Most organizations underestimate the importance of IT security documentation.
In a basic sense, IT security documentation requires maintaining standard work instructions for common tasks, and keeping records of events, incidents and changes to IT infrastructure. Left uncontrolled, however, this can easily spawn a multitude of Excel spreadsheets logging various changes, events and observations. Everything that needs documentation will be documented, but nothing can be detected or traced back easily, defeating the very purpose of documentation. Meanwhile, the organization’s resources come under more strain than necessary. Very soon, the organization starts to view the entire exercise as an onerous burden with very little noticeable benefit.
The first step in streamlining security documentation is understanding the purpose of the exercise. Regardless of the organization or environment, the two basic purposes are to ensure that systems comply with organizational policies and standards, and to ensure that corrective action is taken in time when required. As such, the thrust of documentation needs to be on reporting information security events and weaknesses.
A major mistake made by many organizations is keeping duplicate entries or multiple logs, which shows up in cases such as a security weakness also being reported as a security event. The solution is to maintain one integrated log for all information security events, whether potential or existing, and for weaknesses and non-conformances, and to assign category heads. Next, color-code and rate the problems according to severity. This makes it easier for administrators to close out issues in order of severity and to track any duplicate logs. It also improves co-ordination and minimizes confusion, as people from different departments and with different briefs work out of a single document.
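The integrated log described above can be sketched as a small register; this is an added example, not something from the original article. The category names, the four-level severity scale with its colors, the exact-match duplicate rule and the sample reports are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed rating scale and colors; the article does not prescribe specific values.
SEVERITY = {"critical": (0, "red"), "high": (1, "orange"),
            "medium": (2, "yellow"), "low": (3, "green")}
CATEGORIES = {"event", "weakness", "non-conformance"}  # assumed category heads

@dataclass
class Entry:
    entry_id: int
    category: str
    asset: str
    summary: str
    severity: str
    reported_by: str
    duplicate_of: Optional[int] = None  # id of the first report of the same issue

class IntegratedLog:
    def __init__(self):
        self.entries = []
        self._seen = {}  # (asset, summary) -> id of the first report

    def add(self, category, asset, summary, severity, reported_by):
        if category not in CATEGORIES or severity not in SEVERITY:
            raise ValueError("unknown category or severity")
        # The key ignores category, so a weakness re-reported as an event is caught.
        key = (asset.strip().lower(), " ".join(summary.lower().split()))
        entry = Entry(len(self.entries) + 1, category, asset, summary,
                      severity, reported_by, self._seen.get(key))
        self._seen.setdefault(key, entry.entry_id)
        self.entries.append(entry)
        return entry

    def work_queue(self):
        """Non-duplicate entries, most severe first, then oldest first."""
        live = [e for e in self.entries if e.duplicate_of is None]
        return sorted(live, key=lambda e: (SEVERITY[e.severity][0], e.entry_id))

    def duplicates(self):
        return [(e.entry_id, e.duplicate_of) for e in self.entries if e.duplicate_of]

def demo_log():
    # Constructed sample reports from different departments.
    log = IntegratedLog()
    log.add("weakness", "vpn-gw-01", "Default admin password in use", "high", "netops")
    log.add("event", "mail-01", "Phishing mail delivered to finance", "medium", "helpdesk")
    log.add("event", "VPN-GW-01", "default admin  password in use", "high", "audit")
    log.add("non-conformance", "hr-share", "Backups not tested this quarter", "low", "audit")
    log.add("event", "db-02", "Unplanned outage after failed patch", "critical", "dba")
    return log
```

In the sample data the third report is linked to the first as a duplicate even though it was filed under a different category, and the work queue lists the critical outage ahead of everything else.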