Episode 39 — Audit policies for gaps and drift to restore intended outcomes

Policies can lose their effectiveness over time due to technical changes or shifting business priorities, a phenomenon known as policy drift. This episode focuses on the auditing process required to identify these gaps and restore the governance framework's intended outcomes. We define a policy gap as a scenario where a known threat or a new regulatory requirement is not addressed by the current documentation. For the GSTRT certification, candidates must know how to conduct a "gap analysis" that compares the "as-is" state of policy against a recognized industry framework like NIST or ISO. Examples include discovering that a remote work policy has not been updated to include security requirements for mobile device management. Best practices involve using internal or external audits to provide an objective view of the policy corpus. By systematically auditing for drift, you ensure that the organization's rules remain a potent and relevant tool for risk management rather than a collection of obsolete instructions. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.