
Security Work

1. The document discusses improving cybersecurity maturity based on the CMMC model and outlines tasks to achieve compliance including device management, access management, and documenting procedures. 2. It also addresses creating policies for incident response, data privacy, and identity and access management for both internal systems and their Skymap product. 3. The author worked on recreating a deleted AMI for Altaz and the incident response policy.

Uploaded by

maham sabir

CMMC (cyber security maturity model), USA: we plan to follow it to improve security.

Many tasks to achieve that:


1. Laptop Configuration Standard Compliance (compliance: we use Microsoft Action Pack for licensing
SME, i.e. SQL Server, Visual Studio, etc.; it has many restrictions, including geographical restrictions)

2. Centralized device management system: make sure all laptops and phones are patched (heruey
working on it); minimum security achievement

3. Organization procedures and policies:


FISMA, CIS, etc.
All internal employee offboarding and onboarding processes should be documented.

Accounts, Bamboo, sales acc, complete list of onboarding

List of things to do when offboarding:


Remove privileges etc., access removal, AWS access removal. Remove risk.

We have a bunch of documents that we can update; there are many things that we have, but there
are many that we don’t have.

Mike is a cyber security expert; he does the auditing on cyber security topics. He and Javaid identified
a list of things that we need to do...

1 Incident response: search for it, look for some templates online, maybe available freely, and buy them
(incident response policy and data privacy policy) Skymap vs

What should happen in case of a security incident? Corporate env main (online env: Office, Sage, etc.); we
don't have an internal network, we have the Skymap product used by customers.

2 angles:

1 Corporate and our internal (different software-as-a-service etc. issues)


2 Skymap issue (separate section)
We can make 2 documents: 1 for internal IT and one for Skymap.
2 Data privacy policy
1 for corporate and 1 for Skymap. We can compile them in one document in 2 sections. It's up to
us how we organize both topics (Skymap and internal corporate matters).
2 IAM is 1 part of the onboarding process, a step of identity and access management (Office 365 in our
case, to give access to Teams etc.); BambooHR, Jira, Sage: we have many systems.
3 Skymap identity and access management. How you manage IAM policies for Skymap. How we assign
groups and permissions to users there, and how we decide when we should remove the user
from Skymap.

Every organization has its own policy.

Policy exists and should be written, the check box gets checked, and we also practice it; this helps us to
achieve success in the audit.

CMMC Compliance (go for it eventually)

Consent is checked in the data privacy policy:


Skymap => discovery, and we get all information, which is very critical and vulnerable.

Internal => Teams for projects such as imodal: you have information on Teams, such as solution docs and scripts;
same for other clients (SharePoint also has data). How do we keep such data private? Do we share this
data? This data is also critical and harmful; we have to protect it in our Eq corporate. So our policy
should ensure that. Email attachments should be safe, etc.

Data should be controlled; not everyone should have access to everything.

To research and find a template for incident response:

Udemy video: what are policies, what is incident response.


Eq does not have a CISO officer; every product and project has an ISO who manages security. We don’t have
any such person, but our plan is to hire someone who will be in charge of security and personal IT, who
will be responsible for personal IT and security and will be wearing a security hat as well.

To research and find a template for privacy policy:

NIST:

So on Friday Altaz needed the Shibboleth AMI, and I came to know that someone deleted that AMI in my
account, so I worked on that and created a new AMI and shared it with the Altaz account. Other than that, I
worked on the incident response policy and would like to connect with Javaid to get some inputs on
that.
