Updated: 8 April 2025
Got to Know The Security Policies / Security Rules Before You Break Them
I have worked with, read many, edited many, audited reams of them, written from scratch, maybe even violated a few, investigated countless, and trained on countless sets of security rules and policies, in all types of organizations around the world. The most common title for these sets of rules is “our Security Policy”, a term I promote in my security governance training, but to help all types of organizations that have struggled with these types of rules/policies, I am going back to 3rd grade and just calling them “rules” for now. If your organization decides to call them “Rules” or “Policies” or “Requirements” or _____, that is your call; just make sure it is a term that fits the culture and is enforceable. It is about the accountability of “I”, the individual human reading them, that they understand and will follow…
I can’t tell you how many times I have seen rules/policies, some of which I helped write, where it was close to impossible to determine who (individually) was accountable.
They read as if a company were writing to a company and not to an individual.
The ones below, and those to come, are my attempts to 1. provide a free resource to people who have little or no rules/policies, or no resources to make them, and 2. provide a new direction for industry security rules/security policies, written from the organization to the individual, to mature toward maximum accountability. Determining who is accountable comes in the form of a RACI exercise that is independent of these rules/policies. Ultimately, it is the CEO-level person if no one else is assigned, but guess what: the CEO-level person should be equally accountable and sign these same documents.
This collection is not meant to cover every need, but it will support an organization of any size (NGO to SMB to Fortune ### to government). It is meant to simplify these rules/policies into literally one page and hyper-focus on individual accountability. Yes, there will be some overlap, as some organizations only need specific documents rather than all of them.
Good luck, and if we can be of service to help you enhance these documents or help you with implementation, we would be honored to serve you and your organization.
Jim McConnell
info@askmcconnell.com
Ask McConnell, LLC
https://askmcconnell.com

A New Direction for Security Policies
Updated: 23 March 2025
A short note (okay, more than one page) about what we believe should be a new direction for security (and safety) rules/policies in organizations: a move toward more mature accountability.

The Security Commitment
Updated: 20 March 2025
An example agreement between the organization and the individual about these rules and policies and the consequences of violating them.

Definitions
Updated: 18 March 2025
Though the graphic says “Small Business(es)”, these definitions and all of the resources will work from NGOs/Churches to the federal government, small businesses to large enterprises.

Cyber Security – Center for Internet Security 18 Critical Controls
Sorry, it’s a 2-pager. Based on CISecurity.org’s great work on the 18 Critical Controls.
Updated: 03 April 2025

Jim, I wish you had one on ______
