Building Policies from Scratch: GRC Project

Background

When I first started out creating a policy and procedure framework, I didn't want the final product to be just a generic document. The final goal was to understand how governance, risk, and compliance (GRC) connects to real-world security operations. To do that, I started with a fictional company, Rivendell Supply Co., that has 200 employees and an IT footprint that feels like a typical mid-sized business.

The foundation I chose to follow and learn the most about was the NIST Cybersecurity Framework (CSF). Using this framework, along with prior knowledge from CompTIA Security+ and coursework from my university classes, I was able to construct a concise document covering general policies for this fictional company.

Concluding Thoughts

Overall, and most importantly, this project taught me the importance of balancing clarity, practicality, and framework alignment. I came to see that policies are not fixed documents but living ones that adapt to business needs, risks, and compliance demands. More than anything, I learned how GRC provides the guardrails that let technical teams work safely and consistently.

In the end, this project was a success, and I learned more about the practical implementation of GRC and policies.