Well-developed security policies and plans are at the heart of any effective cybersecurity posture. These documents are created to outline how a company protects itself and its information technology assets. To maintain these critical resources and ensure compliance, our Documentation Policy Advisors provide a Quarterly Cybersecurity Review to enhance your business’s focus and attentiveness on security and continuity needs by delivering the following: 

  • Information Security Policy: defining the standards and processes your business uses to secure your network and data.
  • Technology Acceptable Use Agreement: articulating acceptable employee uses of your business’s technology, in addition to the consequences of misuse.
  • Business Continuity Plan: demonstrating to your clients, shareholders and partners that your business is prepared for the worst.
  • Tabletop Business Continuity Exercise: challenging the integrity of your plan in a safe environment, with a written recap advising opportunities for improvement.
  • System Security Plan: provides an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

DevilDog will create, review and update all cybersecurity documentation to help your business meet any required compliance regulations. Our policy team includes subject matter experts who specialize in creating compliance documentation. As part of our service, we document policies, processes, procedures, and controls to create thorough evidence of your cybersecurity program. In the end, your organization will have a well-organized and documented System Security Plan (SSP) that you can present to any auditor.

Cybersecurity Policy

  • Cyber Policy Development
  • Protocol Development
  • Attestation Reporting
  • Cybersecurity Modeling
  • RMF – Risk Management Frameworks
  • Quantitative Risk Analysis
  • Qualitative Risk Analysis
  • Risk Mitigation
  • Risk Reporting
  • BCP – Business Continuity Planning
  • DRP – Disaster Recovery Planning
  • Certification
  • Accreditation
  • Maintenance
  • CMMI
  • RACI
  • Common Criteria
  • EAL – Evaluation Assurance Levels 1-7
  • Object Subject Classification
  • CNSSP – Committee on National Security Systems Policy
  • SSAA – System Security Authorization Agreement


Access ControlPolicy (ACP)
The ACP states employee access to a firm’s information systems and data. Topics typically included in the policy are access control standards such as NIST’s Access Control and Implementation Guides. Additional subjects covered in this policy are standards for network access controls, user access, operating system software controls and the complexity of corporate passwords. Other items can include methods for monitoring how corporate systems are accessed and used; how unattended workstations should be secured; and how access is removed when an employee leaves the organization.

Acceptable Use Policy (AUP)
An AUP specifies the restrictions and practices that an employee using organizational IT assets must adhere to in order to access to the corporate network and/or the internet. It is standard onboarding policy for all new personnel. They are given an AUP to read and sign before being granted network access. Your firm’s IT, legal, security, and HR divisions need to collaborate on what content is included in this policy. 

Information Security Policy
An organization’s information security policies are high-level guidelines that can cover a large number of security controls. The principal Information Security Policy is issued by the firm to ensure that all employees who use information technology assets within the span of the company, or its networks, comply with its stated rules and guidelines.

Incident Response (IR) Policy
The Incident Response Policy is a firm’s methodology to how the company will manage an incident and remediate the effects. The objective of this plan is to describe the methodical process of handling an incident to minimize the damage to business operations, customers and decrease recovery time and overall cost.

Remote Access Policy
A Remote Access Policy is a plan that defines suitable methods of remotely connecting to a company’s networks. This policy is a requirement for organizations that have dispersed networks with the ability to extend into insecure network locations, such as hotels or unmanaged home networks.

Change Management Policy
A change management policy is the formal process for making changes to IT, software development and security services/operations. The objective of a change management program is to increase the awareness and understanding of proposed changes across a firm, and to ensure that all changes are conducted systematically to reduce any unfavorable impact on services and clients.

Email/Communication Policy
An Email/Communication Policy is deployed to formally state how employees can use electronic communication mediums, including email, blogs, social media and chat technologies. The objective of this policy is to provide rules to staff on what is considered the acceptable and unacceptable use of any company communication.

Disaster Recovery Policy
A Disaster Recovery Plan includes cybersecurity along with IT and is part of a much larger business continuity plan. The cybersecurity team will manage incidents through the Incident Response Policy. If an incident has significant impact, then the Business Continuity Plan will be deployed.

Business Continuity Plan (BCP)
A BCP coordinates actions across a firm.  These actions will use the Disaster Recovery Plan to restore hardware, applications and essential data for business continuity. BCP’s are distinctive to every different business. A BCP explains how a company will operate in an emergency.