Efficiently implementing a cybersecurity effort within plant documentation is critical to the long-term success of a project. Cybersecurity documentation could be anything from a new policy or operational procedure to a risk assessment or a record of process performance. These types of cybersecurity documents are only as good as their accuracy, which is why we must make sure they stay up to date. As cybersecurity becomes more ingrained in our daily tasks, more documentation is required, and it needs to be updated regularly. How are we supposed to remember the vast number of documents that we have developed along the way?
It can be challenging to not have the right documentation when you need it. Whether an employee is out of office or no longer with the company, it’s important to always keep documentation current and accessible to your team. The first step in keeping documentation current is to create the documentation in the first place. If your organization has standard procedures for requesting that a new system be implemented, or a system procurement procedure, make sure that any required documentation is created at the initial point of implementation. Depending on the requirements dictated within your industry, these documents may be required at the departmental, organizational, or regulatory level, so the documentation types will vary.
Once we have created our initial documentation for our systems, we should never have to modify it again, right? Wrong! Even though changes in our control systems environment are made much less frequently than in the IT environment, they will still occur. Therefore, as part of any good change management procedure, there should always be a step that verifies whether documentation needs to be updated with the change. There is a chance that no documentation changes are needed, but it is good practice to confirm.
For the most part, things stay static in the control systems world. However, we should still have an annual review of documentation. With any procedure, such as change management, it is the responsibility of an individual to follow the procedure and review existing documentation for updates. You can eliminate the risk of human error by utilizing software that will remind you to review documentation. Document management software can be used to upload documents and send review reminders. Alternatively, calendar invites can be created in advance based on the required review schedule, with a link to the storage location of the document. Based on the sensitivity of the document, you could also attach the current version of the document to the meeting invite.
Finally, to ensure documentation is kept up to date, try not to leave the task to one individual. The review can be done by one system owner, but have a dedicated group review and approve the document after the document review period. Once the group has reviewed and approved any changes, the documentation review lifecycle should start all over again.
Ensuring that documentation is up to date is a critical part of a successful cybersecurity program within an organization. These tips should assist you in ensuring your organization uses the most accurate documents.
Brandon Bohle, Interstates MIT Analyst III