Before you buy, see if you can't find what you're looking for on the SANS site or via the links at the bottom of the page. http://www.sans.org/newlook/resources/policies/policies.htm

Vicky

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283" <[EMAIL PROTECTED]>
Cc: "Nil Fiat" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, March 25, 2002 5:17 PM
Subject: Re: help w/ security policies!

> TechRepublic has a CD which you can purchase called 'IT Professional's
> Guide to Policies and Procedures' (www.techrepublic.com).
>
> John
>
> "Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283" <[EMAIL PROTECTED] steel.com>
> 23/03/2002 08:26 PM
> To: Nil Fiat <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED]
> Subject: Re: help w/ security policies!
> Please respond to "Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283"
>
> Hi
>
> I too searched in vain for a sample information security policy.
> But I can give you some tips based on my experience.
>
> This is my view of how an information security policy will look.
>
> An organization's information security policy is a loosely coupled set of
> several policies. Ideally each policy does not exceed 1 or 2 pages and
> mostly contains bullet points. It will include:
>
> 1. Password policy
> 2. E-mail policy
> 3. Firewall and Intrusion detection policy
> 4. Anti-virus policy
> 5. Software selection, procurement and use policy
> 6. Encryption policy
> 7. Internet usage policy
> 8. Asset management policy
> 9. Acceptable system use policy
> 10. Incident response policy
> 11. Back up and business continuity policy
> 12. Security audit policy
> 13. Facilities management policy
> 14. System development and implementation policy
> 15. Outsourcing policy
>
> In addition this bundle should ideally contain an introduction by the
> author(s), definitions of terms (information security, etc.), an index and a
> foreword signed by the company CEO or Managing Director which serves as
> top management approval and support.
>
> Because of the commonality of the subject dealt with, there will be
> extensive cross-references to other related policies. There will also be
> references to the company HR guidelines, legal and regulatory
> requirements.
>
> I have come across policies where authors inadvertently include procedural
> and technical details. These are not "clean" policies.
>
> What I have given is a skeletal structure. To fill it with flesh you
> need to contact the relevant people (say, for the Firewall policy, the person
> who administers the Firewall, and so on) and back it up with your
> information security experience.
>
> And yes, my hands are itching to create one such policy, but currently my
> job is to review and audit the policy being written by line function
> people. At best I do informal consulting.
>
> Hope this helps.
>
> regards
> Kani
>
> On Fri, 22 Mar 2002, Nil Fiat wrote:
> --- snipped ---
> > So hey, yesterday I got handed one of the coolest projects of my
> > life: I get to write a security policy! Have I done this
> > before? Hell no...but I'm sure I can, especially if you lovely
> > peeps and gurus out there will point me to some resources.
> >
> > Peace & Packets,
> > Sara T