Policy and Procedure Reference Details

Policy and Procedure Reference DETAILS

by John Bandler

Here are the details, hopefully you have already been to my main article with the general overview.

I have done considerable research about policies and procedures, especially regarding information governance and cybersecurity. I work and write on this area, and then needed to take it to the next level as I built a course for InfoSec Skills titled "Corporate Security Policies" which covers security documentation for all types of organizations.

1. Recapping the framework

I came up with the Five Components for Policy Work which involve evaluating:

• Mission and business needs
• External Rules (laws, regulations, contract, and negligence)
• Internal Rules
• External Guidance 
• Practice (action)
  

  

I did a lot of research, read a lot, consulted many people.

I created an online course on the topic.

Then I created a book on the topic.

I have many resources on this website which are totally free, modular, and written in plain English.

After that, your next research steps are below.

2. Introducing the external references

Below is a list of some external references you can add to your research list. Some are short blog articles, some longer academic type papers, and some are books

Remember too that many cybersecurity frameworks offer guidance on organizing your controls and the types of documents needed.

3. Books on policies and procedures for information security, cybersecurity, data security, information technology

• Bandler, John, Policies and Procedures for Your Organization: Build solid governance documents on any topic ... including cybersecurity (has a part dedicated to cybersecurity, the rest is general) ✔
• Raggad, Bel G, Information Security Management, Concepts and Practice 
• Landoll, Douglas J, Information Security Policies, Procedures, and Standards: A Practitioner's Reference
• Charles Cresson Wood, Information Security Policies Made Easy Version, Version 14 (V 14 has a hefty price tag of $795! I have an earlier version)
• Peltier, Thomas, Information Security Policies and Procedures: A Practitioner's Reference, Second Edition ✓
• Peltier, Thomas, Policies and Procedures for Data Security: A Complete Manual for Computer Systems and Networks ✓

I've read others but will not list them here. Have a book to suggest? Let me know.

4. Books on policies and procedures as a general matter (not focused on infosec)

• Bandler, John, Policies and Procedures for Your Organization: Build solid governance documents on any topic ... including cybersecurity (has a part dedicated to cybersecurity, the rest is general) ✔
• Campbell, Nancy, Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication 
• Brumby, Kirsten, How to Write Effective Policies and Procedures: The System that Makes the Process of Developing Policies and Procedures Easy ✓
• Peabody, Larry, How to Write Policies, Procedures & Task Outlines: Sending Clear Signals in Written Directions ✓
• Green, Scott M., Policy & Procedure System: A Demystification Guide ✓
• Harris, Michelle, Policies and Procedures Manual: The Complete Manual ✓

Yes, I've read others but will not list them here. Let me know if you have a suggestion.

5. Articles on policies and procedures

There are approximately five million articles (kidding) touching on policies, procedures, and security governance out there. There is no way to list them all, and nor should they all be listed. Remember first there are lots of articles on this site to get you started and which are probably easier reads.

