In [None]:
# Let's design a policy model!

In [2]:
# ----------------------------------------------------------
# 1. High-level general security policy
# ----------------------------------------------------------
# Nested mapping with an "administrative" metadata record followed by the
# policy body. Keyword order below is the key order of the resulting dict.
# NOTE(review): the only stated cadence for risk assessments is "annually";
# confirm whether significant changes are also meant to trigger one.
general_security_policy = dict(
    administrative=dict(
        policy_title="Corporate Security Policy",
        version="1.0",
        publication_date="2026-02-22",
        valid_from="2026-03-01",
        review_date="2027-03-01",
        change_history=[
            dict(version="1.0", date="2026-02-22", description="Initial release"),
        ],
        owner="Chief Information Security Officer (CISO)",
        approver="Chief Executive Officer (CEO)",
        classification="Internal",
        intended_audience="All employees, contractors, and third parties",
    ),
    policy_summary="This policy establishes the organization's commitment to protecting information assets and managing security risks in alignment with business objectives.",
    introduction="Security is essential to maintaining trust, operational continuity, and regulatory compliance. This policy defines the overarching security direction of the organization.",
    scope="Applies to all business units, employees, contractors, systems, facilities, and information assets owned or managed by the organization.",
    objectives=[
        "Protect confidentiality, integrity, and availability of information.",
        "Ensure compliance with legal and regulatory requirements.",
        "Reduce information security risks to acceptable levels.",
    ],
    principles=[
        "Security shall be risk-based and aligned with business objectives.",
        "Security responsibilities shall be clearly defined.",
        "Security controls shall follow the principle of least privilege.",
    ],
    responsibilities=dict(
        top_management="Provide strategic direction and approve security policy.",
        CISO="Implement and maintain the security program.",
        employees="Comply with all security policies and report incidents.",
    ),
    key_outcomes=[
        "Reduced security incidents.",
        "Improved regulatory compliance.",
        "Increased stakeholder trust.",
    ],
    # Titles only; the referenced documents are looked up by name elsewhere, if at all.
    related_policies=[
        "Information Security Policy",
        "Risk Management Policy",
        "Incident Response Policy",
    ],
    policy_requirements=[
        "An ISMS shall be established and maintained.",
        "Security risk assessments shall be conducted annually.",
        "Security awareness training shall be provided to all personnel.",
    ],
)



# ----------------------------------------------------------
# 2. High-level topic-specific policy: information security
# ----------------------------------------------------------
# Same layout as the corporate policy: "administrative" metadata, then the body.
# NOTE(review): the only encryption requirement below covers information in
# transit, while the scope also names databases and cloud services -- confirm
# whether protection at rest is deliberately left to another document.
information_security_policy = dict(
    administrative=dict(
        policy_title="Information Security Policy",
        version="1.0",
        publication_date="2026-02-22",
        valid_from="2026-03-01",
        review_date="2027-03-01",
        change_history=[
            dict(version="1.0", date="2026-02-22", description="Initial release"),
        ],
        owner="Information Security Manager",
        approver="CISO",
        classification="Internal",
        intended_audience="All system users and IT personnel",
    ),
    policy_summary="This policy defines how information assets are protected against unauthorized access, disclosure, alteration, and destruction.",
    introduction="Information is a critical business asset. Protecting information ensures operational resilience and regulatory compliance.",
    scope="Applies to all information assets in electronic, physical, or verbal form, including systems, databases, and cloud services.",
    objectives=[
        "Ensure confidentiality, integrity, and availability of information.",
        "Prevent unauthorized access to information assets.",
        "Support business continuity.",
    ],
    principles=[
        "Access shall be granted based on business need.",
        "Information shall be classified according to sensitivity.",
        "Security controls shall be proportional to risk.",
    ],
    responsibilities=dict(
        information_owners="Classify and protect information assets.",
        IT_department="Implement technical security controls.",
        users="Handle information according to classification.",
    ),
    key_outcomes=[
        "Controlled access to sensitive information.",
        "Reduced data breaches.",
        "Improved data governance.",
    ],
    related_policies=[
        "Corporate Security Policy",
        "Access Control Policy",
        "Data Protection Policy",
    ],
    # "periodically" is the only review interval given here; no number is stated.
    policy_requirements=[
        "Information shall be classified into defined categories.",
        "Access controls shall be implemented and reviewed periodically.",
        "Encryption shall be used for sensitive information in transit.",
    ],
)



# ----------------------------------------------------------
# 3. Topic-specific policy: remote access
# ----------------------------------------------------------
# Same layout as the other policies: "administrative" metadata, then the body.
# NOTE(review): the last requirement ties revocation to "termination of
# employment", yet the intended audience includes contractors, and the access
# control policy in this notebook says "immediately upon termination or role
# change" -- confirm the two wordings are meant to differ.
remote_access_policy = dict(
    administrative=dict(
        policy_title="Remote Access Policy",
        version="1.0",
        publication_date="2026-02-22",
        valid_from="2026-03-01",
        review_date="2027-03-01",
        change_history=[
            dict(version="1.0", date="2026-02-22", description="Initial release"),
        ],
        owner="IT Operations Manager",
        approver="CISO",
        classification="Internal",
        intended_audience="Employees and contractors with remote access privileges",
    ),
    policy_summary="This policy defines the requirements for secure remote access to organizational systems and networks.",
    introduction="Remote access introduces additional security risks. This policy establishes controls to mitigate those risks.",
    scope="Applies to all remote connections including VPN, cloud access, remote desktop services, and mobile device access.",
    objectives=[
        "Ensure secure remote connectivity.",
        "Prevent unauthorized access from external networks.",
        "Protect organizational data during remote sessions.",
    ],
    # MFA appears both here (as a principle) and under policy_requirements.
    principles=[
        "Multi-factor authentication shall be required.",
        "Remote access shall be encrypted.",
        "Devices used for remote access shall meet security baseline requirements.",
    ],
    responsibilities=dict(
        IT_security="Configure and monitor remote access systems.",
        users="Ensure their devices comply with security requirements.",
        management="Approve remote access privileges.",
    ),
    key_outcomes=[
        "Secure remote workforce enablement.",
        "Reduced risk of external compromise.",
        "Improved monitoring of remote activity.",
    ],
    related_policies=[
        "Information Security Policy",
        "Access Control Policy",
        "Mobile Device Policy",
    ],
    policy_requirements=[
        "VPN shall be used for remote access.",
        "Multi-factor authentication shall be enforced.",
        "Remote sessions shall be logged and monitored.",
        "Access shall be revoked upon termination of employment.",
    ],
)

# ----------------------------------------------------------
# 4. Topic-specific policy: access control
# ----------------------------------------------------------
# Same layout as the other policies: "administrative" metadata, then the body.
# NOTE(review): the scope names service accounts and third-party access, but no
# entry under policy_requirements addresses them specifically -- confirm that
# is covered by the related standard/procedure listed below.
# NOTE(review): the review interval ("at least annually") is stated for all
# user access rights; confirm no shorter cycle is intended for privileged ones.
access_control_policy = dict(
    administrative=dict(
        policy_title="Access Control Policy",
        version="1.0",
        publication_date="2026-02-22",
        valid_from="2026-03-01",
        review_date="2027-03-01",
        change_history=[
            dict(version="1.0", date="2026-02-22", description="Initial release"),
        ],
        owner="Information Security Manager",
        approver="Chief Information Security Officer (CISO)",
        classification="Internal",
        intended_audience="All employees, contractors, third parties, and system administrators",
    ),
    policy_summary="This policy defines the requirements for granting, reviewing, modifying, and revoking access to organizational information systems and data.",
    introduction="Effective access control ensures that only authorized individuals have access to information and systems necessary for their job functions, reducing the risk of unauthorized disclosure, modification, or destruction of information assets.",
    scope="Applies to all information systems, applications, networks, cloud services, and physical systems owned or managed by the organization. This includes user accounts, privileged accounts, service accounts, and third-party access.",
    objectives=[
        "Ensure access to information is granted based on business need.",
        "Prevent unauthorized access to systems and data.",
        "Enforce the principles of least privilege and segregation of duties.",
        "Ensure timely removal of access upon role change or termination.",
    ],
    principles=[
        "Access shall be granted based on documented authorization.",
        "Users shall be assigned unique identifiers.",
        "Privileged access shall be strictly controlled and monitored.",
        "Access rights shall be reviewed periodically.",
        "Segregation of duties shall be enforced where feasible.",
    ],
    responsibilities=dict(
        top_management="Ensure adequate resources are allocated for access control implementation.",
        information_owners="Approve access rights and review access periodically.",
        IT_department="Implement technical controls and maintain access management systems.",
        HR_department="Notify IT of employee onboarding, role changes, and terminations.",
        users="Use granted access responsibly and protect authentication credentials.",
    ),
    key_outcomes=[
        "Reduced risk of unauthorized access.",
        "Improved accountability and traceability of user actions.",
        "Compliance with legal and regulatory requirements.",
        "Enhanced protection of sensitive information.",
    ],
    # Mixes policies with a procedure and a standard; entries are titles only.
    related_policies=[
        "Information Security Policy",
        "User Account Management Procedure",
        "Password Policy",
        "Privileged Access Management Standard",
        "Remote Access Policy",
    ],
    policy_requirements=[
        "All users shall be uniquely identifiable.",
        "Access shall be approved by the relevant information owner prior to provisioning.",
        "Multi-factor authentication shall be implemented for privileged and remote access.",
        "User access rights shall be reviewed at least annually.",
        "Access shall be revoked immediately upon termination or role change.",
        "Privileged accounts shall not be used for routine business activities.",
        "Authentication credentials shall not be shared.",
    ],
)

In [34]:
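# Imported in this cell because, in the cells visible here, the only other
# `import pickle` sits in a later cell; without it a top-to-bottom run on a
# fresh kernel stops here with NameError.
import pickle

# Write the policy dict to disk in pickle format.
# NOTE(review): the file is named after the remote access policy (spelled
# "acces"), but the object written is access_control_policy -- confirm which
# policy this v1.0 artefact is meant to hold before the file name is relied on.
# NOTE(review): the policy is plain dict/list/str data; a pickle file must only
# ever be loaded from a trusted location, so consider a data-only format if
# these artefacts are going to be exchanged.
with open('./remote_acces_policy_v1.0', 'wb') as fred:
    pickle.dump(access_control_policy, fred)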

In [35]:
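# Imported in this cell because, in the cells visible here, the only other
# `import pickle` sits in a later cell; without it a top-to-bottom run on a
# fresh kernel stops here with NameError.
import pickle

# Write the policy dict to disk in pickle format under a "v1.x" file name.
# NOTE(review): the object written is access_control_policy, whose own
# "version" field is "1.0", while the file name refers to the remote access
# policy (spelled "acces") and to "v1.x" -- confirm the intended policy and
# version, since nothing inside the file distinguishes it from a v1.0 dump.
with open('./remote_acces_policy_v1.x', 'wb') as fred:
    pickle.dump(access_control_policy, fred)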

In [29]:
import pickle
# Echo the access control policy as the cell output; its "version" field is "1.0".
access_control_policy

{'administrative': {'policy_title': 'Access Control Policy',
  'version': '1.0',
  'publication_date': '2026-02-22',
  'valid_from': '2026-03-01',
  'review_date': '2027-03-01',
  'change_history': [{'version': '1.0',
    'date': '2026-02-22',
    'description': 'Initial release'}],
  'owner': 'Information Security Manager',
  'approver': 'Chief Information Security Officer (CISO)',
  'classification': 'Internal',
  'intended_audience': 'All employees, contractors, third parties, and system administrators'},
 'policy_summary': 'This policy defines the requirements for granting, reviewing, modifying, and revoking access to organizational information systems and data.',
 'introduction': 'Effective access control ensures that only authorized individuals have access to information and systems necessary for their job functions, reducing the risk of unauthorized disclosure, modification, or destruction of information assets.',
 'scope': 'Applies to all information systems, applications, netw

In [25]:
# Serialize the remote access policy and store the bytes on disk.
# NOTE(review): the file name says "v1.2" while the dict's own "version" field
# is "1.0" and its change_history has a single 1.0 entry -- confirm which
# version label is authoritative.
with open('./remote_acces_policy_v1.2', 'wb') as fred:
    fred.write(pickle.dumps(remote_access_policy))

In [26]:
# Read the stored policy back into `data`.
# NOTE(review): unpickling runs whatever the byte stream instructs, so this is
# only safe while the file is the one this notebook wrote and nobody else can
# replace it. The policy is plain dict/list/str data; if these files are ever
# shared, a data-only format removes that exposure.
with open('./remote_acces_policy_v1.2', 'rb') as fred:
    data = pickle.loads(fred.read())

In [6]:
# Show the top-level section names of the access control policy as a dict_keys view.
access_control_policy.keys()

dict_keys(['administrative', 'policy_summary', 'introduction', 'scope', 'objectives', 'principles', 'responsibilities', 'key_outcomes', 'related_policies', 'policy_requirements'])

In [7]:
# Same section names as a plain list, in the dict's insertion order.
list(access_control_policy.keys())

['administrative',
 'policy_summary',
 'introduction',
 'scope',
 'objectives',
 'principles',
 'responsibilities',
 'key_outcomes',
 'related_policies',
 'policy_requirements']