Well, the policy statements that are out there, SANS and elsewhere, are guides only. You should really think through a few things before writing a policy.
1) What are your biggest risks to the business?
2) How can you address those risks?
3) What is the balance with business operations you need?
4) How are you going to measure policy compliance?
5) Do procedures need to change to ensure compliance?
... and so on.

Once you have some of these items down, you can come up with a security plan (i.e. a broad plan of how to address the issues). Taken together, these can help you format your policy. Hopefully you'll get total buy-in from the company owner/management.

I don't think it's wise to write a policy in a vacuum or write a policy that includes stuff you can't do (because the business won't support it) or can't enforce and measure.

Dan

On Wed, Apr 14, 2010 at 12:12 PM, Craig Freyman <[email protected]> wrote:
> I have to write a security policy for our company. We are a mall shop, and
> the "policy" that is in place is a mess. Are there any specific templates
> the group recommends?
>
> I see that SANS has a number of very specific policies but was wondering if
> there was an overall template that people find effective.
>
> Thanks,
> Craig
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Dan McGinn-Combs, Security+, GSEC, CISSP, CISA
[email protected]
Google Voice: +1 404 492 7532
Peachtree City, Georgia USA
