# Policy Management

[[Policy Management]] is a [[Control Development]] capability. The word policy has shifted quite a bit with technology advancements. Instead of simply recording organization decisions in a document, technology has provided a layer of policy enforcement points that enact policies at the technology layer. For this reason, organizations need a list of must-do requirements that enable adversary resilience and allow for compliance with regulatory requirements. As part of defensive planning, developing policies enables business alignment and supports distributed decision making with a set of vetted constraints that set the tone for adversary resilience. Policies may also extend into code, and this capability must vet and track policies as they are carried over into technology.

## Map

```mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
    Top[[Cybersecurity]] --- B[[Control Development]]
    B --- B.1[[Defense Modeling]]
    B --- B.2[[Standards Management]]
    B --- B.3[[Policy Management]]
    B --- B.4[[Test Plan Management]]
    B --- B.5[[Threshold Management]]

    %% Class Definitions
    %% =====================
    class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
    class Top cssClassL0;
    classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
    class A,B,C,D,E cssClassL1;
    classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
    class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
    classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
    class B.3 cssClassCurrent;
    classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

>[!cm-definition] Definition
>Policy management encompasses creating policies aligned with security goals, ensuring compliance, enforcing adherence, and regularly reviewing policy effectiveness.

## Goals

>[!cm-goal] Goal 1
> **Provide Clarity** -

>[!cm-goal] Goal 2
> **Establish Security Culture** - Setting expectations for practices and procedures involving:
> - Protecting informational assets from misuse and abuse
> - Ensuring adherence to legal, regulatory, and industry best practices
> - Mitigating security risks and vulnerabilities
> - Cultivating a culture of security awareness and accountability
> - Streamlining incident response and recovery procedures for security breaches or incidents

## Scope

## Process

```mermaid
flowchart LR
    A[Business <br /> Strategy as Input] --> B[1. Identify <br /> Controls]
    B --> C[2. Analyze <br /> Dwell]
    C --> D[3. Predict <br /> Targets]
    D --> E[4. Manage <br /> Exploits]
    E --> F[5. Share <br /> Intelligence]
    F -.->|Informs| A
    F --> Stakeholders
```

## Metrics

>[!cm-metric] Metric: [[% of Workforce Adherence to Corporate Policies]]

>[!cm-metric] Metric: [[% of Workforce Experimenting outside of Policies]]

## Inspiration & Resources

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.