Policy and Procedure References

by John Bandler

I have researched policies, procedures, and governance, especially regarding information systems and cybersecurity. I work and write in this area, and then did additional research and thinking to build a course for Infosec Skills titled "Corporate Security Policies" and then wrote a book called "Policies and Procedures for Your Organization: Build solid governance documents on any topic ... including cybersecurity".

This article (and the next) helps share those resources with you and gives credit for the work that helped influence my thoughts and work.

John's major works on policies and procedures

John Bandler, Policies and Procedures for Your Organization: Build solid governance documents on any topic ... including cybersecurity (John Bandler, 2024)

John Bandler, Corporate Security Policies, online learning path for Infosec Skills, a Cengage company.

My framework concept

I came up with the Five Components for Policy Work which involve evaluating:

  • Mission and business goals and needs
  • External rules (laws, regulations, contract, and negligence)
  • Internal rules
  • External guidance

I built out articles on all of these areas and a book too. I believe these incorporate the best and most practical advice from other work.

My research

I did a lot of research, read a lot, and consulted many people. I asked about:

  • Resources that are good (books, articles, etc.)
  • Methods and practices that work
  • What to avoid

I have compiled some of that research here. I don't pretend the research is "done" or the most exhaustive anyone has done, but it's a good start. I also created an online course on the topic and many resources on this website.

External references

I moved the details and all the external references to another page; otherwise this page would become unwieldy and unmanageable. So after you have digested the references on this page and site, go check out the details.

Here is what I have built for Infosec Skills (part of Cengage Group).

The entire work is called a "learning path" and is made up of these seven courses:

  1. Foundations and a framework
  2. Mission and business needs
  3. External rules (laws, regulations, etc.)
  4. External guidance (frameworks, samples, etc.)
  5. Planning the security document project
  6. Managing and completing the security document project
  7. Using and maintaining your documents

What organizations should do

Organizations should follow a logical process to evaluate all five components, plan a document project (to create or update documents), then properly manage the project to completion, then train on, use, and manage their documents. Documents matter, and so does the process to create and improve them. Documents should never be just for show, nor "shelf-ware" that is never used or referred to.

Organizations should avoid this

Organizations must avoid creating documents that are just for show. They should also avoid copying and pasting other documents on the assumption that those documents are good, or are otherwise appropriate for their own organization.

This probably doesn't need to be said, but they should also avoid hiring an infinite number of monkeys to type random text hoping a great policy will result.

Conclusion and disclaimer

Organizations need good policy documents, including for cybersecurity, privacy, and many other areas.

Of course, this is not legal advice nor consulting advice, and is not tailored to your organization or circumstances.

This page is a draft and work-in-progress. I am not endorsing any other materials at this point but merely compiling a list for further research.

Additional reading and references

