Leveraging AI to Create Security Policies

Hopefully you were in Boston for SecureWorld 2024 and got a chance to see my presentation on leveraging AI to create security policies, and hopefully you found it informative. Below are some of the queries I made with OpenAI ChatGPT (https://chat.openai.com) and Google Gemini (https://gemini.google.com) along with the resulting output. Feel free to review them, but remember these three points:

  • Any policy created by a generative AI should serve as a template, not the final draft.
  • Proofread, Proofread and Proofread, AGAIN! Generative AI can make mistakes.
  • Have your legal counsel or lawyers verify that the policy is legally appropriate for your organization and for each jurisdiction where it will be used.
    • If your organization has a policy review process, also have that group review the draft to make sure it fits the organization’s culture.

What policies can be generated?

Generally, you can get generative AI to create “any” security policy, but some policies need more criteria and points as a starting point. Adding points specific to your organization’s needs helps tailor the policy to your organization. The following is not an exhaustive list of security policies that could be created; the ones marked with an asterisk were created in my testing.

  • *Acceptable Use Policy
  • Email Use Policy
  • *Information Security Policy
  • Access Control Policy
  • Physical Security Policy
  • Incident Response Policy
  • Backup and Recovery Policy
  • *Password Policy
  • Remote Access Policy
  • Disaster Recovery (DR) Policy
  • Portable Media Policy
  • *Bring Your Own Device (BYOD) Policy

Policies created with ChatGPT

I asked ChatGPT to assume the role of a CISO with a healthcare organization that has 3 hospitals and 25 remote clinics.

Put yourself in the role of a chief information security officer for a healthcare organization with 3 hospitals and 25 clinics.

Next, I asked it to create an acceptable use policy with 4 criteria: (1) All user actions are monitored. (2) Internet access is only granted based on the user’s role and job responsibilities, and must be approved by their manager. (3) Email is to be used for business communication and not personal use. (4) Inappropriate use will result in disciplinary actions, up to termination of employment. Notice the grammatical error in the prompt below (“monitoring” should be “monitored”).

Based on this role, create an acceptable use policy that addresses the following: All user actions on workstations are monitoring. Internet access is only granted based on the user's role and job responsibilities, and must be approved by their manager. Email is to be used for business communication and not personal use. Inappropriate use will result in disciplinary actions, up to termination of employment.

The result: Example-Healthcare-Acceptable Use Policy

Next, I asked it to create a password policy.

Based on this role, create a password policy.

The result: Example-Healthcare-Password Policy

Next, I expanded on the password policy and asked it to create one with the following criteria: (1) Have a minimum length of 16 characters. (2) Cannot reuse the last 8 passwords. (3) Cannot use common terms such as seasons or sports teams. (4) Passwords will be vetted against a list of known exposed passwords.

Based on this role, create a password policy that includes the following: Minimum password length is 16 characters. Users cannot reuse the last 8 passwords. Passwords should not be common terms such as seasons or sports teams. Passwords will be checked against databases of known exposed passwords.

The result: Example-Healthcare-Enhanced Password Policy
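A policy is only as good as its enforcement, so here is what those four criteria look like as a concrete check. This is an added example, not code from the presentation, from ChatGPT’s output, or from any vendor: the exposed-password list, the common-term list and the per-user salt are constructed stand-ins, and a real deployment would query a breach-check service and maintain far larger term lists.

```python
"""Enforcement checks for the four password-policy criteria in the prompt above.

Added example; the breach corpus, common-term list and user salt below are
constructed for illustration only.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Set

MIN_LENGTH = 16          # criterion 1: minimum length
HISTORY_DEPTH = 8        # criterion 2: cannot reuse the last 8 passwords

# Criterion 3: "common terms such as seasons or sports teams".
# Constructed, deliberately short list; production lists are much longer.
COMMON_TERMS = ("spring", "summer", "autumn", "winter", "fall",
                "patriots", "redsox", "celtics", "bruins")

# Criterion 4: known exposed passwords. Constructed stand-in for a breach
# corpus, stored as upper-case SHA-1 hex the way breach-check feeds publish them.
_CONSTRUCTED_EXPOSED = ("Password123456789", "Summer2024Winter!",
                        "correcthorsebatterystaple")
EXPOSED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_EXPOSED
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_exposed(password: str, exposed: Set[str] = EXPOSED_SHA1) -> bool:
    """Range-style lookup: select candidates by the first 5 hex characters of the
    digest, then compare the remainder, mirroring how k-anonymity breach APIs
    avoid sending the full hash off-host."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in exposed if h.startswith(prefix)}
    return suffix in candidates


def common_term(password: str) -> Optional[str]:
    """Return the first banned term found (case-insensitive), or None."""
    lowered = password.lower()
    for term in COMMON_TERMS:
        if term in lowered:
            return term
    return None


def history_hash(password: str, user_salt: bytes) -> str:
    """Per-user keyed hash so stored history cannot be reversed or cross-matched."""
    return hmac.new(user_salt, password.encode("utf-8"), hashlib.sha256).hexdigest()


def check_password(password: str, history: List[str], user_salt: bytes,
                   exposed: Set[str] = EXPOSED_SHA1) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if history_hash(password, user_salt) in history[-HISTORY_DEPTH:]:
        violations.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    term = common_term(password)
    if term is not None:
        violations.append(f"contains common term '{term}'")
    if is_exposed(password, exposed):
        violations.append("appears in a known exposed-password list")
    return violations


def record_password(history: List[str], password: str, user_salt: bytes) -> List[str]:
    """Append the new password's keyed hash and keep only the last HISTORY_DEPTH entries."""
    return (history + [history_hash(password, user_salt)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    salt = os.urandom(16)            # per-user secret in a real system
    hist: List[str] = []
    for candidate in ("short1!", "MySummerVacation2024!", "Summer2024Winter!",
                      "Tr0ub4dor&3-xkcd!!"):
        print(candidate, "->", check_password(candidate, hist, salt) or "OK")
    hist = record_password(hist, "Tr0ub4dor&3-xkcd!!", salt)
    print("reuse ->", check_password("Tr0ub4dor&3-xkcd!!", hist, salt))
```

Two design points worth carrying into the real policy text: history is kept as keyed hashes, never as plaintext or reversible values, and the exposed-password check sends only a hash prefix to the lookup, so the check itself does not become a second place where passwords leak.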

Next, I asked it to create a bring your own device (BYOD) policy with several criteria.

Based on this, create bring your own device policy that includes the following: Allowed devices are phones and tablets. Users must keep their devices updated. User's devices must lock after 2 minutes and be passcode or password protected. User understands that if the devices is lost, organization has the right to erase/wipe the device remotely. Personal laptops are not allowed to access organization. If users need a laptop to access resources remotely, their manager will need to submit a request.

The result: Example-Healthcare-Bring Your Own Device Policy

Next, I asked it to create a written information security policy (WISP).

Based on this, create written information security policy.

The result: Example-Healthcare-Written Information Security Policy

Finally, I asked it to expand on that policy and make it specific to the Commonwealth of Massachusetts. Note that ChatGPT initially choked on this and froze in the middle of generating the policy; it took a few runs to get a complete one.

Based on this role, create a written information security policy based on the Commonwealth of Massachusetts regulations.

The result: Example-Healthcare-MA Written Information Security Policy

Policies created with Google Gemini

I asked Google Gemini to assume the role of a CISO with an international financial institution.

Put yourself in the role of a chief information security officer for an international financial institution.

Next, I asked it to create an acceptable use policy with 4 criteria: (1) All user actions are monitored. (2) Internet access is only granted based on the user’s role and job responsibilities, and must be approved by their manager. (3) Email is to be used for business communication and not personal use. (4) Inappropriate use will result in disciplinary actions, up to termination of employment. Same statement I passed to ChatGPT, complete with the grammatical error.

Based on this role, create an acceptable use policy that includes the following information: All user actions on workstations are monitoring. Internet access is only granted based on the user's role and responsibilities, and their manager must approve their access. Email is to be used for business communication and not personal use. Violations of these rules will result in disciplinary action that could include termination.

The result: Example-Financial-Acceptable Use Policy

Next, I asked it to create a data privacy policy covering staff and customers who reside in Portugal. Notice that I did not tell it which language to write the policy in; the resulting policy is in English.

Based on this role, create a data privacy policy for our staff and customers located in Portugal.

The result: Example-Financial-Data Privacy Policy-Portugal-EN

Next, I asked it to create a data privacy policy covering staff and customers who reside in Brazil. Again, I did not tell it which language to write the policy in. This time it created the policy in Portuguese. Interestingly, it created the policy for Brazil in Portuguese and the one for Portugal in English. It also choked toward the end of the policy: compare point 10 in this policy with point 10 in the next example.

Based on this role, create a data privacy policy for our staff and customers located in Brazil.

The result: Example-Financial-Data Privacy Policy-Brasil-PT

Next, I asked it to recreate the data privacy policy for Brazil in English. Notice that at the end of the policy it mentions that “the Portuguese version of the Policy prevails in case of any discrepancies.”

Based on this role, create a data privacy policy for our staff and customers located in Brazil, written in English.

The result: Example-Financial-Data Privacy Policy-Brazil-EN

Next, I asked it to create a data privacy policy covering staff and customers who reside in the state of California.

Based on this role, create a data privacy policy for our staff and customers located in California.

The result: Example-Financial-Data Privacy Policy-California

Finally, I asked it to create a data privacy policy covering staff and customers who reside in Spain. Once again, I did not tell it which language to write the policy in. Both Portugal and Spain are covered by the European Union General Data Protection Regulation (GDPR). Interestingly, it created the policy for Spain in Spanish, whereas the one for Portugal was created in English, not Portuguese.

Based on this role, create a data privacy policy for our staff and customers located in Spain.

The result: Example-Financial-Data Privacy Policy-Espana-ES

A policy created with Microsoft Copilot

I know this question will come up: do I need to tell the AI to assume the role of a CISO for a specific organization before telling it to create a specific policy?

The answer is no. You can create a policy without giving the AI the “who” or an “assume the role” statement. The following prompt was passed to Microsoft Copilot (https://copilot.microsoft.com/) to create an acceptable use policy for a non-profit organization using three specific criteria.

Create an acceptable use policy for a non-profit organization that includes the following information: All user's internet access on the workstations are monitored. Email is to be used for business communication and not personal use. Accessing inappropriate material may result in disciplinary action that could include termination and possibly prosecution if it is determined that it is illegal.

The result: Example-Nonprofit Organization-Acceptable Use Policy