Leveling Up Policy Management
In the previous article, we discussed how to set up a new policy set, but that is only a small part of a policy lifecycle. ChatGPT can continue to be your policy sidekick throughout the entire life of a policy, not just at its creation. Let's dive into a few areas of policy management: annual reviews, reviewing contracts, and updating your policies based on the latest incident reports.
Before we get started, though, let's lay down the foundation so we are all starting at the same place. Since this exercise involves policies, you should either use your own or use the network security policy you built up in my previous article. If nothing else, run the prompt below to get a half-way decent policy.
I need a comprehensive network infrastructure information security policy that focuses on cloud-based infrastructure. The policy should reflect a moderate level of maturity in our security program, indicating that we have established foundational security practices but are continuing to evolve and improve. The policy must include clear guidelines and procedures that are easy to audit and measure for success. It must include a scoping statement, regulatory applicability, risk management, access control, and a schedule for policy reviews.
You can then save that off as a markdown file or as a PDF to insert into the prompts in this article.
Your Annual Check-Up
Every security framework I've come across includes a requirement to review your policies at least annually, and every reviewer I've met dreads this task. A handful of the tasks that need to be accomplished include incorporating changes from applicable laws and regulations, breaking the policies into batches relevant to each reviewer, creating maturity plans for the coming year, and communicating changes out to the whole company. It is a lot of tedious work that took me away from more hands-on security work. Of course, ChatGPT can make all of those tasks trivial.
To make sure that your policies are up to date with laws and regulations, let's first gather which regulations our fictional company falls under.
With that in mind, we can ask ChatGPT for a summary of what has changed over the last 12 months:
My company is a US-only, public financial institution with money transmitter licenses. We deal with consumer data and loans. What applicable state and federal laws and regulations have changed in last 12 months that would affect my information security policies? Compare those changes to the attached policies and suggest language changes to meet those new or updated requirements.
Using the policy from the introduction, we can see that the SEC and NYDFS, among others, issued updates in the 12 months prior to this article being written. ChatGPT will helpfully suggest language changes and even give you back a modified policy. Be sure to still run this by your legal and compliance teams for a sanity check. If you want it more tailored to your specific company, give it a longer company description that includes the types of regulations you comply with.
Part of any good annual check-up for a security program is to plan out where you want your team to be in the next 12 months. There are a few ways ChatGPT can help with this. The first is to ask it what the upcoming threats are that it sees in the headlines:
What are the emerging cybersecurity threats we should prioritize in the next year? How would a small security team of 8 people tackle these problems? Provide links to sources for these recommendations.
There are a ton of tweaks you can make to that prompt as well. Try telling it not only the number of people you have on your team but also their roles and skills. That will help it tailor the recommendations to what you and your team can actually accomplish. Another tweak would be to give it a description of your company and the industry you are in. You wouldn't want to hear about vulnerabilities that affect water treatment plants if you run a bank!
You can tackle cobbling those recommendations into a roadmap yourself, or stay in that same thread and let the bots do some of the translation for you. Try this prompt next:
What investments in technology or training will yield the highest return on investment for our security posture in the next 12 months?
That will take into account any adjustments you made to the first prompt, so the roadmap is tailored to what will best serve you. The initial output might be too high level to be actionable, but keep asking questions in the thread to clarify, and give it examples of what you want. The bots will do some amazing work to make you look like the best-prepared manager at your organization.
Contractual Obligations
With a growing focus on third-party risk, companies are attaching onerous security requirements to every service or product they purchase. This can be a pain point for lawyers who may not be technical enough to understand the requirements in the contracts. Plus, the lawyer writing the addendum may not know the technical jargon and will get creative in their writing style. All of this adds up to a lot of work. With ChatGPT, you don't need to worry about that.
To start, let's assume our network security policy does not include a requirement that all services employ MFA. If your sample policy has that already, strike that clause. We can ask ChatGPT to build us a standard security addendum to play with:
Generate a security contract addendum that requires the signing party to meet industry standard information security practices and ensures that all admin interfaces and accounts are protected by MFA.
That will give you a decent addendum to work with for this exercise. In a future article, I may go into how you can get ChatGPT or Harvey.ai to give you better contract language.
In a new thread, pre-load your policy as shown in the introduction to this article. Then, in a new message, paste in the addendum you generated along with this prompt:
I need to know if all requirements in this contract addendum are accounted for in the policy. Summarize what requirements are not met that pertain to network infrastructure security specifically.
Great! You can now see exactly what gaps you have in your program compared to that future contract. Note that in the real world you would want to give it your full policy set, but this gives us a glimpse into what you can accomplish. ChatGPT can take things one step further and suggest edits to your policies:
For each identified gap, please suggest language changes to the original policy that would plug the gap.
If you want to take your laziness (or efficiency, depending on your point of view) to the fullest extent, you can change that prompt to ask it to rewrite the policy itself.
Don't Fear the Breaches
With data breaches happening nearly every day, no one can blame you for forgetting about what exactly happened over the last 12 months. Yet somehow auditors still expect you and your team to incorporate lessons learned from the pain of those other organizations. You could probably hire an intern to painfully comb through endless headlines to accomplish this, but we should save them from the worst summer internship ever and let ChatGPT do this for us.
ChatGPT is fantastic at reviewing news sources and can pull together summaries of thousands of articles in seconds. Better yet, it can draw up lessons to be learned from those incidents. Run the prompt below after you preload your policy.
Review the past 12 months of news of cybersecurity incidents and data breaches. Based off lessons learned from those incidents, are there any suggested changes for the attached policy? Use threat modeling to determine if my company is vulnerable based off our current policy. Give each change a high, medium, low priority based off the criticality of the gap.
Before you rush off and implement each one of its suggestions, do your own research to see if you actually have the capacity to implement them. If you don't, these findings can serve as a good report to hand over to your budget committee when requesting an increase in your allowance. You can modify that prompt to include language like "Give each change a high/medium/low rating for the complexity of implementing the change." While its guess may not be perfect, it can give you a ballpark estimate.
As with most prompts in ChatGPT, it may not be entirely comprehensive. Give it a nudge to shake out a few more findings.
Are there any other incidents in the headlines that might give us more lessons to learn from and what changes would you suggest to the policy for that?
In a future article, we will explore how we can turn these news-based gap findings into a fun incident response tabletop exercise. Those trainings are much more engaging if you base them on real gaps in your controls.
Your New Sidekick and You
Integrating AI helpers into your modern policy management lifecycle is quickly becoming a necessity. The pace of change in threats, regulations, and third-party contracts is going to make it a near-insurmountable task for your team to keep up. Leverage the new tools at your disposal not only to help them keep up, but to excel past your competitors.
Not only will this new toolset be crucial for policy management, it will help your team translate the requirements into effective communication strategies for the rest of your company. Good security programs will fail without having everyone on board. All it takes is for one of your coworkers to not take this seriously for a breach to happen.
In my next article, we will branch into business continuity and incident response policy management. Given the inherent creativity of these tools, they make a perfect fit for all of your continuity needs. Be ready to see how ChatGPT can come up with creative continuity scenarios and create some of the best tabletop exercises you've ever played through.
Sean Todd, Senior Managing Director, 8 months ago: Fascinating read. Thank you for sharing.