If you have been in information security for a while and have seen your share of security policies, odds are the policy you are viewing is based on a template from Information Security Policies Made Easy (ISPME) by Charles Cresson Wood. The ISPME templates have been around for decades and are often the launching pad for an organization’s policy program.
I’ve been a fan of Cresson Wood for a long time and have used ISPME for client policy engagements and his Information Security Roles & Responsibilities Made Easy. Charles is back, and his latest is Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process (InfoSecurity Infrastructure, Inc.).
As a practicing attorney with significant information security experience and CISSP, CISM, CIPP and other industry certifications, Cresson Wood has a unique skill set that brings the legal and technology worlds together in this helpful reference.
The book primarily helps professionals form an opinion on whether their organization’s directors and officers are complying with their information security, privacy and legal duties. Its methodology is an independent audit that can be used to determine whether the directors and officers of an organization are meeting those duties.
The book has different sections depending on the person’s role. This includes project management, legal department, auditors, project managers, business process designers, mergers and acquisitions, and more.
As the book’s title indicates, it provides a turnkey approach to security due diligence and to performing a duties audit. With extensive use of tables, flowcharts and graphs, a reader in each role can save significant time performing due diligence. At over 1,100 pages, it also makes ample use of listings of changes to be made to a nonconforming product or service to address deficiencies, and of templates with pre-canned language for replying to a vendor or internal group.
For a larger firm, a duties audit can be a project management nightmare. The book addresses this with a project management methodology for carrying out the audit, which a firm’s project manager (hopefully a PMP) can follow.
For those who need to demonstrate to their stakeholders that their firm takes information security and privacy seriously, Cresson Wood has written another invaluable information security reference in Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy.