Writing Good Policies

old.reddit.com / @/u/TheRealTimbo_Slice, https://old.reddit.com/user/TheRealTimbo_Slice

Hey all,

Working on 800-53 policies and an SSP in preparation for going for FedRAMP authorization and I'm tripping up over the actual purpose of policies. I've written policies so far that are basically just a copy/paste of the controls saying "we must do x or y". I think these will get through audit, but I'm not totally satisfied they're good policies.

For example, AC-2 (a) - "Define and document the types of accounts allowed and specifically prohibited for use within the system".

The simple policy is - "The types of accounts allowed or prohibited from accessing the system must be defined and documented". Great, but this doesn't actually define the types of accounts that are allowed/prohibited. Isn't this just the same as a policy saying "We need to implement [control]" 400 times?

In this way, I see pieces of documentation doing the following things, with some overlaps:

  • 800-53 controls - this is what you must do.
  • Policies - this is what we must do.
  • Procedures - this is how we do things.
  • SSP - this is what we do, who does the thing, and how it meets the control.

A different policy is - "[Company] allows individual and service accounts. Shared, group, and emergency accounts are prohibited in [System]". Ok, so the types of accounts are defined, but now the policy doesn't say what we have to do. Is that ok if the whole point is complying with 800-53, which already defines what we have to do?

In this way I see documentation doing the following things, still with overlaps:

  • 800-53 controls - this is what you must do.
  • Policies - this is what we do.
  • Procedures - this is how we do things.
  • SSP - this is what we do, who does the thing, and how it meets the control.

Either way there's overlap between roles of documentation.

Or are the controls themselves not technically considered and it all has to be "in house" so to speak?

  • Policies - this is what we must do.
  • Procedures - this is how we do things.
  • SSP - this is what we do, who does the thing, and how it meets the policy.

This feels quite rambly and might not make any sense, hopefully it's clear enough though.


published 4 months ago
