-001], in conjunction with Security Architect [SP-ARC-002] and
Executive Cyber Leadership [OV-EXL-001]:
(1) Develops an organization-wide digital security governance program to provide complete coverage for all cybersecurity and
privacy-related controls needed to address statutory, regulatory and contractual obligations, as well as to address possible
threats to data and/or assets.
(2) Documents the [Company Name] digital security governance program in a single document, the Information Security
Program (ISP).
(3) On at least an annual basis, during the [1st, 2nd, 3rd, 4th] quarter of the calendar year, reviews the process for
non-conforming instances. As needed, revises processes to address necessary changes and evolving conditions. Whenever the
process is updated:
a. Distributes copies of the change to key personnel; and
b. Communicates the changes and updates to key personnel.
(4) If necessary, requests corrective action to address identified deficiencies.
(5) If necessary, validates corrective action occurred to appropriately remediate deficiencies.
(6) If necessary, documents the results of corrective action and notes findings.
(7) If necessary, requests additional corrective action to address unremediated deficiencies.

P-GOV-02: PUBLISHING SECURITY & PRIVACY POLICIES


Process Criteria: (this process criteria section (yellow text field) can be deleted, but it will be useful in populating a System Security
Plan (SSP) or other system-related documentation – it is meant to be a useful tool to help build the procedure by establishing criteria
and creating a working space to capture key components that impact the procedure)
• Process Owner: name of the individual or team accountable for the procedure being performed
• Process Operator: name of the individual or team responsible to perform the procedure’s tasks
• Occurrence: how often does the procedure need to be conducted? Is it something that needs to be performed annually,
semi-annually, quarterly, monthly, bi-weekly, weekly, daily, continuous or as needed?
• Scope of Impact: what is the potential impact of the procedure? Does it affect a system, application, process, team,
department, user, client, vendor, geographic region or the entire company?
• Location of Additional Documentation: if applicable, is there a server, link or other repository where additional
documentation is stored or can be found?
• Performance Target: if applicable, is there a Service Level Agreement (SLA) or targeted timeline for the process to be
completed?
• Technology in Use: if applicable, what is the name of the application/system/service used to perform the procedure?

3 NIST 800-53 rev4 PM-1 | ISO 27002 5.1.1 | GAPP 8.2.1 | GLBA 6801(b)(1) | PCI DSS 12.1 & 12.1.1 | MA201CMR17 17.03(1), 17.04 &
17.03(2)(b)(2) | DFARS 252.204-7008 | CCM AIS-04 & GRM-05 | COBIT5 APO13.01, APO13.02 | FINRA S-P (17 CFR §248.30) | NY DFS 500.2 |
NISPOM 8-100

Control Objective: The organization employs Demilitarized Zones (DMZs) to restrict inbound traffic to authorized devices on certain
services, protocols and ports. 383

Control: Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services,
protocols and ports.

Procedure / Control Activity: Systems Security Developer [SP-SYS-001], in conjunction with System Administrator [OM-ADM-001]
and Security Architect [SP-ARC-002]:
(1) Uses vendor-recommended settings and industry-recognized secure practices to implement and configure Demilitarized
Zones (DMZs).
(2) On at least an annual basis, during the [1st, 2nd, 3rd, 4th] quarter of the calendar year, reviews the process for
non-conforming instances. As needed, revises processes to address necessary changes and evolving conditions. Whenever the
process is updated:
a. Distributes copies of the change to key personnel; and
b. Communicates the changes and updates to key personnel.
(3) If necessary, requests corrective action to address identified deficiencies.
(4) If necessary, validates corrective action occurred to appropriately remediate deficiencies.
(5) If necessary, documents the results of corrective action and notes findings.
(6) If necessary, requests additional corrective action to address unremediated deficiencies.

383 ISO 27002 13.1.3 | PCI DSS 1.3.1, 1.3.2 & 1.3.4

CYBERSECURITY OPERATING PROCEDURES (CSOP) APPENDICES

APPENDIX A: GUIDE TO WRITING PROCEDURES

The example below shows a good amount of detail that can serve as a handy reference for writing cybersecurity procedures.

When you write procedures, focus on getting the job done – it should clearly establish the steps and concisely provide guidance to
successfully complete the requirement.

A-1: NECESSARY COMPONENTS FOR WRITTEN PROCEDURES

Good procedure documentation is concise and clear in describing the main elements that are pertinent to address the control
objective. When documenting procedures:
• Strive to show how completely the activities of the procedure meet the control objective that it is intended to address.
• Include at least the following elements:
o Why the procedure exists (what requirement compels the work to be performed?)
o Who operates the procedure (who is actually going to do the work?)
o What the assigned operator does (what is the activity intended to do?)
o How the assigned operator does it (what are the actual steps being performed?)
o When the procedure occurs (what is the event trigger or frequency?)
• Procedure documentation needs to “stand alone” in describing how the process works:
o It should not describe surrounding processes.
o It should not reference other processes or documentation.
• Use descriptive language in “present tense” grammar, as if writing a newspaper article about something occurring right
now:
o Use verbs like “is,” “does,” “tests,” “reviews,” and “approves.”
o Avoid verbs in “future tense” like “will do” or “will review” since the reader needs to know about “now.”
• Make use of simple grammar and sentence construction:
o Assigned operator first (person doing the work), followed by action verb, followed by object.
o Avoid “passive voice” grammar (e.g., object before verb, “actor” missing, etc.)
- Example passive voice sentence: “The test plan is approved.”
- There’s no “do-er” (assigned operator) identified; and
- The verb is the last two words of the sentence.
o Describe the team’s actions, not organizational structures or assertions about other teams.
- Example to avoid: “XYZ is some-other-team’s responsibility.”

