Community Champion

Reading suggestions on governance and policy creation

Greetings, everyone.  As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution.  My employer currently has policies, but they require some review.  As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.

The SANS policy templates are fantastic for policy ideas, but they don't convey the executive urgency for creating a policy with teeth.  So I'm looking for articles or books that will speak "executive" toward policy formation and GRC.  Are there any suggestions?




p.s. My employer is privately owned, and our initial compliance issues surround SLAs for select customers, but that's all.  There's nothing that requires SOX or GDPR, for example.

A claim is as good as its veracity.
10 Replies
Contributor I

A history of the Cybersecurity Framework that underpins governance can be found on the US Government's NIST site, and NIST has great resources for small business as well.  Having served in cybersecurity in both industry and government (to include military service) for decades, I find NIST a good source of unbiased guidance that is not driven by trying to sell a product or consulting services.  Here is the link that explains how the Cybersecurity Framework evolved:


This link to the NIST Report for Cybersecurity Fundamentals for Small Business Owners is a little gem that can really help with framing policy development for a small business.  NIST has guides for several types of businesses. 


This link provides the National Cybersecurity and Communications Integration Center's (NCCIC) historical perspective going back to 1963 and up to the present day: 


Here is a Washington Post article that outlines the history of Internet security going back to its inception and up to the present day; there are even comments on this article that are relevant as well.



Francis (Frank) Mayer, CISSP EMERITUS