
Procedures

There are 194 documents separately referenced in the CMMC Assessment Guide.  After separating out those that are procedures, and after FutureFeed's deduplication of those with similar titles but slight variances in naming, 27 remain.

Documented Procedures Listing

The current CMMC Assessment Guide identifies the following procedures or groups of procedures as it describes the sorts of documents an assessor may look to review.  To be clear, this isn't a list of specific procedures.  Many are groups of them.  But you can use the list to make sure that the procedure documentation that you have addresses as many of these areas as possible:

  1. Access Control Procedures - Including Mobile and Privileged
  2. Asset Management Procedures
  3. Audit Procedures - Events, Record Generation, Record Reduction, Analysis, Review, Reporting, Retention, Protection, and Access
  4. Audit and Accountability Procedures – High Level
  5. Authenticator Management Procedures
  6. Change Management Procedures - Security Impact Analysis and System Configuration
  7. Configuration Management Procedures
  8. Data Protection Procedures
  9. External Systems Use Procedures
  10. Identification and Authentication Procedures
  11. Information Flow Enforcement Procedures
  12. Information Security Procedures
  13. Insider Threat Procedures
  14. Investigation of and Response to Suspicious Activities
  15. Least Privilege, Divisions of Responsibility and Separation of Duties Procedures
  16. Plan of Action (POA&M) Procedures
  17. Publicly Accessible Content Procedures
  18. Remote Access Procedures
  19. Security Assessment Planning and Implementation Procedures
  20. Security Awareness Training Implementation Procedures
  21. Session Control Procedures - Lock, Termination, etc.
  22. System Inventory Procedures
  23. SSP Development and Management Procedures
  24. System Use Notification Procedures
  25. Time Stamp Generation Procedures
  26. Unsuccessful Logon Attempts Procedures
  27. User Installed Software Procedures

Organizations need not have exactly this list of procedures but should have a set of procedures that address these items.  Future versions of FutureFeed will allow tagging of uploaded procedures with the above list.

Why Do It? The Importance of Process Documentation

Source: Process Documentation Guide: Learn How to Document Processes (creately.com)

Documenting a process will help you achieve 5 key things:

  1. Helps improve processes. Identify bottlenecks and inefficiencies by documenting the exact processes. You’ll quickly see which processes you need to improve or get rid of.
  2. Compliance.  Following a documented process proves a pattern of compliance, especially if checklists are used and kept as a record.
  3. Helps train employees. You can use process documents to help new employees understand their job roles and familiarize themselves with the processes they’ll be involved in.  Even experienced employees can still refer to these documents whenever they want to make sure that they are executing the process right.
  4. Helps preserve company knowledge. Keep a record of processes known only to a few people specialized in doing them. That way even when they leave, the newcomers can resume the work easily.
  5. Helps mitigate risks and maintain operational consistency.


Tips and Tricks: Process Documentation Best Practices

  • Keep the document simple and concise. While it should be technically accurate, it should be easy to follow.
  • Have a proper plan in place to update the documents when or if the process changes. Make sure to review them at least once a year.  Note the review date in the document.
  • Assign a process owner (Accountability in FutureFeed) who can do regular reviews and notify others of the changes.
  • When documenting processes for the first time, avoid covering the entire organization at once. Start from a single process within a department or a major process common to the entire organization.
  • Store the documents in FutureFeed or a location that is easy to access for anyone who is looking for them.
  • Make sure that the documents are easy to revise when needed and that the new version can easily be distributed to everyone involved.  FutureFeed will be adding functionality in the future to help get this done.
  • Use appropriate examples, graphics, color coding, screenshots, multiple platforms etc. as necessary.
  • Add swimlanes to your business process flowcharts to distinguish different process roles, timelines etc.
  • Create a process documentation guide, which anyone can refer to as a standard template for documenting a process.
  • Make use of existing documentary material, records, interviews, case studies, field-diaries of project staff and the knowledge of employees to gather information for process documentation.