Hello, welcome to the NIST 800-171 Learning Path. My name is Dave Harrod, I'm your instructor for this class, and this is Course 3, Understand and Create Policies and Plans. In this course, we will do an overview of policies, standards and procedures, and then we'll take a look at the policies and plans you should have for compliance.

One of the things that I've always found confusing in the world of IT is that sometimes there's confusion between policies, procedures, and standards. I think sometimes people use these terms interchangeably. So I wanted to spend a little time and frame up what a policy is in this context versus what a procedure or standard is in this context, so that's clear as we move forward and talk about the policies and plans that you're going to need to be in compliance with NIST 800-171.

According to the Merriam-Webster dictionary, a policy is a high-level overall plan, embracing the general goals and acceptable procedures, especially of a governmental body. Policies are requirements established by senior management. They provide strategy and direction to guide decisions by lower-level management and frontline workers. They're designed to achieve positive outcomes. A policy is a statement of expectation enforced by standards and further implemented by procedures. Again, we see here the terms standards and procedures. We're going to take a look at a definition of each of those. But essentially, a policy is enforced by standards and implemented through procedures. It's a living document that should change to reflect conditions, and policies are mandatory once approved by senior management.

Let's talk about procedures. According to Merriam-Webster, a procedure is a series of steps followed in a regular definite order. Procedures are based on experience. They define the required outcome. They are designed to achieve a specific objective.
They should be under change control, so that procedures are only changed through an approved change process, and they're mandatory as well. Again, procedures are one of the ways that policies get implemented.

Then we have standards. According to Merriam-Webster, a standard is something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality. Standards define acceptable behavior, and in the context of IT they might specify what hardware or software solutions are available and supported. Standards are also mandatory.

Then let's talk about plans. What's a plan? According to Merriam-Webster's dictionary, a plan is a method for achieving an end. So a plan may have many policies, and then policies may use standards and procedures to define how to implement that policy.

Let's talk about good security policies. They are consistent with applicable laws and regulations, which is especially important in the government world. They're clear and concise. They're reasonable. They're enforceable. They're focused on the CIA triad, which is confidentiality, integrity, and availability. They're technology and vendor independent. They're reviewed regularly and they're updated as needed, which is especially important in today's world, where you have the security landscape and the business landscape changing constantly.

Here's a list of common security policies. I'm not going to read all of these to you. As you can see, it's a long list. Some of the common ones you're going to run across: acceptable use policy, access control policy, identification and authentication policy, email policy, retention policies (also potentially very important in the world of government contracting), wireless communication policies, password policies. You can see. This is not to indicate that you need every single one of these policies. These are just common policies you may run across in the world of IT. Chances are your organization may have some of these already.
The good news, as you'll see in a minute, is that for many of these policies, once you determine the right ones for your organization in terms of compliance with NIST 800-171, there are templates out there from reputable organizations; you don't have to make these things from scratch. You can get a leg up and a significant boost in terms of being able to create the policies that you need.

Now, let's talk about security plans. What's a good security plan? They're simple, specific, practical, realistic, complete, and also reviewed regularly and updated as needed. Again, plans need to change to be in alignment with the current business situation and the current security situation. So: reviewed regularly and updated as needed.

Some common security-oriented plans that you'll see out there in the modern world: Business Continuity Plan, Disaster Recovery Plan, Incident Response Plan, Information Security Plan, Risk Management Plan, and the System Security Plan, which is something we'll delve into in much more detail, namely how to create the System Security Plan that you'll need to be in compliance with NIST 800-171, when we get to Course 4. These are common plans that many organizations will have, and I would argue should have, especially in order to be in compliance with NIST 800-171. These plans will then often be comprised of various policies that we'll come and talk about next.

Here are a few resources. As I mentioned, in most cases you don't have to start writing these policies or plans from scratch. There are great organizations out there who've done a lot of the heavy lifting for you. SANS in particular has a lot of great resources; CIS, the Center for Internet Security, has a lot of great resources. I wanted to link to this document because you'll see, when we get into the next video where we dig down into the various policies that you're going to need in order to be in compliance, that this does a good job of mapping the SANS and CIS policy templates to NIST 800-171.
Again, there's an enormous amount out there already. You don't have to do this yourself. Then, in conjunction with the NIST Cybersecurity Framework to 800-171 mappings document, you can basically use these two documents to cross-reference all of the policies that have already been created, which you can attempt to tailor to fit your organization. Then there's ComplianceForge; they have a lot of great resources, and there are other companies like that out there that have all kinds of plan documents and so forth. They're not free; you'll have to pay for them. But they have some great insight and can save you a lot of money.

Thanks for watching this video, and I will see you in the next video.