Recently, I took on the role of Director of Cyber Security and Compliance. This position required guiding my company towards compliance with industry frameworks, a daunting task given our starting point. We decided to begin with the CIS (Center for Internet Security) controls, aiming to achieve Level 2 of the Cybersecurity Maturity Model Certification (CMMC). This would allow us to better support manufacturers aiming to work with government agencies.
As I delved into the CIS controls, I quickly noted a recurring theme: the constant references to policies. Unfortunately, while we had security controls in place, our company lacked comprehensive policies that would establish procedures for these controls. Essentially, I was faced with the challenge of creating an entire security policy from scratch.
After undertaking a Mastering GRC (Governance, Risk and Compliance) course from TCM Academy, taught by industry expert Gerald Auger, I felt well-equipped to tackle this daunting task. I began by examining some existing policy templates and examples from other companies. That’s when I remembered ChatGPT.
I had previously used ChatGPT to polish my emails, lending them a more professional tone. I wondered: Could this AI assist me in crafting our policy from the ground up?
Armed with knowledge from my GRC course and a clear understanding of our company’s needs, I set out to use ChatGPT to create our policies. Here are a few insights and tips that I picked up along the way:
- Feed ChatGPT as much information as possible: Start by setting the context for ChatGPT.
- Be specific: Aim for specificity in your policies. While generic policies can provide a starting point, a truly effective security policy should be tailored to your specific technology and company needs.
- Engage with ChatGPT: Ask it what information it needs to create a comprehensive policy. Answer its queries as thoroughly as possible; this will lead to a more complete policy.
- Be mindful of privacy and confidentiality: While using ChatGPT, take care not to disclose any confidential or sensitive information.
- Critically examine ChatGPT’s suggestions: Reading what ChatGPT suggests helps in curating policies that your company will actually follow.
With these tips, ChatGPT and I managed to draft over forty pages of our security policy. With each control question answered, the policy expanded, gradually forming into a comprehensive document that we could confidently stand by.
In conclusion, ChatGPT is an invaluable tool. Not only can it save some wear and tear on your keyboard, but it can also assist you in generating well-informed, detailed, and personalized policies for your company’s cybersecurity needs.