Back to Basics: How to Create Effective Information...
Transcript of Back to Basics: How to Create Effective Information...
![Page 1: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/1.jpg)
BACK TO BASICS: HOW TO CREATE EFFECTIVE
INFORMATION SECURITY POLICIES CHUCK KESLER
CHIEF INFORMATION SECURITY OFFICER
PENDO.IO
@CHUCK_KESLER
STEVE CARDINAL
MANAGER, SECURITY TECHNOLOGY
MUSC
@SGCARDINAL
(former CISO @ Duke Health)
![Page 2: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/2.jpg)
WHAT’S WORSE?
having a poorly executed policy that no one follows -or-
having no policy at all?
![Page 3: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/3.jpg)
WHAT’S WORSE?
being granted permission to publish whatever policy you want -or-
having to explain and justify the policies you want to implement
![Page 4: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/4.jpg)
AGENDA
The Foundation for Good Policies
Writing Effective Policies
Communicating Policies
![Page 5: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/5.jpg)
THE FOUNDATION FOR GOOD POLICIES
![Page 6: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/6.jpg)
WHY DO POLICIES FAIL?
C-Suite doesn’t buy-in
The “why” isn’t understood
Too complex
Lack of monitoring and enforcement
Re-using someone else’s policy
Can’t implement the way it’s written
![Page 7: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/7.jpg)
FIRST… WHAT ARE THE DIFFERENCES BETWEEN POLICIES, STANDARDS, PROCEDURES, AND GUIDELINES?
Purpose Approved By Frequency of Update
Policy Defines management intent for addressing risk; provide support for other controls
Executives Infrequent
Standards Provides technical details to support policy implementation
Directors Occasional
Procedures Step-by-step directions for implementing one or more aspects of a policy
Managers Often
Guidelines User-focused tips that support the objectives of a policy
Managers Often
7 Note: most of what is presented here can be applied equally to policies, standards, procedures, and guidelines
![Page 8: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/8.jpg)
FOUNDATION FOR GOOD POLICIES
Setting a clear tone from the top
Gaining broad-based input and support
Focusing on adding value, not just checking a box
Aligning with the business & its risk appetite
![Page 9: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/9.jpg)
ELEMENTS OF POLICY ALIGNMENT
REGULATIONS FRAMEWORKS ENGAGEMENT
GOVERNANCE LEADERSHIP
![Page 10: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/10.jpg)
ALIGNMENT WITH REGULATIONS AND FRAMEWORKS • Understand regulations (e.g. GDPR, HIPAA, PCI) that apply
• Identify areas of risk to address
• Provide boundary conditions where risk may/may not be acceptable
• Leverage frameworks (e.g. NIST, ISO) to guide the process • Provides best practices for creating controls
• Meet multiple regulatory requirements with a single set of controls
• Caution: not usually easy to use! Need to put in context of the business
• May need a hybrid of multiple frameworks
![Page 11: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/11.jpg)
UNDERSTAND THE BUSINESS DRIVERS
Requirements • Regulatory
• Legal
• Contractual
• Business plans
Constraints • Financial
• Operational
• Technology
• People
![Page 12: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/12.jpg)
SEEK INPUT
Stakeholders • Board • C-Suite • Compliance/Audit • Engineering/Operations • Customer-facing functions • GenOps functions • Customers
Subject Matter Experts • Peer organizations (e.g. ISACs) • Professional groups (e.g. ISC^2) • Consultants (e.g. benchmarking) • Informal networking with peers
![Page 13: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/13.jpg)
FORM A GOVERNANCE COMMITTEE
• Include representatives from all key stakeholder groups
• Right-size the group
• Have a regular meeting cadence
• Include agenda time for handling exceptions
• Maintain transparency
![Page 14: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/14.jpg)
LEADERSHIP: THE CISO’S ROLE IN POLICY MAKING
• Understand and be part of the business
• Help the business balance risk vs. value
• Educate the business on information security risks
• Act as a “choice architect” for leadership
• Understand that there will be differences of opinion on risk vs. value
• Identify and cultivate advocates for security and privacy among other leaders
![Page 15: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/15.jpg)
WRITING EFFECTIVE POLICIES
![Page 16: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/16.jpg)
THE KEYS TO WRITING EFFECTIVE POLICIES
Readability Structure Maintainability SMART Content
![Page 17: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/17.jpg)
READABILITY
Write with the audience in mind
Don’t go overboard with legalese
Keep policies to a manageable length
Remember: if the policy can’t be understood, it won’t be followed!
![Page 18: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/18.jpg)
POLICY STRUCTURE • Use consistent structure to enhance policy readability; example:
• Scope • Purpose • Policy statements • Roles and responsibilities • Exceptions • Revision history • Approvals • Definitions • Cross-references to regulatory and/or framework
requirements
![Page 19: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/19.jpg)
MAINTAINABILITY: CONSIDER USING A GLOSSARY
• Need to keep terminology definitions consistent • This is challenging when terms are repeated
across policies • Defining commonly used terms in a glossary
improves manageability
![Page 20: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/20.jpg)
SMART POLICIES
Specific: the policy addresses specific, clearly defined issues
Measurable: there is a means to measure the effectiveness of the policy
Achievable: the policy can be implemented in a reasonable manner
Relevant: the policy addresses the needs and risks of the business
Timely: the timeframe for implementing the policy is clearly communicated and understood
![Page 21: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/21.jpg)
SUCCESSFULLY COMMUNICATING POLICIES
![Page 22: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/22.jpg)
TAKING THE NEXT STEP
22
Policy is defined, now what?
Who needs to learn the policy?
How will they learn it?
![Page 23: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/23.jpg)
IDENTIFY YOUR AUDIENCES
• Complaints go up the ladder
• Support must start at the top
• Stakeholder needs • Executives must understand the risk
• Human Resources must know how to apply sanctions
• Managers must know how the policy affects performance
• End-users must know how to meet policy
![Page 24: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/24.jpg)
USING STORY TELLING TO DEVELOP YOUR MESSAGE • Stories have been used for thousands of years • Stories tell Why and How
• Why are we doing this – connect to purpose • How am I going to do this – removal of fear, uncertainty, and doubt
• Examples • Lascaux Cave Drawings: 15000-13000 BCE • Gilgamesh: 1800 BCE • Ramayana: 1500 BCE • Aesop’s Fables: 500-200 BCE
• New media • Photography: 1827 AD • Motion Pictures: 1877 AD • Video Games: 1947 AD
![Page 25: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/25.jpg)
DEVELOPING A GOOD STORY
• Single theme (not the same as plot!)
• Structure • Setting -> Inciting Incident -> Resolution/Denouement
• The Hero’s Journey
• Cause & Effect
• Plot
• Genre
![Page 26: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/26.jpg)
THE HERO’S JOURNEY
• Conceptualized by Joseph Campbell
• 17 Stages within 3 categories
• Not all stages necessary, but all 3 categories are: • Departure
• Initiation
• Return
• Not that different from classic Setting -> Incident -> Resolution
• The basis for an obscure film called Star Wars
![Page 27: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/27.jpg)
Source: http://justinswapp.com/american-masters-george-lucas-and-the-heros-journey/
![Page 28: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/28.jpg)
7 BASIC PLOTS
Overcoming the Monster – James Bond
Rags to Riches – Harry Potter
The Quest – Lord of the Rings
Voyage and Return – Back to the Future
Comedy – A Midsummer Night’s Dream
Tragedy – Thelma and Louise
Rebirth – A Christmas Carol
![Page 29: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/29.jpg)
GENRES
• Common patterns for telling stories. Examples:
• Fiction
• Mystery: Crime, exploration, confrontation
• Thriller: Race against time to prevent a bad thing
• Adventure: A risky and dangerous undertaking
• Romance: Hero must earn the love of another
• Non-fiction
• Biography: Narrative about a person’s life.
• Memoir: Focus on the writer’s relationship with a person, place, or thing
• Narrative: Focus on an event
![Page 30: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/30.jpg)
POLICY STORIES?
If you want them to be known, understood and remembered? Yes!
Stories don’t have to be novels
Let’s develop one
![Page 31: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/31.jpg)
DEVELOP A CENTRAL THEME
• Executive messaging • Availability risks – delays and loss of current business
• Regulatory risks – fines
• Reputational risks - loss of future business
• Human harm – injury or loss of life
• HR messaging • Alignment with values and mission
• Guidelines on determining appropriate sanctions
![Page 32: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/32.jpg)
CENTRAL THEME (CONTINUED)
• Management messaging • Alignment to organizational mission
• Impacts and improvements to departmental goals
• Identifying and reporting compliance concerns
• End-user messaging • Leadership commitment to the policy
• Impact on day-to-day workflow
• How to ask questions
![Page 33: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/33.jpg)
GO FROM THEME TO STORY
One Sentence – What you want to communicate? Ex. It’s important to backup your system regularly to recover from ransomware. Setting: The SYSTEM Hero: Kelly Inciting Incident: Ransomware takes the SYSTEM down! Resolution: Kelly had a backup
![Page 34: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/34.jpg)
THE SETTING
• Develop the setting
• What is it?
• What is normal?
• The SYSTEM, a payment processing application, handles thousands of student credit card transactions each day
![Page 35: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/35.jpg)
THE HERO
• Develop the hero
• Who are they?
• What do they want?
• Kelly, a system administrator in the finance department, wants to finish her work so she can go on vacation.
![Page 36: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/36.jpg)
THE INCIDENT
• Develop the incident
• Fred responds to a malicious email, triggering Locky, which…
• Encrypts critical SYSTEM files, which…
• Takes the SYSTEM down, which...
• Triggers a phone call to Kelly, which…
• Sends her into action.
![Page 37: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/37.jpg)
THE RESOLUTION
• How does it end?
• Comedy/Happy ending:
• Kelly restores the files from backup after clearing the infection.
• Tragedy/Sad ending:
• Because there were no backups, Kelly had to tell management they needed to pay the
ransom.
![Page 38: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/38.jpg)
ONE POSSIBILITY
![Page 39: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/39.jpg)
THE SUMMARY
• Connect outcome to policy • Link to leadership commitment • Identify where to learn more
![Page 40: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/40.jpg)
ONE PICTURE, ONE MESSAGE
• Sometimes the picture tells the story.
• The text is the message.
![Page 41: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/41.jpg)
START WITH A PICTURE
![Page 42: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/42.jpg)
ANOTHER PICTURE
![Page 43: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/43.jpg)
MEDIA TO CONSIDER
Memes – Image that tells a story + your message
Videos – Demonstrate the behavior you desire
Infographics – Relate statistics to your story
Blog posts – A weekly incident blotter
Podcasts – Interviews with coworkers
Anecdotes – Begin every presentation with one
![Page 44: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/44.jpg)
WRAP-UP
![Page 45: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/45.jpg)
SUMMARY
Policies usually succeed or fail based on the “tone from the top”
Policies must be aligned with the business
No one wants to read your policies – except auditors!
Write policies in a way that they can be understood and followed
Regularly review and update policies
Have reasonable consequences for non-compliance
Effectively communicating policies is key to adoption
Use storytelling to improve policy communications
![Page 46: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/46.jpg)
REFERENCES - ARTICLES
• https://www.sans.org/reading-room/whitepapers/policyissues/building-implementing-information-security-policy-509
• https://www.sans.org/security-resources/policies/
• https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/
• https://www.csoonline.com/article/2124114/it-strategy/strategic-planning-erm-how-to-write-an-information-security-policy.html
• https://resources.infosecinstitute.com/key-elements-information-security-policy/
• https://adeliarisk.com/13-fantastic-resources-writing-information-security-policy/
![Page 47: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/47.jpg)
REFERENCES – EXAMPLE POLICIES
• https://security.duke.edu/policies-standards-procedures
• https://policylibrary.gatech.edu/information-technology
• https://policies.iu.edu/categories/information-it.html
• https://www.wisconsin.edu/uw-policies/news/information-security-policies-and-procedures/
• http://policies.vpfa.fsu.edu/policies-and-procedures/technology/information-security-policy/
![Page 48: Back to Basics: How to Create Effective Information ...nchica.org/wp-content/uploads/2019/05/kesler_cardinal_v2.pdfback to basics: how to create effective information security policies](https://reader034.fdocuments.in/reader034/viewer/2022042612/5f80f52c5118a2150d05e594/html5/thumbnails/48.jpg)
THANK YOU!
Chuck Kesler Chief Information Security Officer Pendo.io Email: [email protected] Twitter: @chuck_kesler Web: https://pendo.io
Steve Cardinal Manager, Security Technology Medical University of South Carolina Email: [email protected] Twitter: @sgcardinal Web: https://musc.edu