• Christopher E. Hart, "The Importance of Written Information Security Policies in Data
  Governance," Boston Bar Journal 63, no. 4 (Fall 2019): 13-16
• Rees, Jackie and Bandyopadhyay, Subhajyoti, "A Life Cycle Approach to Information Security Policy for Electronic Commerce"
  (2000). AMCIS 2000 Proceedings.
• Fayez Hussain Alqahtani, Developing an Information Security Policy: A Case Study Approach, 4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia
• Ismail, Ahmad, Widyarto, Ghani, A Generic Framework for Information Security Policy Development, Proc. EECSI 2017, Yogyakarta, Indonesia, 19-21 September 2017
• Sengupta, Mazumdar, Bagchi, A Methodology for Conversion of Enterprise-Level Information Security Policies to Implementation-Level Policies/Rule, 2011 Second International Conference on Emerging Applications of Information Technology
• T. Tuyikeze and D. Pottas, An Information Security Policy Development Life Cycle, Proceedings of the South African Information Security Multi-Conference (SAISMC 2010)
• Mauricio Rocha Lyra and Jose Carlos Ferrer Simoes, Checking the Maturity of Security Policies for Information and Communication, ISACA Journal 3/1/2015
• Steven De Haes, Roger Debreceny, and Wim Van Grembergen, IT Policy Framework based on COBIT 5, ISACA Journal 1/1/2013
• Sattarova Feruza Yusufovna, Advanced Security Policy Implementation for Information Systems, 2008 International Symposium on Ubiquitous Multimedia Computing
• Rossouw Von Solms, Kerry-Lynn Thomson, Mvikeli Maninjwa, Information security governance control through comprehensive policy architectures, 2011 IEEE
• A Business Framework for the Governance and Management of Enterprise IT, ISACA 2012
• COBIT for Small and Medium Enterprises: Using COBIT 2019
• NAVEX Global, Definitive Guide to Policy & Procedure Management, 2nd Edition
• Yuri Braz, Exceptions to Security Policy - What are they and how to deal with them? (ISC)² Blog 2/11/2021.
• (ISC)² Management, How Do Security Controls Help Implement a Corporate Security Policy? (ISC)² Blog, 10/11/2020.
• Zoran Cosic and Marija Boban, Information Security Management - Defining Approaches to Information Security Policies in ISMS, 2010 IEEE 8th International Symposium on Intelligent Systems and Informatics • September 10-11, 2010, Subotica, Serbia
• Joanna Grama, Information Security Policy Lifecycle, Vantage Technology Consulting Group
• Yazeed Alkhurayyif, George R S Weir, Readability as a Basis for Information Security Policy Assessment, 2017 Seventh International Conference on Emerging Security Technologies (EST), IEEE
• Anna Johannson, Network Security Policies Your Organization Needs To Adopt Today, ISACA NOW BLOG, 9/28/2017
• Patrick Lindley, Technical Writing for IT Security Policies in Five Easy Steps, SANS Institute White Paper, 9/20/2001
• Ahmad Al-Omari, Omar El-Gayar, Amit Deokar, Security Policy Compliance: User Acceptance Perspective, 2012 45th Hawaii International Conference on System Sciences
• Loren Lachapelle, The Information Security Policy Lifecycle, Tyler Cybersecurity, 1/29/2020 (excerpted from
  Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene
• Molly Mullinger, Elliott Bostelman, Six Steps to a Mature Policy Management Program, ISACA NOW BLOG, 11/29/2021
• W. Alec Cram, John D’Arcy, Jeffrey G. Proudfoot, Seeing the Forest and The Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance, MIS Quarterly Vol. 43 No. 2, pp. 525-554/June 2019

6. Sample policies

There are lots of sample policies out there that are publicly available, including from

• Educational institutions
• Government organizations
• SANS Institute
• Me (for smaller organizations)

There are also plenty of samples you can purchase.

Don't assume that sample you obtain is either "good" or right for your organization. Remember not to copy and paste, and there is no one-sized-fits-all for these documents. The process of building documents is as important as the final product.

7. Acknowledgements

I would like to thank the many people who helped and provided guidance during the process of brainstorming and building out my course on Corporate Security Policies for Infosec Skills (part of Cengage Group). Those people include:

• Rob Bandler, former Deputy Director of IT Security at Cornell University and career IT professional
• Mitchell Fink, compliance and technology professional
• Professor Bel Raggad, Pace University (see his book cited above too)
• John Bates
• Many who are not named yet
• Some who prefer not to be named

8. Conclusion and disclaimer

Organizations need good policy documents, including for cybersecurity, privacy, and many other areas.

Of course this is not legal advice nor consulting advice, and is not tailored to your organization or circumstances.

Other resources are listed for your research convenience, no endorsement is implied.

This page is a work-in-progress.

9. Additional reading and references

• This entire article is about additional reading, so please see above which lists my blog articles.
• Policies and Procedures Book
• Policy and Procedure References (main article without the excruciating detail
• Five Components for Policy Work
  • Internal Rules
  • External Rules
  • External Guidance (including cybersecurity frameworks)
  • Mission and business needs
  • Practice

• My online course at InfoSec Skills, course link https://www.infosecinstitute.com/skills/learning-paths/corporate-security-policies/
• See my author page at InfoSec Skills at https://www.infosecinstitute.com/authors/john-bandler/

Posted to https://johnbandler.com/policy-and-procedure-references-details. Copyright John Bandler, all rights reserved.

Posted 12/03/2022 based on my March 2022 article. Updated 2/5/2024.