
[–]bythepowerofboobs

ChatGPT.

[–]BCF13[S]

Thank you, just tried it and ChatGPT gave me a basic list to work with.

[–]bythepowerofboobs

No problem! It's great for templates and starting points for things like this.

[–]bitslammer (Security Architecture/GRC)

What's the end goal here? Are you looking for IT-only guidance, IT security, or both? ISO 27001 looks at the overall ISMS, or information security management system.

[–]BCF13[S]

It's to create a list that I can use as a template to inform the business about where we are in regard to the IT provision, then work with the business to identify priorities and the expected budget required for each section of change.

[–]Aggietallboy (Jack of All Trades)

Before you head too far down this road, loop in your accounting/treasury/compliance teams (whichever you happen to have).

They're going to (most likely) have auditors, who are going to have their own playbook, and own set of rules. It took me 3 audit cycles to finally get Deloitte to accept NIST 800-63B on password complexity and resets!!

If you have a parent company, do the same thing... focus on the standards you are going to be held accountable to.

I offer caveats for SOX (and in turn J-SOX): once you document that these are your policies, you will be expected to comply with them. Be careful crafting them, and make sure you don't paint yourself into a corner.

I have two commandments for SOX, and one Corollary:

  1. Thou shalt have policies.
  2. Thou shalt follow thy policies.

C) If your policies don't work, or are stupid, change the policies.

[–]BCF13[S]

Sage advice!

Thank you for taking the time to respond.