topic Re: Reading suggestions on governance and policy creation in Governance, Risk, Compliance

Reading suggestions on governance and policy creation

ericgeater — Mon, 09 Oct 2023 09:12:11 GMT

Greetings, everyone. As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution. My employer currently has policies, but they require some review. As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.

The SANS policy templates are fantastic for policy ideas, but they don't convey the executive urgency for creating a policy with teeth. So I'm looking for articles or books that will speak "executive" toward policy formation and GRC. Are there any suggestions?

Thanks!

eg

p.s. My employer is privately owned, and our initial compliance issues surround SLAs for select customers, but that's all. There's nothing that requires SOX or GDPR, for example.

Re: Reading suggestions on governance and policy creation

emb021 — Mon, 13 May 2019 16:02:02 GMT

I like "Information Security Policies, Procedures, and Standards: A Practitioner's Reference" by Douglas J. Landoll, 2016.

He also has a great book on doing security risk assessments.

Re: Reading suggestions on governance and policy creation

ericgeater — Mon, 13 May 2019 18:31:59 GMT

Thanks for the suggestion. It was nicely reviewed at Amazon, so I ordered it.

I'll also point out another suggestion seen elsewhere about the "Cybersecurity Canon", which seems like an interesting list of titles.

Re: Reading suggestions on governance and policy creation

dcontesti — Mon, 13 May 2019 22:37:49 GMT

Here is a free resource from Peerlyst (BTW: they have many good references)

https://www.peerlyst.com/posts/resource-free-comprehensive-information-security-policy-template-for-small-business-smb-sme-claus-cramon

Regards

Re: Reading suggestions on governance and policy creation

Steve-Wilme — Tue, 14 May 2019 09:24:35 GMT

It generally works better from a buy in perspective to involve the stakeholders in policies in developing them rather than take a 'best' practice policy from a book or collection of policies. Obviously it's right to be informed by good practice, but you'll need to work on making in appropriate for your organisation.

I'd start by looking at the risks your organisation faces and the controls currently in place before introducing any additional controls.

Re: Reading suggestions on governance and policy creation

ericgeater — Tue, 14 May 2019 12:39:56 GMT

We'll definitely begin at the top and work our way down for sure. Any reading material will help to inform decisions we make along the way.

Re: Reading suggestions on governance and policy creation

Chuxing — Tue, 14 May 2019 14:25:39 GMT

@ericgeater

I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM courseworks, if you need a few pointers, you can pm me.

Re: Reading suggestions on governance and policy creation

AppDefects — Tue, 14 May 2019 15:59:42 GMT

The biggest motivator for executives is for you to empress upon them risk. That risk can take the dimensions of being quantitative (numbers, the best option) or qualitative (for the more subjective determinations and what-if scenarios).What risk will most disrupt the bottom line? Is it business continuity? What are the policies you'll propose to prevent a disaster and what are the procedures to recover from it?

Re: Reading suggestions on governance and policy creation

ericgeater — Fri, 17 May 2019 03:14:03 GMT

Thank you very much! I hope to establish traction on this project very quickly.

regards

eric

@Chuxing wrote:
@ericgeater
I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM courseworks, if you need a few pointers, you can pm me.

Re: Reading suggestions on governance and policy creation

CraginS — Mon, 20 May 2019 14:17:55 GMT

@ericgeater wrote:
Greetings, everyone. As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution. My employer currently has policies, but they require some review. As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.

Eric,

Please allow me to toot my own horn, and suggest you watch my 25 minute presentation, Maybe It's the Boss's Fault, on YouTube. My message is to be sure the security policies are in line with the way the workforce ACTUALLY works. Too many security polices are not realistic, and cannot be followed or enforced, because they interfere with the primary work, and make no sense to the employees. This is a direct result of letting security techies, alone, drive the policies. Password policies are only one example of the mess we have created.

I'd be happy to have further direct discussion on this topic.

Regards,

Re: Reading suggestions on governance and policy creation

Frank_Mayer — Mon, 20 May 2019 16:03:50 GMT

A history of the Cybersecurity Framework that underpins governance can be found on the US Government's NIST site and NIST has great resources for small business as well. Having served in cybersecurity in both industry and government (to include military service) for decades, I find NIST a good source of unbiased guidance that is not driven by trying to sell a product or consulting services. Here is the link that explins how the cybersecurity framework evolved https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework

This link to the NIST Report for Cybersecurity Fundamentals for Small Business Owners, is a little gem that can really help with framing policy development for a small business, NIST has guides for several types of businesses. https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final

This link provides a National Cybersecurity and Communications Integration Center’s (NCCIC) historical perspective going bak to 1963 and up to the present day:

https://www.us-cert.gov/about-us

Here is a Washington Post Article that outlines the history of Internet Security going back to its inception and up to the present day: https://www.washingtonpost.com/graphics/national/security-of-the-internet/history/?noredirect=on there are even comments to his article that are relevant as well.