Newcomer III

Reading suggestions on governance and policy creation

Greetings, everyone.  As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution.  My employer currently has policies, but they require some review.  As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.

The SANS policy templates are fantastic for policy ideas, but they don't convey the executive urgency for creating a policy with teeth.  So I'm looking for articles or books that will speak "executive" toward policy formation and GRC.  Are there any suggestions?


Thanks!

eg

p.s. My employer is privately owned, and our initial compliance issues surround SLAs for select customers, but that's all.  There's nothing that requires SOX or GDPR, for example.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
10 Replies
Contributor II

Re: Reading suggestions on governance and policy creation

I like "Information Security Policies, Procedures, and Standards: A Practitioner's Reference" by Douglas J. Landoll, 2016.  


He also has a great book on doing security risk assessments.

Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSLC, GSTRT, ISSA Fellow
Newcomer III

Re: Reading suggestions on governance and policy creation

Thanks for the suggestion.  It was nicely reviewed at Amazon, so I ordered it.

I'll also point out another suggestion seen elsewhere about the "Cybersecurity Canon", which seems like an interesting list of titles.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Reading suggestions on governance and policy creation

Here is a free resource from Peerlyst (BTW: they have many good references)

https://www.peerlyst.com/posts/resource-free-comprehensive-information-security-policy-template-for-...

 

Regards
Contributor III

Re: Reading suggestions on governance and policy creation

It generally works better from a buy-in perspective to involve the stakeholders in developing the policies rather than take a 'best' practice policy from a book or collection of policies.  Obviously it's right to be informed by good practice, but you'll need to work on making it appropriate for your organisation.


I'd start by looking at the risks your organisation faces and the controls currently in place before introducing any additional controls.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP M.Inst.ISP
Newcomer III

Re: Reading suggestions on governance and policy creation

We'll definitely begin at the top and work our way down for sure.  Any reading material will help to inform decisions we make along the way.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Reading suggestions on governance and policy creation

@ericgeater 

I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM courseworks, if you need a few pointers, you can pm me.

______________________________
Chuxing Chen, Ph.D., CISSP
Contributor III

Re: Reading suggestions on governance and policy creation

The biggest motivator for executives is for you to impress upon them risk. That risk can take the dimensions of being quantitative (numbers, the best option) or qualitative (for the more subjective determinations and what-if scenarios). What risk will most disrupt the bottom line? Is it business continuity? What are the policies you'll propose to prevent a disaster and what are the procedures to recover from it?

Newcomer III

Re: Reading suggestions on governance and policy creation

Thank you very much!  I hope to establish traction on this project very quickly.


regards

eric


@Chuxing wrote:

@ericgeater 

I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM courseworks, if you need a few pointers, you can pm me.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Advocate I

Re: Reading suggestions on governance and policy creation


@ericgeater wrote:

Greetings, everyone.  As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution.  My employer currently has policies, but they require some review.  As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.

Eric,

Please allow me to toot my own horn, and suggest you watch my 25 minute presentation, Maybe It's the Boss's Fault, on YouTube. My message is to be sure the security policies are in line with the way the workforce ACTUALLY works. Too many security policies are not realistic, and cannot be followed or enforced, because they interfere with the primary work, and make no sense to the employees. This is a direct result of letting security techies, alone, drive the policies. Password policies are only one example of the mess we have created.


I'd be happy to have further direct discussion on this topic.


Regards,

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile