{"id":5704,"date":"2026-01-17T11:26:00","date_gmt":"2026-01-17T03:26:00","guid":{"rendered":"https:\/\/teen.aiproinstitute.com\/?p=5704"},"modified":"2026-01-17T11:26:16","modified_gmt":"2026-01-17T03:26:16","slug":"it-security-protocol","status":"publish","type":"post","link":"https:\/\/teen.aiproinstitute.com\/zh\/it-security-protocol\/","title":{"rendered":"IT Security Protocol"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"5704\" class=\"elementor elementor-5704\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f080db9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f080db9\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ab2bd94\" data-id=\"ab2bd94\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fdf500f elementor-widget elementor-widget-html\" data-id=\"fdf500f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t\t<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\" \/>\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" \/>\n  <title>IT Security Protocol<\/title>\n  <style>\n    :root{\n      --purple-1:#6f42c1;\n      --purple-2:#8b5cf6;\n      --purple-3:#a855f7;\n      --text:#111827;\n      --muted:#6b7280;\n      --bg:#ffffff;\n      --card:#ffffff;\n      --shadow:0 14px 35px rgba(17,24,39,.10);\n      --border:#e5e7eb;\n      --prompt-bg:#f3f4f6;\n      --tip-bg:#fff3cd;\n      --tip-border:#ffe69c;\n      --placeholder:#fd7e14;\n      
--blue:#2563eb;\n      --blue-border:#93c5fd;\n      --radius:16px;\n      --radius-sm:12px;\n    }\n\n    *{box-sizing:border-box;}\n    body{\n      margin:0;\n      font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial, \"Apple Color Emoji\",\"Segoe UI Emoji\";\n      color:var(--text);\n      background:var(--bg);\n      line-height:1.55;\n    }\n\n    .page{\n      max-width: 1100px;\n      margin: 0 auto;\n      padding: 28px 18px 44px;\n    }\n\n    .page-title{\n      font-size: 44px;\n      font-weight: 900;\n      letter-spacing: -0.02em;\n      margin: 8px 0 18px;\n      line-height:1.05;\n      background: linear-gradient(90deg, var(--purple-1), var(--purple-2), var(--purple-3));\n      -webkit-background-clip: text;\n      background-clip:text;\n      color: transparent;\n    }\n\n    .subtitle{\n      margin: 0 0 18px;\n      color: var(--muted);\n      font-size: 15px;\n    }\n\n    .card{\n      background: var(--card);\n      border-radius: var(--radius);\n      box-shadow: var(--shadow);\n      overflow:hidden;\n      border:1px solid rgba(229,231,235,.85);\n    }\n\n    .card-header{\n      padding: 20px 22px;\n      background: linear-gradient(90deg, rgba(111,66,193,1), rgba(139,92,246,1), rgba(168,85,247,1));\n      color:#fff;\n      position:relative;\n    }\n\n    .header-top{\n      display:flex;\n      align-items:flex-start;\n      justify-content:space-between;\n      gap:12px;\n      flex-wrap:wrap;\n    }\n\n    .card-title{\n      font-size: 24px;\n      font-weight: 800;\n      margin:0;\n      letter-spacing:-0.01em;\n    }\n\n    .meta{\n      display:flex;\n      gap:10px;\n      flex-wrap:wrap;\n      align-items:center;\n      margin-top: 12px;\n    }\n\n    .badge{\n      display:inline-flex;\n      align-items:center;\n      gap:8px;\n      padding: 8px 10px;\n      border-radius: 999px;\n      background: rgba(255,255,255,.22);\n      border: 1px solid rgba(255,255,255,.30);\n      
color:#fff;\n      font-size: 13px;\n      font-weight: 700;\n      backdrop-filter: blur(6px);\n      -webkit-backdrop-filter: blur(6px);\n      white-space:nowrap;\n    }\n\n    .tools{\n      display:flex;\n      gap:10px;\n      flex-wrap:wrap;\n      align-items:center;\n    }\n\n    .tool-badge{\n      display:inline-flex;\n      align-items:center;\n      padding: 7px 10px;\n      border-radius: 999px;\n      font-size: 12px;\n      font-weight: 800;\n      color:#fff;\n      border: 1px solid rgba(255,255,255,.55);\n      background: rgba(255,255,255,.14);\n      letter-spacing: .01em;\n    }\n\n    .card-body{\n      padding: 2.5rem;\n    }\n\n    .section{\n      margin-top: 26px;\n    }\n\n    .section:first-child{margin-top:0;}\n\n    .section-title-row{\n      display:flex;\n      align-items:center;\n      justify-content:space-between;\n      gap:14px;\n      flex-wrap:wrap;\n      margin-bottom: 12px;\n    }\n\n    .section-title{\n      margin:0;\n      font-size: 18px;\n      font-weight: 900;\n      