ericgeater
Community Champion

Reading suggestions on governance and policy creation

Greetings, everyone.  As a "novitiate" in cybersecurity (having only recently passed the CISSP exam), I am looking for some guidance on policy evolution.  My employer currently has policies, but they require some review.  As a "committee of one", I am looking to shore up my narrative before approaching the executives to propose a policy change.

The SANS policy templates are fantastic for policy ideas, but they don't convey the executive urgency for creating a policy with teeth.  So I'm looking for articles or books that will speak "executive" toward policy formation and GRC.  Are there any suggestions?

 

Thanks!

eg

p.s. My employer is privately owned, and our initial compliance issues surround SLAs for select customers, but that's all.  There's nothing that requires SOX or GDPR, for example.

---
10 Replies
Frank_Mayer
Contributor I

A history of the Cybersecurity Framework that underpins governance can be found on the US Government's NIST site, and NIST has great resources for small business as well.  Having served in cybersecurity in both industry and government (to include military service) for decades, I find NIST a good source of unbiased guidance that is not driven by trying to sell a product or consulting services.  Here is the link that explains how the cybersecurity framework evolved: https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework

 

This link to the NIST Report for Cybersecurity Fundamentals for Small Business Owners is a little gem that can really help with framing policy development for a small business; NIST has guides for several types of businesses. https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final

 

This link provides a National Cybersecurity and Communications Integration Center's (NCCIC) historical perspective going back to 1963 and up to the present day:

 

https://www.us-cert.gov/about-us

 

Here is a Washington Post article that outlines the history of Internet security going back to its inception and up to the present day: https://www.washingtonpost.com/graphics/national/security-of-the-internet/history/?noredirect=on  There are even comments on this article that are relevant as well.

 

Respectfully,

Francis (Frank) Mayer, CISSP