A-2: PROCEDURE MAPPING – BREAKING OUT THE REQUIREMENTS
• Control Objective: Only personnel who have a valid business reason are permitted access to applications, systems and
resources.
• Standard: At the start of each quarter, managers review the list of team member access rights and document issues that
are not appropriate for corrective action.
• Validation of needed elements to develop the procedure:
o Why: Addresses a quarterly requirement from the Access Control Policy to review access rights.
- Policy #2: Access Control Policy
- Standard #2.6.2: Periodic Review
o Who: The team manager operates the procedure / control activity.
o What: A periodic review is performed to ensure proper access rights are granted.
o How: Managers review the access permissions within the XYZ application specific to his/her team members.
o When: At the start of each quarter.

A-3: EXAMPLE PROCEDURE (HOW IT ALL COMES TOGETHER)

During the first week of each quarter, the ABC Team Manager:
1. Reviews ABC team member access rights during the first week of the FY quarter and documents issues that are not
appropriate for corrective action.
2. Using [company name]’s Governance, Risk & Compliance (GRC) tool, documents that the review occurred and notes findings.
3. If necessary, requests corrective action to address inappropriate ABC team member access to the XYZ application.
4. If necessary, validates corrective action occurred to appropriately modify ABC team member access rights to the XYZ
application.
5. If necessary, documents the results of corrective action in the [company name] GRC tool and notes findings. If necessary,
requests additional corrective action to address inappropriate ABC team member access to the XYZ application.

A-4: CONSIDERATIONS WHEN SCOPING PROCEDURES

Considerations for internal reviews:
• Describe checks that are carried out to validate the data produced by measurement equipment.
• Describe checks that are carried out to confirm that the information technology system is working correctly.
• Describe how maintenance and calibration records are reviewed.
• Describe how training records are reviewed.
• Describe how the measurement and reporting procedures are reviewed.
• Describe how records of corrective actions are reviewed.

Considerations for records keeping and documentation:
• Identify all documents and records related to performing operations. This might include management procedures,
operating procedures, equipment specifications, equipment manuals, calibration and maintenance certificates and
records, responsibilities and training records of personnel, contracts for out-sourced services, data reports and logs, fault
reports.
• Describe how different versions of the documents are identified.
• Describe how current versions of documents are identified and access to outdated documents is restricted.
• Describe how documents are reviewed and updated and how new versions are authorized before use.

Considerations for segregation of duties:
• Describe the responsibilities and required competencies of all personnel involved in data flow activities.
• Describe how it is ensured that only personnel with the necessary competencies carry out the relevant responsibilities
for data flow activities.
• Describe how process responsibilities are segregated from control responsibilities (duties devolved to different persons).
• Describe how personnel changes are managed.

Considerations for information technology systems:
• Describe the measures undertaken to ensure that equipment is correctly installed and operated, in accordance with the
manufacturer’s recommendations so that it can achieve the necessary recording frequency, data storage quantity and
data processing requirements.
• Describe how individual equipment items (components) are identified and recorded so that they are traceable.
• Describe measures such as backup power supplies installed to ensure security of operation.
• Describe measures such as data back up and off-site storage to ensure data security.
• Describe the arrangements for maintenance, including how maintenance is scheduled and recorded and how it is ensured
that scheduled maintenance activities are carried out.
• Describe backup data recording and processing arrangements that can be used if the information technology system
malfunctions.

APPENDIX B: AVAILABLE TOOLS & SERVICES

Note: The section below is purposely blank. It requires [Company Name] personnel to document the tools & services that are
available to operationalize the CSOP.

Consider this section a “living document” where it is expected to change, as business processes and technologies change. Think of
it as a cheat sheet to bring staff members up to speed quickly on what is available.

The XXXX team has the following tool(s) available to it:

B-1: TOOL / SERVICE 1


Tool/service description

B-2: TOOL / SERVICE 2


Tool/service description

B-3: TOOL / SERVICE 3


Tool/service description

B-4: TOOL / SERVICE 1


Tool/service description

B-5: TOOL / SERVICE 2


Tool/service description

B-6: TOOL / SERVICE 3


Tool/service description

APPENDIX C: KEY STAKEHOLDERS

Note: The section below is purposely blank. It requires [Company Name] personnel to document who the key stakeholders for the
CSOP are – including departments and individuals.

Consider this section a “living document” where it is expected to change, as business processes change. Think of it as a cheat sheet
to bring staff members up to speed quickly on who the key players are for cybersecurity and privacy at [Company Name].

C-1: CYBERSECURITY

C-1.1: Vulnerability Management


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-2: INFORMATION TECHNOLOGY (IT)

C-2.1: End User Devices


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-2.2: Infrastructure Support


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-2.3: Application Support


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-3: RETAIL SUPPORT

C-3.1: eCommerce
The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-3.2: Retail
The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-3.3: Business To Business (B2B)


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-3.4: Business To Suppliers (B2S)


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-4: VENDORS / SERVICE PROVIDERS

C-4.1: Vendor 1
The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-4.2: Vendor 2
The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-5: LEGAL

C-5.1: Contract Review


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-5.2: Privacy
The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-6: PROCUREMENT

C-6.1: Contracts
The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-6.2: Vendor Management


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-7: HUMAN RESOURCES

C-7.1: Employee Relations


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-7.2: Awareness & Training


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-8: PHYSICAL SECURITY

C-8.1: Facilities Management


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.

C-8.2: Security Office


The primary contacts within this team are:
• Name
  o Title
  o Description of interaction.
• Name
  o Title
  o Description of interaction.
