TechRepublic has a CD which you can purchase called 'IT Professional's
Guide to Policies and Procedures' (www.techrepublic.com).
John
From: "Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283" <[EMAIL PROTECTED]steel.com>
To: Nil Fiat <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: help w/ security policies!
Date: 23/03/2002 08:26 PM
Hi,
I too searched in vain for a sample information security policy.
But I can give you some tips based on my experience.
This is my view of how an information security policy will look.
An organization's information security policy is a loosely coupled set of
several policies. Ideally each policy does not exceed 1 or 2 pages and
mostly contains bullet points. It will include:
1. Password policy
2. E-mail policy
3. Firewall and Intrusion detection policy
4. Anti-virus policy
5. Software selection, procurement and use policy
6. Encryption policy
7. Internet usage policy
8. Asset management policy
9. Acceptable system use policy
10. Incident response policy
11. Back up and business continuity policy
12. Security audit policy
13. Facilities management policy
14. System development and implementation policy
15. Outsourcing policy
In addition, this bundle should ideally contain an introduction by the
author(s), a definition of terms (information security, etc.), an index and a
foreword signed by the company CEO or Managing Director, which serves as
top management approval and support.
Because of the commonality of the subject dealt with, there will be
extensive cross-references to other related policies. There will also be
references to the company HR guidelines, legal and regulatory
requirements.
I have come across policies where authors inadvertently include procedural
and technical details. These are not "clean" policies.
What I have given is a skeletal structure. For filling it with flesh, you
need to contact the relevant people (say, for the firewall policy, the person
who administers the firewall, and so on) and back it up with your
information security experience.
And yes, my hands are itching to create one such policy, but currently my
job is to review and audit the policy being written by line function
people. At best I do informal consulting.
Hope this helps.
regards
Kani
On Fri, 22 Mar 2002, Nil Fiat wrote:
--- snipped ---
> So hey, yesterday I got handed one of the coolest projects of my
> life: I get to write a security policy! Have I done this
> before? Hell no...but I'm sure I can, especially if you lovely
> peeps and gurus out there will point me to some resources.
>
> Peace & Packets,
> Sara T