cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ericgeater
Community Champion

Reading suggestions on governance and policy creation

Greetings, everyone.  As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution.  My employer currently has policies, but they require some review.  As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.

The SANS policy templates are fantastic for policy ideas, but they don't convey the executive urgency for creating a policy with teeth.  So I'm looking for articles or books that will speak "executive" toward policy formation and GRC.  Are there any suggestions?

 

Thanks!

eg

p.s. My employer is privately owned, and our initial compliance issues surround SLAs for select customers, but that's all.  There's nothing that requires SOX or GDPR, for example.

-----------
A claim is as good as its veracity.
10 Replies
emb021
Advocate I

I like "Information Security Policies, Procedures, and Standards: A Practitioner's Reference" by Douglas J. Landoll, 2016.  

 

He also has a great book on doing security risk assessments.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
ericgeater
Community Champion

Thanks for the suggestion.  It was nicely reviewed at Amazon, so I ordered it.

I'll also point out another suggestion seen elsewhere about the "Cybersecurity Canon", which seems like an interesting list of titles.

-----------
A claim is as good as its veracity.
dcontesti
Community Champion

Here is a free resource from Peerlyst (BTW: they have many good references)

 

https://www.peerlyst.com/posts/resource-free-comprehensive-information-security-policy-template-for-...

 

Regards

 

 

Steve-Wilme
Advocate II

It generally works better from a buy in perspective to involve the stakeholders in policies in developing them rather than take a 'best' practice policy from a book or collection of policies.  Obviously it's right to be informed by good practice, but you'll need to work on making in appropriate for your organisation.

 

I'd start by looking at the risks your organisation faces and the controls currently in place before introducing any additional controls.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
ericgeater
Community Champion

We'll definitely begin at the top and work our way down for sure.  Any reading material will help to inform decisions we make along the way.

-----------
A claim is as good as its veracity.
Chuxing
Community Champion

@ericgeater 

I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM courseworks, if you need a few pointers, you can pm me.

 

 


____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
AppDefects
Community Champion

The biggest motivator for executives is for you to empress upon them risk. That risk can take the dimensions of being quantitative (numbers, the best option) or qualitative (for the more subjective determinations and what-if scenarios).What risk will most disrupt the bottom line? Is it business continuity? What are the policies you'll propose to prevent a disaster and what are the procedures to recover from it?

ericgeater
Community Champion

Thank you very much!  I hope to establish traction on this project very quickly.

 

regards

eric


@Chuxing wrote:

@ericgeater 

I have been teaching college senior and grad level I&T security policy courses, and have developed full I&T governance as well as ITSM courseworks, if you need a few pointers, you can pm me.



-----------
A claim is as good as its veracity.
CraginS
Defender I


@ericgeater wrote:

Greetings, everyone.  As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution.  My employer currently has policies, but they require some review.  As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.


Eric,

Please allow me to toot my own horn, and suggest you watch my 25 minute presentation, Maybe It's the Boss's Fault, on YouTube. My message is to be sure the security policies are in line with the way the workforce ACTUALLY works. Too many security polices are not realistic, and cannot be followed or enforced, because they interfere with the primary work, and make no sense to the employees. This is a direct result of letting security techies, alone, drive the policies. Password policies are only one example of the mess we have created.

 

I'd  be happy to have further direct discussion on this topic.

 

Regards,

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts