Greetings, everyone. As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution. My employer currently has policies, but they require some review. As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.
The SANS policy templates are fantastic for policy ideas, but they don't convey the executive urgency for creating a policy with teeth. So I'm looking for articles or books that will speak "executive" toward policy formation and GRC. Are there any suggestions?
Thanks!
eg
p.s. My employer is privately owned, and our initial compliance issues surround SLAs for select customers, but that's all. There's nothing that requires SOX or GDPR, for example.
I like "Information Security Policies, Procedures, and Standards: A Practitioner's Reference" by Douglas J. Landoll, 2016.
He also has a great book on doing security risk assessments.
Thanks for the suggestion. It was nicely reviewed at Amazon, so I ordered it.
I'll also point out another suggestion seen elsewhere about the "Cybersecurity Canon", which seems like an interesting list of titles.
Here is a free resource from Peerlyst (BTW: they have many good references).
Regards
It generally works better from a buy-in perspective to involve the stakeholders in developing policies rather than take a 'best' practice policy from a book or collection of policies. Obviously it's right to be informed by good practice, but you'll need to work on making it appropriate for your organisation.
I'd start by looking at the risks your organisation faces and the controls currently in place before introducing any additional controls.
We'll definitely begin at the top and work our way down for sure. Any reading material will help to inform decisions we make along the way.
I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM coursework. If you need a few pointers, you can PM me.
The biggest motivator for executives is for you to impress upon them risk. That risk can take the dimensions of being quantitative (numbers, the best option) or qualitative (for the more subjective determinations and what-if scenarios). What risk will most disrupt the bottom line? Is it business continuity? What are the policies you'll propose to prevent a disaster, and what are the procedures to recover from it?
Thank you very much! I hope to establish traction on this project very quickly.
regards
eric
@Chuxing wrote: I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM coursework. If you need a few pointers, you can PM me.
@ericgeater wrote: Greetings, everyone. As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution. My employer currently has policies, but they require some review. As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.
Eric,
Please allow me to toot my own horn, and suggest you watch my 25-minute presentation, Maybe It's the Boss's Fault, on YouTube. My message is to be sure the security policies are in line with the way the workforce ACTUALLY works. Too many security policies are not realistic, and cannot be followed or enforced, because they interfere with the primary work and make no sense to the employees. This is a direct result of letting security techies, alone, drive the policies. Password policies are only one example of the mess we have created.
I'd be happy to have further direct discussion on this topic.
Regards,