Policy and Procedure References

Policy and Procedure References

by John Bandler

I have researched policies, procedures, and governance, especially regarding information systems and cybersecurity. I work and write on this area, and then I did additional research and thought to build a course for InfoSec Skills titled "Corporate Security Policies" and then wrote a book called "Policies and Procedures for Your Organization: Build solid governance documents on any topic ... including cybersecurity".

This article (and the next) help share those resources with you, and give credit for the work that helped influence my thoughts and work.

John's Major works on policies and procedures

John Bandler, Policies and Procedures for Your Organization: Build solid governance documents on any topic ... including cybersecurity (John Bandler, 2024)

John Bandler, Corporate Security Policies, online learning path for Infosec Skills, a Cengage company.

My framework concept

I came up with the Five Components for Policy Work which involve evaluating:

• Mission and business goals and needs
• External rules (laws, regulations, contract, and negligence)
• Internal rules
• External guidance
• Practice (action).

I built out articles on all of these areas and a book too. I believe these incorporate the best and most practical advice from other work.

• Policies and Procedures Book
• Five Components for Policy Work
  • Bandler's Three Platforms to Connect for Compliance (the compliance components: external rules, internal rules, practice)
  • Bandler's Fourth Platform to Connect  (adding business needs and mission)
• Internal Rules
  • Rules (laying out the concept of a "rule", in the context of personal, organizational, and government rules)
  • Policies and Procedures (and all other governance documents)
  • Internal Rules Planning (planning to create or improve internal rules of organizations, my four platforms plus a fifth "cloud")
  • Internal Rules Building (a construction concept to build and improve rules that applies to any type of organization)
  • Rethinking the Rules Pyramid (the rules pyramid analogy only goes so far, and my platform analogy has benefits)
  • Policy Checklist (a checklist for building, reviewing, and updating governance documents)
  • Free Cybersecurity Policy (for very small organizations that cannot afford to hire anyone)
  • Policies, Procedures, and Governance of an Organization (discusses the Three Platforms and ENTER concepts, and management)
  • Policy and Procedure References (This article)
• External Rules
  • Rules (laying out the concept of a "rule", in the context of personal, organizational, and government rules)
  • Law
  • Cyberlaw
  • Cybersecurity Laws and Regulations Part 1 (general legal overview)
  • Cybersecurity Laws and Regulations Part 2 (getting into the details!)
    • Financial sector cyber laws and regulations
    • Health sector laws and regulations
  • Privacy
  • Contract Law - An Introduction
  • Cyber insurance
  • Negligence Law
  • Introduction to Law (Outline)
• External Guidance 
  • Cybersecurity Frameworks and Guidance
  • NIST Cybersecurity Framework
  • Bandlers Four Pillars of Cybersecurity
• Mission and business needs
• Practice

My research

I did a lot of research, read a lot, consulted many people. I asked about:

• Resources that are good (books, articles, etc.)
• Methods and practices that work
• What to avoid.

I have compiled some of that research here. I don't pretend the research is "done" or the most exhaustive anyone has done, but it's a good start. I also created an online course on the topic and many resources on this website.

External references

I moved the details and all the external references to another page, otherwise this page would become unwieldy and unmanageable. So after you have digested the references on this page and site, go check out the details.

My online courses on policies and procedures

That is what I have built for Infosec Skills (part of Cengage Group).

The entire work is called a "learning path" and is made up of these seven courses:

1. Foundations and a framework
2. Mission and business needs
3. External rules (laws, regulations, etc.)
4. External guidance (frameworks, samples, etc.)
5. Planning the security document project
6. Managing and completing the security document project
7. Using and maintaining your documents

What organizations should do

Organizations should follow a logical process to evaluate all five components, plan a document project (to create or update documents), then properly manage the project to completion, then train on, use, and manage their documents. Documents matter, and so does the process to create and improve them. Documents should never be just for show, nor "shelf-ware" that is never used or referred to.

Organizations should avoid this

Organizations must avoid creating documents that are just for show. They should also avoid copying and pasting other documents assuming those documents are good, or are otherwise appropriate for their organization.

This probably doesn't need to be said, but they should also avoid hiring an infinite number of monkeys to type random text hoping a great policy will result.

Conclusion and disclaimer

Organizations need good policy documents, including for cybersecurity, privacy, and many other areas.

Of course this is not legal advice nor consulting advice, and is not tailored to your organization or circumstances.

This page is a draft and work-in-progress. I am not endorsing any other materials at this point but merely compiling a list for further research.

Additional reading and references

• This entire article is about additional reading, so please see above which lists my blog articles.
• Policies and Procedures Book
• Policy and Procedure Reference Details (more external references than you can shake a policy at)
• My online course at InfoSec Skills
  • Public landing page at Infosec, https://www.infosecinstitute.com/skills/learning-paths/corporate-security-policies/
  • Learning portal page, https://app.infosecinstitute.com/portal/skills/path/18623
  • My author page at Infosec
  • Bandler50 is my 50% off coupon at Infosec, learn more
• Five Components for Policy Work
  • Internal Rules
  • External Rules
  • External Guidance (including cybersecurity frameworks)
  • Mission and business needs
  • Practice 

Posted to https://johnbandler.com/policy-and-procedure-references. Copyright John Bandler, all rights reserved.

Posted 3/21/2022. Updated 3/14/2024.