cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
JoeB_IG
Newcomer II

Policy Templates

Hello,

After 18 months as an auditor, I have been hired as the only cybersecurity person in a 1000+ organization. I have been tasked, among other things, to draft various security policies.

Is anyone aware of a repository of policy templates? For example, "Incident Response", "Access Control", "Configuration Management", etc. I am trying to align the org with 800-53; I don't need content, I need structure/format. Does that make sense?

Thanks!

16 Replies
LixtoSezcano
Viewer II

+1 for the SANS Templates 

ApusJ
Viewer II

You have enough information in this post to prompt chatgpt write the drafts for you.
ericgeater
Community Champion

@ApusJ Do you have enough trust that the policies you receive from ChatGPT will align to your enterprise, though?

-----------
A claim is as good as its veracity.
ApusJ
Viewer II

As an AI language model, I don't have any specific policies or alignment with any enterprise. I'm designed to provide information and assist with a wide range of topics based on the data I've been trained on. My responses are generated based on patterns and information contained in that data, as well as general knowledge up until September 2021.

 

If your enterprise has specific policies or guidelines, it's important to consult those directly to ensure alignment with your organization's standards and requirements. While I strive to provide accurate and helpful information, it's always a good idea to verify the information I provide with trusted sources and apply your own judgment and expertise.

ericgeater
Community Champion

"I'm designed"?! "I've been trained on"?!  "...verify the information I provide"?!

Is someone feeding AI responses in this forum?  Is this some kind of Turing test?

-----------
A claim is as good as its veracity.
Steve-Wilme
Advocate II

It's probably a good idea to avoid just downloading another organisation's policies over the internet.  I recall asking for and reviewing a suppliers policies as part of a supplier assessment process, only to find they seemed awfully familiar.  I kept thinking I've read this before.  It was only when I came across 'the Trust' that it occurred to me that they simply copied the NHS security policies verbatim, despite much of the material being very health care specific.

 

So they got a pretty low rating in terms of their security posture, as they could not possibly have implemented the policies that they claimed and denied having plagiarised them.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS