Making Information Security Policy Happen
I ran across this the other day and thought about how the ability to create policies and standards is still a topic of conversation. One thing I learned early in my career is to document processes and requirements, not as a means to take creativity or flexibility from an organization. Rather, it sets the expectation, or what we used to call “Commander’s Intent” in the Marine Corps. This doesn’t mean you shouldn’t follow your processes and policies, though, as you need a way to document the exclusions for tracking. All these things together form a foundation for situational awareness.
Here’s a link to the 2008 audio interview with Julia Allen at Carnegie Mellon University called “Making Information Security Policy Happen” – https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=34450