color: var(--purple-1);\n      padding-left: 12px;\n      border-left: 4px solid rgba(111,66,193,.95);\n      line-height:1.2;\n    }\n\n    .copy-button{\n      appearance:none;\n      border:1px solid rgba(111,66,193,.25);\n      background: rgba(111,66,193,.08);\n      color: var(--purple-1);\n      padding: 10px 12px;\n      font-weight: 900;\n      border-radius: 12px;\n      cursor:pointer;\n      transition: transform .06s ease, background .2s ease;\n      display:inline-flex;\n      align-items:center;\n      gap:8px;\n      white-space:nowrap;\n    }\n\n    .copy-button:active{ transform: translateY(1px); }\n    .copy-button:hover{ background: rgba(111,66,193,.12); }\n\n    .prompt-box{\n      background: var(--prompt-bg);\n      border: 1px solid var(--border);\n      border-radius: var(--radius-sm);\n      padding: 18px;\n      overflow:auto;\n      font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, \"Liberation Mono\", 
\"Courier New\", monospace;\n      font-size: 13.5px;\n      line-height: 1.55;\n      white-space: pre-wrap;\n    }\n\n    .placeholder{ color: var(--placeholder); font-weight: 800; }\n\n    .tip{\n      margin-top: 14px;\n      background: var(--tip-bg);\n      border: 1px solid var(--tip-border);\n      border-radius: var(--radius-sm);\n      padding: 14px 14px;\n      color: #7a5b00;\n      font-weight: 700;\n    }\n\n    .logic-grid h3,\n    .hitl-grid h3{\n      margin: 18px 0 8px;\n      font-size: 15px;\n      color:#111827;\n      letter-spacing:-0.01em;\n    }\n\n    .logic-grid p,\n    .hitl-grid p{\n      margin: 0 0 10px;\n      color:#1f2937;\n    }\n\n    .preview{\n      border: 2px solid var(--blue-border);\n      background: rgba(37,99,235,.04);\n      border-radius: var(--radius-sm);\n      padding: 16px;\n    }\n\n    .preview .kpi{\n      display:grid;\n      grid-template-columns: repeat(3, minmax(0, 1fr));\n      gap:12px;\n      margin-top: 12px;\n    }\n\n    .kpi-card{\n      background:#fff;\n      border:1px solid rgba(147,197,253,.7);\n      border-radius: 14px;\n      padding: 12px;\n    }\n\n    .kpi-card .label{ color: var(--muted); font-size: 12px; font-weight: 800; }\n    .kpi-card .value{ font-size: 18px; font-weight: 900; margin-top: 6px; }\n\n    .chain{\n      display:grid;\n      gap:14px;\n    }\n\n    .chain-step{\n      border: 1px solid var(--border);\n      border-radius: var(--radius-sm);\n      padding: 14px;\n      background:#fff;\n    }\n\n    .step-head{\n      display:flex;\n      align-items:baseline;\n      justify-content:space-between;\n      gap:10px;\n      flex-wrap:wrap;\n      margin-bottom: 8px;\n    }\n\n    .step-num{\n      font-weight: 900;\n      color: var(--purple-1);\n      letter-spacing: .02em;\n    }\n\n    .step-title{\n      font-weight: 900;\n    }\n\n    .mini-label{ color: var(--muted); font-weight: 900; font-size: 12px; margin: 10px 0 6px; }\n\n    .mini-prompt{\n      background: 
var(--prompt-bg);\n      border: 1px solid var(--border);\n      border-radius: 12px;\n      padding: 12px;\n      font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, \"Liberation Mono\", \"Courier New\", monospace;\n      font-size: 12.8px;\n      line-height: 1.55;\n      white-space: pre-wrap;\n    }\n\n    .footer{\n      margin-top: 26px;\n      padding-top: 18px;\n      border-top: 1px dashed rgba(107,114,128,.35);\n      color: var(--muted);\n      display:flex;\n      justify-content:space-between;\n      gap:12px;\n      flex-wrap:wrap;\n      font-size: 13px;\n      font-weight: 700;\n    }\n\n    @media (max-width: 860px){\n      .page-title{font-size: 36px;}\n      .preview .kpi{ grid-template-columns: 1fr; }\n      .card-body{ padding: 1.6rem; }\n    }\n  <\/style>\n<\/head>\n<body>\n  <div class=\"page\">\n    <div class=\"page-title\">IT Security Protocol<\/div>\n    <p class=\"subtitle\">A mixed-environment, jurisdiction-flexible security protocol builder for modern organizations (endpoint + corporate IT + cloud\/SaaS), designed to produce an implementable policy set, technical controls checklist, and operating cadence.<\/p>\n\n    <div class=\"card\">\n      <div class=\"card-header\">\n        <div class=\"header-top\">\n          <h1 class=\"card-title\">IT Security Protocol<\/h1>\n          <div class=\"tools\" aria-label=\"Tool compatibility\">\n            <span class=\"tool-badge\">ChatGPT<\/span>\n            <span class=\"tool-badge\">Claude<\/span>\n            <span class=\"tool-badge\">Gemini<\/span>\n            <span class=\"tool-badge\">Perplexity<\/span>\n            <span class=\"tool-badge\">Grok<\/span>\n          <\/div>\n        <\/div>\n        <div class=\"meta\" aria-label=\"Meta badges\">\n          <span class=\"badge\">\u2696\ufe0f Legal, Risk &amp; Compliance<\/span>\n          <span class=\"badge\">\u23f1\ufe0f 25\u201335 min<\/span>\n          <span class=\"badge\">\ud83e\udde0 Advanced<\/span>\n        
<\/div>\n      <\/div>\n\n      <div class=\"card-body\">\n\n        <!-- 1) THE PROMPT -->\n        <section class=\"section\" id=\"the-prompt\">\n          <div class=\"section-title-row\">\n            <h2 class=\"section-title\">The Prompt<\/h2>\n            <button class=\"copy-button\" onclick=\"copyPrompt()\" type=\"button\">Copy Prompt<\/button>\n          <\/div>\n\n          <div id=\"promptContent\" class=\"prompt-box\" role=\"textbox\" aria-label=\"Prompt content\">\nYou are a senior Information Security Leader (CISO-level) and IT Operations Architect. Your job is to produce an actionable IT Security Protocol that is suitable for a real organization, not a generic list. It must be usable by IT Ops, Security, Legal, HR, Finance, and Customer Success.\n\nCONTEXT\n- Organization name: <span class=\"placeholder\">[ORG_NAME]<\/span>\n- Country \/ primary jurisdiction: <span class=\"placeholder\">[COUNTRY]<\/span>\n- Industry: <span class=\"placeholder\">[INDUSTRY]<\/span>\n- Organization size: <span class=\"placeholder\">[EMPLOYEE_COUNT]<\/span> employees; <span class=\"placeholder\">[CONTRACTOR_COUNT]<\/span> contractors\n- Business model: <span class=\"placeholder\">[B2B_B2C_MIX]<\/span>\n- Data handled (choose all that apply): <span class=\"placeholder\">[DATA_TYPES_HANDLED]<\/span> (e.g., customer PII, employee PII, payment data, health data, proprietary source code, financial statements)\n- Systems footprint (mixed environment):\n  - Endpoint OS mix: <span class=\"placeholder\">[ENDPOINT_OS_MIX]<\/span>\n  - Identity provider \/ SSO: <span class=\"placeholder\">[IDP_SSO]<\/span>\n  - Email + collaboration: <span class=\"placeholder\">[EMAIL_COLLAB_SUITE]<\/span>\n  - Cloud provider(s): <span class=\"placeholder\">[CLOUD_PROVIDERS]<\/span>\n  - Core SaaS tools: <span class=\"placeholder\">[CORE_SAAS_LIST]<\/span>\n  - Device management (MDM\/EMM): <span class=\"placeholder\">[MDM_TOOL]<\/span>\n  - EDR\/XDR: <span 
class=\"placeholder\">[EDR_XDR_TOOL]<\/span>\n  - Ticketing\/ITSM: <span class=\"placeholder\">[ITSM_TOOL]<\/span>\n  - Source control\/CI: <span class=\"placeholder\">[DEV_TOOLCHAIN]<\/span>\n- Current maturity level: <span class=\"placeholder\">[SECURITY_MATURITY_LEVEL]<\/span> (e.g., ad-hoc, developing, defined, managed)\n- Constraints:\n  - Budget range: <span class=\"placeholder\">[SECURITY_BUDGET_RANGE]<\/span>\n  - Team capacity: <span class=\"placeholder\">[SECURITY_TEAM_SIZE]<\/span> security, <span class=\"placeholder\">[IT_TEAM_SIZE]<\/span> IT\n  - Union\/work councils: <span class=\"placeholder\">[UNION_WORK_COUNCIL_STATUS]<\/span>\n  - Remote work: <span class=\"placeholder\">[REMOTE_WORK_PERCENT]<\/span>\n\nOBJECTIVE\nCreate a comprehensive IT Security Protocol package that includes (1) policy language, (2) operational procedures, (3) minimum technical standards, (4) monitoring and metrics, and (5) an implementation plan. It must be aligned to <span class=\"placeholder\">[COUNTRY]<\/span> expectations without naming specific statutes unless you are certain; instead use \u201capplicable law and regulation in <span class=\"placeholder\">[COUNTRY]<\/span>\u201d.\n\nOUTPUT REQUIREMENTS (STRICT)\n1) Start with a 1-page executive overview:\n   - Security goals (3\u20135)\n   - Scope (in-scope and out-of-scope systems)\n   - Roles (CISO\/Head of Security, IT Ops, Engineering, HR, Legal, Finance, Customer Success)\n   - \u201cNon-negotiables\u201d (10 bullet points)\n   - A risk summary table: Top 10 risks, likelihood, impact, owner, mitigation\n\n2) Provide a Protocol Architecture (the \u201csecurity system\u201d):\n   - A layered control model (Identity, Endpoint, Network, Cloud, Application, Data, People, Vendor)\n   - For each layer: objective, control families, and how to measure success\n\n3) Produce the core IT Security Policies (usable text):\n   A. 
Access Control & Identity\n      - MFA\/2FA standard (including phishing-resistant guidance)\n      - Password policy (if used) and SSO expectations\n      - Joiner-Mover-Leaver process with SLAs\n      - Privileged access management (PAM) requirements\n      - Service accounts policy\n      - Quarterly access reviews (who, how, evidence)\n\n   B. Endpoint & Device Security\n      - Corporate-owned vs BYOD rules\n      - MDM baseline (encryption, screen lock, patching, local admin restrictions)\n      - EDR requirements and alerting tiers\n      - Secure configuration baseline for Windows\/macOS\/Linux\n      - Removable media policy\n\n   C. Network & Perimeter Security\n      - VPN \/ ZTNA policy\n      - Wi-Fi standards (corp vs guest)\n      - Segmentation principles\n      - Firewall rules governance and change control\n      - Remote access and third-party access\n\n   D. Cloud & SaaS Security\n      - Cloud account structure (prod\/non-prod separation)\n      - Logging standards (what logs, retention, access)\n      - Config management \/ IaC expectations\n      - SaaS security posture (SSO, SCIM, least privilege)\n      - Backups and ransomware resilience\n\n   E. Data Security & Privacy-by-Design\n      - Data classification scheme (at least 4 levels)\n      - Encryption standards (at rest\/in transit)\n      - Key management principles\n      - Data retention + deletion schedule with evidence\n      - DLP approach (pragmatic, not theoretical)\n      - Secure data sharing rules\n\n   F. Vulnerability & Patch Management\n      - Asset inventory requirements\n      - Scanning cadence by asset class\n      - SLAs for remediation by severity\n      - Exception process (risk acceptance with expiry)\n      - Dependency and third-party library handling\n\n   G. 
Secure SDLC (if software exists)\n      - Branch protections, reviews, secrets management\n      - SAST\/DAST and dependency scanning\n      - Release approvals and rollback\n      - Security testing gates aligned to risk\n\n   H. Incident Response & Breach Handling\n      - Incident severity model (SEV0\u2013SEV3)\n      - Containment playbooks (ransomware, credential compromise, data exfiltration)\n      - Communications workflow (internal + customer)\n      - Evidence handling and forensics basics\n      - Post-incident review template and corrective actions\n\n   I. Vendor \/ Third-Party Security\n      - Vendor tiering model\n      - Due diligence checklist and evidence requirements\n      - Contractual minimums (security addendum highlights)\n      - Continuous monitoring approach\n\n   J. Security Awareness & People Controls\n      - Training cadence + role-based modules\n      - Phishing simulations (ethical guidance)\n      - Acceptable use policy highlights\n      - Disciplinary approach that is fair and documented\n\n4) Provide a \u201cMinimum Technical Standard\u201d checklist (auditable):\n   - 60\u2013120 controls with pass\/fail criteria\n   - Each control includes: owner, evidence type, tool source, frequency\n\n5) Provide an Implementation Roadmap:\n   - 30\/60\/90-day plan plus 6-month horizon\n   - Dependencies, resourcing assumptions, and milestones\n   - A \u201cquick wins\u201d list (10 items)\n\n6) Provide Metrics & Reporting:\n   - A security KPI dashboard (12\u201318 KPIs) with definitions\n   - Monthly reporting template\n   - Executive risk reporting template (quarterly)\n\n7) Include templates:\n   - Access request form fields\n   - Risk acceptance form\n   - Incident report form\n   - Vendor security questionnaire (short-form)\n   - Security exception register schema\n\nSTYLE AND QUALITY BAR\n- Write with professional, policy-grade language.\n- Make it realistic: include sample SLAs, realistic retention windows, and example evidence 
artifacts.\n- Make it internally consistent: if you define a severity model, reuse it everywhere.\n- Provide \u201cwhy\u201d callouts (short) after each major section that explain the intent.\n- Use tables where appropriate.\n- Do not claim legal compliance; state \u201cdesigned to support compliance with applicable law and regulation in <span class=\"placeholder\">[COUNTRY]<\/span>\u201d.\n\nFINAL CHECK BEFORE YOU OUTPUT\n- Did you include the executive overview, architecture, policies A\u2013J, technical standard checklist, roadmap, metrics, and templates?\n- Did you avoid statute-name guessing?\n- Are there any contradictions? Fix them.\n- Is the output sufficiently detailed to implement without more guessing?\n          <\/div>\n\n          <div class=\"tip\"><strong>Tip:<\/strong> After generating the protocol, ask the model to produce an \u201caudit-ready evidence pack\u201d that lists where each control\u2019s evidence will be stored and who attests monthly\u2014this turns policy into operations.<\/div>\n        <\/section>\n\n        <!-- 2) THE LOGIC -->\n        <section class=\"section\" id=\"the-logic\">\n          <div class=\"section-title-row\">\n            <h2 class=\"section-title\">The Logic<\/h2>\n          <\/div>\n\n          <div class=\"logic-grid\">\n            <h3>1) Control layering prevents \u201csingle-point security theater\u201d<\/h3>\n            <p>Most security failures aren\u2019t caused by one missing control\u2014they happen when a single control (like MFA) is assumed to be a universal shield. Layering forces you to treat identity, endpoints, network, cloud, apps, data, people, and vendors as distinct attack surfaces with different failure modes. For example, MFA may reduce credential-stuffing risk, but it won\u2019t stop a compromised endpoint from exfiltrating data via an authenticated session. 
By requiring a Protocol Architecture that explicitly maps objectives, control families, and measurement per layer, you build a system that degrades gracefully under attack. The layered approach also helps budgeting: you can justify spend by layer (e.g., EDR improves endpoint detection time, centralized logging improves investigation speed) and avoid \u201cnice-to-have\u201d tools that do not measurably reduce risk. Finally, layering improves accountability because each layer has an owner and evidence type, making gaps visible rather than debated.<\/p>\n\n            <h3>2) Operational SLAs turn security into a repeatable service<\/h3>\n            <p>Security protocols fail when they read like aspirational principles instead of service operations. Explicit SLAs (e.g., joiner account creation within 1 business day; SEV1 response within 30 minutes; critical patches within 7 days) convert intent into an enforceable workflow that teams can staff and measure. This prompt forces you to specify SLAs by domain (access, patching, incidents, vendor due diligence) and to tie them to evidence artifacts. For example, a quarterly access review becomes auditable only when you define who performs it, what report is exported, where it is stored, and what exceptions process is used. SLAs also help resolve conflict: when Engineering or Customer Success pushes back, you can discuss tradeoffs (risk, cost, customer impact) against a defined baseline rather than personal preference. Over time, these SLAs become leading indicators for risk (e.g., patch backlog trend predicts breach probability).<\/p>\n\n            <h3>3) \u201cMinimum Technical Standards\u201d enable auditability and delegation<\/h3>\n            <p>High-level policy is necessary, but it\u2019s not sufficient for implementation. A Minimum Technical Standard (MTS) checklist bridges the gap between security leadership and implementers by translating policy into pass\/fail controls that can be verified. 
This prompt requires 60\u2013120 controls with owners, evidence types, tool sources, and frequencies\u2014enough granularity for IT Ops to execute and for Security to verify without micromanaging. For instance, instead of saying \u201cencrypt laptops,\u201d the MTS can specify \u201cFull disk encryption enabled; escrow key stored in MDM; weekly compliance report exported to <span class=\"placeholder\">[EVIDENCE_REPO]<\/span>.\u201d That detail allows you to delegate execution while maintaining governance. It also reduces drift: when staff change, the checklist remains. Finally, MTS controls are the backbone of continuous compliance; you can schedule attestations, automate checks, and produce audit packets without assembling information from scratch each time.<\/p>\n\n            <h3>4) Risk acceptance with expiry prevents permanent exceptions<\/h3>\n            <p>Every organization accumulates exceptions\u2014legacy systems, business constraints, or vendor limitations. The danger is \u201ctemporary\u201d exceptions that become permanent and invisible. This prompt bakes in a risk acceptance process with expiry, which forces periodic reconsideration and ensures leadership consciously owns risk. For example, if a critical vendor cannot support SSO, the exception must document compensating controls (limited accounts, strong MFA, monitoring) and a sunset date tied to vendor roadmap or replacement. The expiry concept keeps security aligned with business reality while preventing complacency. It also improves communications with Legal and Procurement: exceptions become contractual negotiation points (e.g., \u201cSSO requirement by renewal date\u201d) rather than IT complaints. 
A disciplined exception register also improves incident response: when an incident occurs, you already know where the weakest links are and who approved the residual risk.<\/p>\n\n            <h3>5) Incident playbooks reduce time-to-containment under stress<\/h3>\n            <p>When incidents happen, decision quality drops and coordination becomes the bottleneck. Predefined severity models (SEV0\u2013SEV3), containment playbooks, and communications workflows reduce ambiguity and ensure fast, consistent response. This prompt insists on reusable playbooks for ransomware, credential compromise, and data exfiltration\u2014three of the highest-frequency, highest-impact scenarios. It also forces you to specify evidence handling and post-incident review templates, which are essential for learning and for defensibility if regulators, customers, or litigants ask what happened. A strong incident framework also protects Customer Success: you can give them approved customer communications timelines and escalation triggers so they aren\u2019t improvising under pressure. Over time, post-incident corrective actions feed back into the MTS checklist and roadmap, creating a loop where each incident measurably strengthens the system.<\/p>\n\n            <h3>6) Vendor tiering aligns due diligence effort with real exposure<\/h3>\n            <p>Third-party risk management becomes unmanageable if every vendor receives the same scrutiny. Vendor tiering enables proportional diligence: high-risk processors and infrastructure providers receive deeper assessment (security addendum, evidence of controls, incident notification commitments), while low-risk tools (e.g., scheduling apps) receive a lightweight review. This prompt requires a tiering model plus a short-form questionnaire and contractual minimums, which helps Procurement and Legal standardize negotiation. 
For example, Tier 1 vendors might require annual independent assurance evidence, encryption commitments, breach notification timelines, and audit rights; Tier 3 vendors might only need basic privacy terms and account security. The tiering approach also supports continuous monitoring: you decide what to re-check quarterly vs annually and what triggers re-review (scope change, breach news, data expansion). This reduces \u201ccheckbox compliance\u201d and focuses limited security capacity on the vendors most likely to create systemic risk.<\/p>\n          <\/div>\n        <\/section>\n\n        <!-- 3) EXAMPLE OUTPUT PREVIEW -->\n        <section class=\"section\" id=\"example-preview\">\n          <div class=\"section-title-row\">\n            <h2 class=\"section-title\">Example Output Preview<\/h2>\n          <\/div>\n\n          <div class=\"preview\">\n            <div style=\"font-weight:900; color:#0f172a;\">Preview: Executive Dashboard Snapshot (Realistic Metrics)<\/div>\n            <div style=\"margin-top:8px; color:#334155;\">Org: <strong>Northbridge Analytics<\/strong> (320 employees, 65 contractors) \u2022 Jurisdiction: <strong><span class=\"placeholder\">[COUNTRY]<\/span><\/strong> \u2022 Mixed endpoint + cloud\/SaaS footprint<\/div>\n\n            <div class=\"kpi\">\n              <div class=\"kpi-card\">\n                <div class=\"label\">MFA Coverage (Workforce Accounts)<\/div>\n                <div class=\"value\">98.6%<\/div>\n                <div style=\"color:var(--muted); font-size:12px; font-weight:800; margin-top:6px;\">Target: \u2265 99% \u2022 Gap owners: 2 legacy service accounts<\/div>\n              <\/div>\n              <div class=\"kpi-card\">\n                <div class=\"label\">Critical Patch SLA Compliance (7 days)<\/div>\n                <div class=\"value\">91%<\/div>\n                <div style=\"color:var(--muted); font-size:12px; font-weight:800; margin-top:6px;\">Backlog: 14 endpoints \u2022 Aging: 9\u201316 days<\/div>\n   
           <\/div>\n              <div class=\"kpi-card\">\n                <div class=\"label\">Mean Time to Containment (SEV1)<\/div>\n                <div class=\"value\">2h 12m<\/div>\n                <div style=\"color:var(--muted); font-size:12px; font-weight:800; margin-top:6px;\">Goal: &lt; 3h \u2022 Last quarter: 3 SEV1 incidents<\/div>\n              <\/div>\n            <\/div>\n\n            <div style=\"margin-top:14px; border-top:1px dashed rgba(148,163,184,.6); padding-top:12px; color:#334155;\">\n              <strong>Top Risk (Sample):<\/strong> Over-privileged SaaS admin roles in CRM \u2192 Mitigation: enforce least-privilege role templates + quarterly access review evidence pack; due date: 30 days.\n            <\/div>\n          <\/div>\n        <\/section>\n\n        <!-- 4) PROMPT CHAIN STRATEGY -->\n        <section class=\"section\" id=\"prompt-chain-strategy\">\n          <div class=\"section-title-row\">\n            <h2 class=\"section-title\">Prompt Chain Strategy<\/h2>\n          <\/div>\n\n          <div class=\"chain\">\n            <div class=\"chain-step\">\n              <div class=\"step-head\">\n                <div><span class=\"step-num\">Step 1<\/span> \u2014 <span class=\"step-title\">Protocol Draft (Policy + Operating Model)<\/span><\/div>\n              <\/div>\n              <div class=\"mini-label\">Prompt<\/div>\n              <div class=\"mini-prompt\">Use the full prompt above. Output the complete protocol package with executive overview, layered architecture, policies A\u2013J, roadmap, metrics, and templates. 
Keep it aligned to <span class=\"placeholder\">[COUNTRY]<\/span> without statute guessing.<\/div>\n              <div class=\"mini-label\">Expected Output<\/div>\n              <div style=\"color:var(--muted); font-weight:800;\">A complete, internally consistent security protocol that can be adopted as policy and used by IT\/Security for execution.<\/div>\n            <\/div>\n\n            <div class=\"chain-step\">\n              <div class=\"step-head\">\n                <div><span class=\"step-num\">Step 2<\/span> \u2014 <span class=\"step-title\">Auditable Control Catalog + Evidence Pack<\/span><\/div>\n              <\/div>\n              <div class=\"mini-label\">Prompt<\/div>\n              <div class=\"mini-prompt\">From the protocol you just produced, generate an \u201cAudit-Ready Evidence Pack\u201d with:\n- A control ID list (e.g., ID-01, EP-07, CLD-12)\n- Evidence artifact name, where stored (<span class=\"placeholder\">[EVIDENCE_REPO]<\/span>), owner, frequency\n- Example screenshots\/reports to export from <span class=\"placeholder\">[MDM_TOOL]<\/span>, <span class=\"placeholder\">[IDP_SSO]<\/span>, <span class=\"placeholder\">[EDR_XDR_TOOL]<\/span>\n- A monthly attestation workflow and escalation if evidence is missing<\/div>\n              <div class=\"mini-label\">Expected Output<\/div>\n              <div style=\"color:var(--muted); font-weight:800;\">A control-to-evidence map that makes audits and internal reviews fast, repeatable, and defensible.<\/div>\n            <\/div>\n\n            <div class=\"chain-step\">\n              <div class=\"step-head\">\n                <div><span class=\"step-num\">Step 3<\/span> \u2014 <span class=\"step-title\">Implementation Sprint Plan + Change Management<\/span><\/div>\n              <\/div>\n              <div class=\"mini-label\">Prompt<\/div>\n              <div class=\"mini-prompt\">Create a sprint-by-sprint rollout plan for the next 12 weeks:\n- Sprint goals, tasks, owners, acceptance criteria\n- 
Dependencies and tool configuration steps\n- Communications plan (IT, Engineering, HR, execs)\n- Training plan and policy acknowledgement workflow\n- Success metrics per sprint\nAssume team capacity: <span class=\"placeholder\">[SECURITY_TEAM_SIZE]<\/span> security and <span class=\"placeholder\">[IT_TEAM_SIZE]<\/span> IT.<\/div>\n              <div class=\"mini-label\">Expected Output<\/div>\n              <div style=\"color:var(--muted); font-weight:800;\">A practical execution plan that reduces roll-out friction, aligns stakeholders, and produces measurable outcomes.<\/div>\n            <\/div>\n          <\/div>\n        <\/section>\n\n        <!-- 5) HUMAN-IN-THE-LOOP REFINEMENTS -->\n        <section class=\"section\" id=\"human-in-the-loop\">\n          <div class=\"section-title-row\">\n            <h2 class=\"section-title\">Human-in-the-Loop Refinements<\/h2>\n          <\/div>\n\n          <div class=\"hitl-grid\">\n            <h3>1) Calibrate severity and SLAs to business impact, not fear<\/h3>\n            <p>Have leaders from Security, IT, Engineering, and Customer Success validate the severity model (SEV0\u2013SEV3) against real business outcomes. A SEV0 should represent existential risk (e.g., confirmed ransomware with widespread encryption), while SEV1 might represent material customer impact or credible data exfiltration. Then align response\/resolution SLAs to what is realistically staffed (on-call rotations, follow-the-sun coverage, vendor support). If SLAs are impossible, teams will quietly ignore them, creating a false sense of compliance. Use a tabletop exercise with a recent incident pattern (credential compromise) and ask: could we meet the SLA with current tooling and staffing? 
Adjust and document tradeoffs so the protocol remains credible and adoptable.<\/p>\n\n            <h3>2) Validate the Minimum Technical Standards against actual tooling<\/h3>\n            <p>The fastest way to break trust in a security protocol is to publish \u201crequirements\u201d your tools can\u2019t measure. Run a short feasibility review where IT confirms each control can be checked using your real systems (<span class=\"placeholder\">[MDM_TOOL]<\/span>, <span class=\"placeholder\">[EDR_XDR_TOOL]<\/span>, <span class=\"placeholder\">[IDP_SSO]<\/span>, <span class=\"placeholder\">[ITSM_TOOL]<\/span>). If not, add a compensating manual evidence step or revise the control. Example: if you cannot reliably verify disk encryption status for BYOD endpoints, you may need to restrict BYOD, require VDI, or require an MDM enrollment gate. This step ensures your control catalog is not merely \u201cbest practice,\u201d but operationally enforceable in your environment.<\/p>\n\n            <h3>3) Run a privacy and employment review before monitoring changes<\/h3>\n            <p>Monitoring and logging are essential, but in many jurisdictions monitoring employee activity has legal, cultural, and works-council implications. Before implementing expanded logging, run a review with Legal\/HR to confirm lawful basis, notice requirements, retention limits, and whether consultation is required in <span class=\"placeholder\">[COUNTRY]<\/span>. Make sure the protocol distinguishes security telemetry (authentication logs, endpoint alerts) from productivity surveillance. Use plain-language employee communications that explain what is collected, why, and how long it is retained. This increases adoption and reduces the risk of protocol rollbacks after complaints or regulatory scrutiny.<\/p>\n\n            <h3>4) Pressure-test incident communications with Customer Success<\/h3>\n            <p>Incident response isn\u2019t only technical; it\u2019s a customer trust event. 
Have Customer Success and Communications review the incident comms workflow and pre-approved templates so they can execute under stress. Define who can speak externally, what requires Legal approval, and how updates are timed (e.g., initial acknowledgement within 24 hours, then daily updates for SEV0\/SEV1). This cadence governs customer-facing communication only; statutory and contractual breach-notification deadlines in <span class=\"placeholder\">[COUNTRY]<\/span> run on their own clocks and must be tracked separately by Legal. Include clear guidance for \u201cwhat we can say\u201d vs \u201cwhat we must verify.\u201d This prevents contradictory messages and reduces churn. A good practice is to simulate a SEV1 outage plus suspected data exposure and rehearse the update cadence and escalation triggers.<\/p>\n\n            <h3>5) Make vendor security requirements negotiation-ready<\/h3>\n            <p>Vendor requirements fail when they read like a wishlist rather than contract language. Have Procurement and Legal convert Tier 1\/Tier 2 requirements into a security addendum checklist with fallback positions. For example: if a vendor won\u2019t grant audit rights, require independent assurance evidence (e.g., a current SOC 2 Type II report or an ISO 27001 certificate with its statement of applicability) or detailed security whitepapers plus breach notification commitments. If a vendor cannot support SSO at onboarding, require an implementation milestone by renewal with documented compensating controls. This makes the protocol useful during real negotiations and prevents \u201cpolicy says X, contract says Y\u201d gaps.<\/p>\n\n            <h3>6) Pilot the roadmap with one department before org-wide rollout<\/h3>\n            <p>Rolling out device controls, MFA hardening, or least-privilege changes across an entire company can create friction and outages. Choose a pilot group (e.g., IT + Finance) and implement the 30\/60\/90-day plan in a controlled way. Track friction metrics (tickets created, lockouts, time-to-onboard) and update documentation and training based on real issues. For example, deploying conditional access rules may require narrowly scoped exclusions for specific service accounts (never blanket exemptions) and dedicated break-glass accounts whose credentials are stored offline, whose every sign-in is alerted on, and which are reviewed after each use. A pilot also creates internal champions who can advocate for the program. 
Only after the protocol is stable and metrics are acceptable should you expand to the rest of the organization.<\/p>\n          <\/div>\n        <\/section>\n\n        <div class=\"footer\">\n          <div>Estimated time: <strong>25\u201335 minutes<\/strong> \u2022 Skill level: <strong>Advanced<\/strong><\/div>\n          <div>Outputs: Policy set \u2022 Control checklist \u2022 Roadmap \u2022 KPI dashboard \u2022 Templates<\/div>\n        <\/div>\n\n      <\/div>\n    <\/div>\n  <\/div>\n\n  <script>\n    function copyPrompt(){\n      const el = document.getElementById('promptContent');\n      const text = el.innerText;\n      if (navigator.clipboard && navigator.clipboard.writeText){\n        navigator.clipboard.writeText(text).then(() => {\n          const btn = document.querySelector('.copy-button');\n          const old = btn.textContent;\n          btn.textContent = 'Copied!';\n          setTimeout(()=>btn.textContent = old, 1200);\n        });\n      } else {\n        const range = document.createRange();\n        range.selectNode(el);\n        const sel = window.getSelection();\n        sel.removeAllRanges();\n        sel.addRange(range);\n        try {\n          document.execCommand('copy');\n        } catch(e) {}\n        sel.removeAllRanges();\n      }\n    }\n  <\/script>\n<\/body>\n<\/html>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>IT Security Protocol IT Security Protocol A mixed-environment, jurisdiction-flexible security protocol builder for modern organizations (endpoint + corporate IT + cloud\/SaaS), designed to produce an implementable policy set, technical controls checklist, and operating cadence. 
IT Security Protocol ChatGPT Claude Gemini Perplexity Grok \u2696\ufe0f Legal, Risk &amp; Compliance \u23f1\ufe0f 25\u201335 min \ud83e\udde0 Advanced The Prompt Copy&hellip;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[160],"tags":[],"class_list":["post-5704","post","type-post","status-publish","format-standard","hentry","category-legal-risk-compliance"],"acf":[],"_links":{"self":[{"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/posts\/5704","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/comments?post=5704"}],"version-history":[{"count":4,"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/posts\/5704\/revisions"}],"predecessor-version":[{"id":5708,"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/posts\/5704\/revisions\/5708"}],"wp:attachment":[{"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/media?parent=5704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/categories?post=5704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teen.aiproinstitute.com\/zh\/wp-json\/wp\/v2\/tags?post=5704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}