Policy and Procedure References

Policy and Procedure References

by John Bandler

I did a lot of research on policies, procedures, and governance, especially regarding information systems and cybersecurity.

After writing a book and building some online courses, I aligned the most helpful references to my book in this Polices and Procedures resources and links article.

If you are conducting your own research, see at bottom the link to the reference details article which points you to the work of others and gives credit for the work that helped influence my thoughts and work.

John's Major works on policies and procedures

• Book titled "Policies and Procedures for Your Organization: Build solid governance documents on any topic ... including cybersecurity"
• Reference article which aligns with the organization of my book
• Online course at Udemy that parallels the book, see my Udemy page for more.
• Online course for information security professionals titled "Corporate Security Policies" for Infosec Skills, a Cengage company.

My framework concept

I came up with the Five Components for Policy Work which involve evaluating:

• Mission and business goals and needs
• External rules (laws, regulations, contract, and negligence)
• Internal rules
• External guidance
• Practice (action).

I built out articles on all of these areas and a book too. I believe these incorporate the best and most practical advice from other work.

• Policies and Procedures Book
• Policies and Procedures Book Resources
• Five Components for Policy Work
  • Bandler's Three Platforms to Connect for Compliance (the compliance components: external rules, internal rules, practice)
  • Bandler's Fourth Platform to Connect  (adding business needs and mission)
• Internal Rules
  • Rules (laying out the concept of a "rule", in the context of personal, organizational, and government rules)
  • Policies and Procedures (and all other governance documents)
  • Internal Rules Planning (planning to create or improve internal rules of organizations, my four platforms plus a fifth "cloud")
  • Internal Rules Building (a construction concept to build and improve rules that applies to any type of organization)
  • Rethinking the Rules Pyramid (the rules pyramid analogy only goes so far, and my platform analogy has benefits)
  • Policy Checklist (a checklist for building, reviewing, and updating governance documents)
  • Free Cybersecurity Policy (for very small organizations that cannot afford to hire anyone)
  • Policies, Procedures, and Governance of an Organization (discusses the Three Platforms and ENTER concepts, and management)
  • Policy and Procedure References (This article)
• External Rules
  • Rules (laying out the concept of a "rule", in the context of personal, organizational, and government rules)
  • Law
  • Cyberlaw
  • Cybersecurity Laws and Regulations Part 1 (general legal overview)
  • Cybersecurity Laws and Regulations Part 2 (getting into the details!)
    • Financial sector cyber laws and regulations
    • Health sector laws and regulations
  • Privacy
  • Contract Law - An Introduction
  • Cyber insurance
  • Negligence Law
  • Introduction to Law (Outline)
• External Guidance 
  • Cybersecurity Frameworks and Guidance
  • NIST Cybersecurity Framework
  • Bandlers Four Pillars of Cybersecurity
• Mission and business needs
• Practice

My research

I did a lot of research, read a lot, consulted many people. I asked about:

• Resources that are good (books, articles, etc.)
• Methods and practices that work
• What to avoid.

I have compiled some of that research here. I don't pretend the research is "done" or the most exhaustive anyone has done, but it's a good start. I also created an online course on the topic and many resources on this website.

External references

I moved the details and all the external references to another page, otherwise this page would become unwieldy and unmanageable. So after you have digested the references on this page and site, go check out the details.

My online courses on policies and procedures at Infosec Skills

This course is for information security professionals at Infosec Skills (part of Cengage Group).

The entire work is called a "learning path" and is made up of these seven courses:

1. Foundations and a framework
2. Mission and business needs
3. External rules (laws, regulations, etc.)
4. External guidance (frameworks, samples, etc.)
5. Planning the security document project
6. Managing and completing the security document project
7. Using and maintaining your documents

My online courses on policies and procedures at Udemy

This course is for anyone and is hosted at Udemy.

The course structure aligns to my book, one short video to correspond to each chapter.

See my page on my Udemy courses, remember to look for coupon codes and sales to get yourself the best deal.

What organizations should do

Organizations should follow a logical process to evaluate all five components, plan a document project (to create or update documents), then properly manage the project to completion, then train on, use, and manage their documents. Documents matter, and so does the process to create and improve them. Documents should never be just for show, nor "shelf-ware" that is never used or referred to.

Organizations should avoid this

Organizations must avoid creating documents that are just for show. They should also avoid copying and pasting other documents assuming those documents are good, or are otherwise appropriate for their organization.

This probably doesn't need to be said, but they should also avoid hiring an infinite number of monkeys to type random text hoping a great policy will result.

Conclusion and disclaimer

Organizations need good policy documents, including for cybersecurity, privacy, and many other areas.

Of course this is not legal advice nor consulting advice, and is not tailored to your organization or circumstances.

This page is now somewhat obsolete and duplicative of other pages on this website.

Additional reading and references

• This entire article is about additional reading, so please see above which lists my blog articles.
• Policies and Procedures Book
• Policies and Procedures Book Resources
• Policy and Procedure Reference Details (more external references than you can shake a policy at)
• My online course at InfoSec Skills
  • Public landing page at Infosec, https://www.infosecinstitute.com/skills/learning-paths/corporate-security-policies/
  • Learning portal page, https://app.infosecinstitute.com/portal/skills/path/18623
  • My author page at Infosec
  • Bandler50 is my 50% off coupon at Infosec, learn more
• My online course at Udemy
  • My Udemy courses
• Five Components for Policy Work
  • Internal Rules
  • External Rules
  • External Guidance (including cybersecurity frameworks)
  • Mission and business needs
  • Practice 

Posted to https://johnbandler.com/policy-and-procedure-references. Copyright John Bandler, all rights reserved.

Posted 3/21/2022. Updated 12/05/2024.