Cyber Policy Wizard Beta

Answer a few questions about your organization and generate tailored, NIST-aligned information security policies entirely in your browser with no data stored

Org Info

Personnel

IT Systems

Regulations

Settings

Policies

Generate

Organization Information

Organization / Entity Name *

Used wherever policies reference [Entity] or [entity].

City

State / Region

Organization Type

Policy Effective Date

Policy Number Prefix

Version

Key Personnel & Roles

These names and titles will be inserted into policy ownership, authority, and responsibility sections.

Executive / Security Leadership

Chief Information Security Officer (CISO)

CISO Title

Chief Information Officer (CIO)

CIO Title

Information Security Officer (ISO)

ISO Title

Data Protection Officer (DPO) (GDPR)

Privacy Officer

IT Operations

IT Director / Manager

IT Director Title

System Owner Role Title

SOC / Security Team Name

Support Contacts

Legal / Counsel

Human Resources

Public Relations / Communications

Internal Audit / Compliance

Compliance Officer

Risk Manager

External IR Resources

Not applicable

Vendor and external contact details referenced in the Incident Response Policy. Leave blank if not applicable to your organization.

Cyber Insurance Carrier

Cyber Insurance Policy #

DFIR / IR Retainer Firm

DFIR Hotline / Contact

Managed Service Provider (MSP)

MSP Emergency Contact

Backup / DR Vendor

Backup Vendor Contact

External Breach Counsel

External Counsel Contact

Primary Law Enforcement Contact

IT Environment & System Scope

Select the system types present in your organization. Click a tile to select it, then check the specific technologies that apply to you. You don't need every item listed — they're just examples of what falls under each category. Hover the ? on any tile for guidance on whether it applies to you.

Cloud Services

Amazon Web Services (AWS)

Microsoft Azure

Google Cloud Platform (GCP)

Other / SaaS Providers

On-Premises Data Center

Physical Servers

Virtualized Infrastructure

Co-location Facility

Endpoints / Workstations

Windows

macOS

Linux

Mobile Devices

iOS (iPhone/iPad)

Android

MDM-enrolled (managed)

BYOD (personal devices)

Network Infrastructure

Cisco

Palo Alto

Fortinet

Other / Mixed

Email / Collaboration

Microsoft 365

Google Workspace

On-premises mail server

Database Systems

Microsoft SQL Server

MySQL / MariaDB

Oracle

PostgreSQL

Web Applications

Internal / Intranet

External / Internet-facing

APIs / Web Services

Remote Access / VPN

VPN (SSL/IPSec)

Zero Trust Network Access

Remote Desktop (RDP/Citrix)

OT / ICS / IoT

SCADA / ICS Systems

IoT Devices

Building Management Systems

Sensitive Data Types Handled

PII

PHI

Cardholder Data (PCI)

Federal / CUI

Student Records (FERPA)

Customer Financial Data

Intellectual Property

Applicable Regulatory Frameworks

Select all regulatory requirements and frameworks applicable to your organization. Compliance-specific language, required controls, and notification obligations will be added as addenda to the appropriate policies.

Healthcare

HIPAA / HITECH

Health Insurance Portability and Accountability Act — required for any org handling PHI. Adds Security Rule, Privacy Rule, and Breach Notification requirements.

Financial

PCI-DSS v4.0

Payment Card Industry Data Security Standard — required for any org storing, processing, or transmitting cardholder data.

SOX — Sarbanes-Oxley

Required for US public companies. Adds IT General Controls (ITGCs), audit trail requirements, and financial system access controls.

GLBA — Gramm-Leach-Bliley

Required for financial institutions. Adds Safeguards Rule requirements for customer financial information protection.

Federal / Defense

FISMA

Federal Information Security Modernization Act — required for federal agencies and contractors handling federal information.

FedRAMP

Federal Risk and Authorization Management Program — required for cloud service providers serving federal agencies.

CMMC / NIST SP 800-171

Cybersecurity Maturity Model Certification — required for DoD contractors handling Controlled Unclassified Information (CUI).

Privacy

GDPR

EU General Data Protection Regulation — applies to any org processing EU residents' personal data. Adds 72-hour breach notification, DPO, and data subject rights requirements.

CCPA / CPRA

California Consumer Privacy Act — applies to orgs meeting threshold criteria handling California residents' personal information.

FERPA

Family Educational Rights and Privacy Act — required for educational institutions handling student education records.

Frameworks & Certifications

SOC 2 (Type I / II)

AICPA Service Organization Controls — voluntary certification demonstrating security, availability, processing integrity, confidentiality, and privacy controls.

NIST Cybersecurity Framework (CSF)

NIST CSF 2.0 — widely adopted voluntary framework aligned to Identify, Protect, Detect, Respond, and Recover functions.

