This project develops a comprehensive cybersecurity policy framework for an organization. It addresses the gap between technical security controls and the governance structures that make those controls enforceable, consistent, and auditable. The policy covers acceptable use, access control, incident response, data handling, and compliance obligations.
## What the policy covers
- Acceptable use policy scoping employee and contractor behavior on organizational systems.
- Access control policy enforcing least privilege, role-based access, and periodic review.
- Data classification and handling requirements tied to sensitivity levels.
- Incident response policy defining roles, escalation paths, and communication requirements.
- Compliance alignment with relevant frameworks and regulatory expectations.
## Policy development approach
- Mapped organizational risks to policy controls using a gap analysis framework.
- Grounded each policy section in NIST SP 800-53 and ISO 27001 control families.
- Wrote policies to be actionable for IT staff and understandable to non-technical employees.
- Included enforcement language, exception handling, and policy review schedules.
## Governance structure
| Policy Area | Owner | Review Cycle |
|---|---|---|
| Acceptable use | HR / IT jointly | Annual |
| Access control | IT Security | Annual or after incidents |
| Data classification | Data Governance / Legal | Annual |
| Incident response | IT Security / Leadership | After each major incident |
## Why this project matters
Security policies are the connective tissue between technical controls and organizational behavior. I designed this project to show that I understand security as a governance problem, not just a technical one. Effective policy reduces risk through clarity, accountability, and enforceable expectations — not just firewalls and monitoring tools.