Reading suggestions on governance and policy creation
Greetings, everyone. As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution. My employer currently has policies, but they require some review. As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.
The SANS policy templates are fantastic for policy ideas, but they don't convey the executive urgency for creating a policy with teeth. So I'm looking for articles or books that will speak "executive" toward policy formation and GRC. Are there any suggestions?
p.s. My employer is privately owned, and our initial compliance issues surround SLAs for select customers, but that's all. There's nothing that requires SOX or GDPR, for example.
A history of the Cybersecurity Framework that underpins governance can be found on the US Government's NIST site, and NIST has great resources for small business as well. Having served in cybersecurity in both industry and government (to include military service) for decades, I find NIST a good source of unbiased guidance that is not driven by trying to sell a product or consulting services. Here is the link that explains how the cybersecurity framework evolved: https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework