>While security policies need to be unique per organization, there are some
>common elements that can be recycled.
>
>Just to give an example, how about the handling of passwords?  Really, do
>you need to re-create the piece of the policy that says passwords need to be
>protected, must be of a certain length, and mixed characters?  It really
>doesn't matter if the policy is for Van Kamps fish sticks factory, or for
>the DEA:  both need to ensure that they have some baseline protection for
>passwords.

Password structure is too detailed for the security policy, although 
it's necessary in the security design. The policy should state 
something on the order that people must protect their passwords, 
whether they can or cannot change their own, etc.

And things do vary even here. The DEA, for electronic controlled 
substance prescribing, also requires digital signatures and 
biometrics for some functions.

>
>The below book may help; the high price tag buys you a one-organization
>copyright.  Having a ready-made template can save some time, and enable you
>to focus on the more unique aspects of the organization's requirements
>without spending all your time re-inventing the wheel.
>
>To that end, John, the following may be useful to you. Check it on Amazon.
>
>Information Security Policies Made Easy Version 8
>by Charles Cresson Wood
>
>HTH,
>
>Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52143&t=52061