ISO/IEC 27001

International standard for Information Security Management Systems (ISMS). Adds Annex A control alignment and certification audit requirements.

State & Other

NYDFS Cybersecurity (23 NYCRR 500)

New York Department of Financial Services — applies to NY-licensed financial entities. Specific CISO, penetration testing, and MFA requirements.

NERC CIP

NERC Critical Infrastructure Protection — required for electric utilities. Adds bulk electric system cybersecurity requirements.

Policy Configuration

Set organization-specific parameters that will be embedded into policy language throughout all generated documents.

Training & Testing Frequencies

Security Awareness Training Frequency

Role-Based Security Training Frequency

Incident Response Testing Frequency

Vulnerability Scanning Frequency

Policy Review Cycle

Risk Assessment Frequency

Penetration Testing Frequency

Phishing Simulation Frequency

Account & Access Controls

Account Inactivity Lockout (days)

Identifier Reuse Prevention (days)

Primary MFA Method

Access Review / Recertification Frequency

Session Inactivity Timeout (minutes)

Failed Login Lockout Threshold

Incident Response Parameters

Incident Reporting Timeframe

IR Training — Initial Completion Window

Primary IR Test/Exercise Type

Critical Vulnerability Remediation SLA

Data Classification Labels

Public

Internal / For Official Use Only

Confidential

Restricted / Sensitive

Incident Classification & Response Authority

Not applicable

Define reportable incident types, severity thresholds that trigger IRP activation, and who holds communication authority during major incidents.

Event types that constitute a reportable security incident:

Ransomware / malicious encryption of systems or data

Confirmed data breach or unauthorized exfiltration

Unauthorized access to systems, networks, or data

Malware infection (non-ransomware) on organizational systems

DDoS / denial of service causing material service disruption

Successful phishing resulting in credential compromise

Insider threat — malicious or grossly negligent data misuse

Physical security breach affecting IT infrastructure

Third-party / supply chain compromise affecting org data or systems

Lost or stolen device containing unencrypted organizational data

Privileged account compromise or credential theft

Successful web application attack (SQLi, RCE, account takeover)

IRP Full Activation Threshold

Executive / Board Notification Threshold

Response Communication Authority:

Threat Actor Contact Approval Authority

Authorized Public / Media Spokesperson

Law Enforcement Engagement Approver

Regulatory Notification Authority

Data Retention

Set minimum retention periods by record category for the Data Retention Policy. Regulatory minimums (based on Step 4 selections) are noted in the labels.

Default Retention — General / Unclassified Records

Financial & Accounting Records (SOX: 7 yr min)

Employee / HR Records (7 yr post-separation typical)

Health / Medical Records — PHI (HIPAA: 6 yr min)

Customer & Client Records

Payment Card / Transaction Records (PCI: 1 yr CHD)

Student / Education Records (FERPA: 5 yr after departure)

Security & Audit Logs (PCI: 1 yr; FISMA/FedRAMP: 3 yr)

Email & Electronic Communications

Legal Documents & Contracts

Tax Records (IRS: 7 yr guidance)

Intellectual Property & Source Code

Legal Hold Officer

Data Disposal Standard

Select Policies to Generate

Choose the policies you need. All are based on NIST SP 800-53 control families. Hover the ? next to each policy name for a description of what it covers, who needs it, and which regulations require it.

Acceptable Use Policy

Governs appropriate use of IT resources and user responsibilities.

Access Control Policy

NIST AC — account management, access enforcement, privileged access.

Computer Security Threat Response Policy

CCERT/DCERT structure, threat reporting, and escalation procedures.

Cyber Incident Response Standard

End-to-end IR process, stakeholder roles, severity levels, and metrics.

Identification & Authentication Policy

NIST IA — MFA, identifier management, authenticator requirements.

Incident Response Policy

NIST IR — training, testing, handling, monitoring, and reporting.

Information Security Policy

Umbrella policy — program governance, risk management, responsibilities.

Information Security Risk Management Standard

Risk framing, assessment, response, and monitoring framework.

Risk Assessment Policy

NIST RA — security categorization, risk assessment, vulnerability scanning.

Security Assessment & Authorization Policy

NIST CA — security assessments, system interconnections, continuous monitoring.

Security Awareness & Training Policy

NIST AT — awareness training, role-based training, phishing simulation.

System & Services Acquisition Policy

NIST SA — acquisition requirements, SDLC security, supply chain.

Data Retention Policy

Retention schedules by data category, regulatory minimums, legal hold, and secure disposal.

Generate Your Policies

Each policy downloads as an HTML file. Open it in your browser and use File → Print → Save as PDF to create a professional PDF. Nothing leaves your browser.

or download individually above