There are 194 documents separately referenced in the CMMC Assessment Guide. After separating out those that are procedures and applying FutureFeed's deduplication of entries that have similar titles but slight variances in naming, 27 remain.
Documented Procedures Listing
The current CMMC Assessment Guide identifies the following procedures or groups of procedures as it describes the sorts of documents an assessor may look to review. To be clear, this isn't a list of specific procedures; many entries are groups of them. But you can use the list to make sure that the procedure documentation you have addresses as many of these areas as possible:
- Access Control Procedures - Including Mobile and Privileged
- Asset Management Procedures
- Audit Procedures - Events, Record Generation, Record Reduction, Analysis, Review, Reporting, Retention, Protection, and Access
- Audit and Accountability Procedures - High Level
- Authenticator Management Procedures
- Change Management Procedures - Security Impact Analysis and System Configuration
- Configuration Management Procedures
- Data Protection Procedures
- External Systems Use Procedures
- Identification and Authentication Procedures
- Information Flow Enforcement Procedures
- Information Security Procedures
- Insider Threat Procedures
- Investigation of and Response to Suspicious Activities
- Least Privilege, Divisions of Responsibility and Separation of Duties Procedures
- Plan of Action (POA&M) Procedures
- Publicly Accessible Content Procedures
- Remote Access Procedures
- Security Assessment Planning and Implementation Procedures
- Security Awareness Training Implementation Procedures
- Session Control Procedures - Lock, Termination, etc.
- System Inventory Procedures
- SSP Development and Management Procedures
- System Use Notification Procedures
- Time Stamp Generation Procedures
- Unsuccessful Logon Attempts Procedures
- User Installed Software Procedures
Organizations need not have exactly this list of procedures but should have a set of procedures that address these items. Future versions of FutureFeed will allow tagging of uploaded procedures with the above list.
Why Do It? The Importance of Process Documentation
Documenting a process will help you achieve 5 key things:
- Helps improve processes. Identify bottlenecks and inefficiencies by documenting the exact processes. You'll quickly see which processes you need to improve or get rid of.
- Compliance. Following a documented process proves a pattern of compliance, especially if checklists are used and kept as a record.
- Helps train employees. You can use process documents to help new employees understand their job roles and familiarize themselves with the processes they'll be involved in. Even experienced employees can refer to these documents whenever they want to make sure they are executing the process correctly.
- Helps preserve company knowledge. Keep a record of processes known only to a few people who specialize in doing them. That way, even when those people leave, newcomers can resume the work easily.
- Helps mitigate risks and maintain operational consistency.
Tips and Tricks: Process Documentation Best Practices
- Keep the document simple and concise. While it should be technically accurate, it should be easy to follow.
- Have a proper plan in place to update the documents when the process changes. Make sure to review them at least once a year, and note the review date in the document.
- Assign a process owner (Accountability in FutureFeed) who can do regular reviews and notify others of the changes.
- When documenting processes for the first time, avoid covering the entire organization at once. Start from a single process within a department or a major process common to the entire organization.
- Store the documents in FutureFeed or another location that anyone looking for them can easily access.
- Make sure the documents are easy to revise when needed and that a new version can easily be distributed to everyone involved. FutureFeed will be adding functionality in the future to help get this done.
- Use appropriate examples, graphics, color coding, screenshots, multiple platforms, etc. as necessary.
- Add swimlanes to your business process flowcharts to distinguish different process roles, timelines, etc.
- Create a process documentation guide, which anyone can refer to as a standard template for documenting a process.
- Make use of existing documentary material, records, interviews, case studies, field diaries of project staff and the knowledge of employees to gather information for process documentation.