Coronado D/E
3:45 pm - 4:30 pm, Tuesday, September 24
Practical Lessons from 3 Decades of Security Policy Development
About
Security policies are crucial for robust cybersecurity programs, providing direction, defining roles, and setting controls. However, they often suffer from neglect, leading to unclear strategies and weakened programs. Join our session to understand the vital role of security policies, avoid common pitfalls, and learn to craft them effectively within frameworks like FISMA, ISO 27001/2, and COBIT 2019. Discover strategies for gaining acceptance through training and socialization, with real-world examples and a case study from the Arizona Department of Administration. Leave equipped with actionable insights and resources to strengthen your cybersecurity program with well-crafted policies.
Learning Objectives:
Create policies within a framework. We will discuss different levels of policy types (security program policies, system policies, user policies, and organization policies) and policy frameworks (FISMA, ISO 27001/2, COBIT 2019, and others).
Understand how to train on and socialize policy within their organization. This includes socializing new or changed security policy sets, identifying SMEs and organizational best practices, performing multi-level reviews, policy training, and policy collateral.
Know how to avoid security policy mistakes, with clear examples of policies that do not work well. These include excessive prose (unclear requirements), mixed audience and level (policies and procedures in one document), out-of-date policies, and “policies in a box.”