I agree that one need not buy a book of semi-useless words. SANS will help
with the basics.
After the basics, you must ask yourself,
"What are the rules and practices that my organization uses to
manage, protect, and distribute sensitive information?"
"What are the rules that govern access to information and other
assets?"
The security rules (Security policies) of the organization are right in
front of your nose.
Example: Ask the CFO, "Can I take a look at the books?" The answer will
probably be, "No".
Then ask, "Well, who can see them? Who can write to them? Who can amend
them?"
The answers are the security policy associated with the Financial Records.
Make sense?
John
John G. Cronican, Jr. (CISSP)
Director, Corporate Security
Peregrine Systems, Inc.
3611 Valley Centre Drive
San Diego, CA 92130
(858) 794-7550 (voice)
(858) 481-1751 (fax)
[EMAIL PROTECTED]
www.peregrine.com
-----Original Message-----
From: Vicky Ames [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 12:33 PM
To: [EMAIL PROTECTED]; Kanikkannanl PN-149709 Dept-corp Audit
Div Desg-Asst.Manager 1/421037 Ph-43983/45283
Cc: Nil Fiat; [EMAIL PROTECTED]
Subject: Re: help w/ security policies!
Before you buy see if you can't find what you're looking for on the SANS
site or via the links at the bottom of the page.
http://www.sans.org/newlook/resources/policies/policies.htm
Vicky
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037
Ph-43983/45283" <[EMAIL PROTECTED]>
Cc: "Nil Fiat" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, March 25, 2002 5:17 PM
Subject: Re: help w/ security policies!
>
> TechRepublic has a CD which you can purchase called 'IT Professional's
> Guide to Policies and Procedures' (www.techrepublic.com).
>
> John
>
> From: "Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283" <[EMAIL PROTECTED]steel.com>
> To: Nil Fiat <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED]
> Subject: Re: help w/ security policies!
> Date: 23/03/2002 08:26 PM
> Please respond to "Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283"
>
> Hi
>
> I too searched in vain for a sample information security policy.
> But I can give you some tips based on my experience.
>
> This is my view of what an information security policy will look like.
>
> An organization's information security policy is a loosely coupled set of
> several policies. Ideally each policy does not exceed 1 or 2 pages and
> mostly contains bullet points. It will include:
>
> 1. Password policy
>
> 2. E-mail policy
>
> 3. Firewall and Intrusion detection policy
>
> 4. Anti-virus policy
>
> 5. Software selection, procurement and use policy
>
> 6. Encryption policy
>
> 7. Internet usage policy
>
> 8. Asset management policy
>
> 9. Acceptable system use policy
>
> 10. Incident response policy
>
> 11. Backup and business continuity policy
>
> 12. Security audit policy
>
> 13. Facilities management policy
>
> 14. System development and implementation policy
>
> 15. Outsourcing policy
>
> In addition, this bundle should ideally contain an introduction by the
> author(s), a definition of terms (information security etc.), an index and a
> foreword signed by the company CEO or Managing Director, which serves as
> top management approval and support.
>
> Because of the commonality of the subject dealt with, there will be
> extensive cross-references to other related policies. There will also be
> references to the company HR guidelines, legal and regulatory
> requirements.
>
> I have come across policies where authors inadvertently include procedural
> and technical details. These are not "clean" policies.
>
> What I have given is a skeletal structure. To flesh it out you
> need to contact the relevant people (say, for the Firewall policy, the person
> who administers the Firewall, and so on) and back it up with your
> information security experience.
>
> And yes, my hands are itching to create one such policy, but currently my
> job is to review and audit the policy being written by line function
> people. At best I do informal consulting.
>
> Hope this helps.
>
> regards
> Kani
>
>
> On Fri, 22 Mar 2002, Nil Fiat wrote:
> --- snipped ---
> > So hey, yesterday I got handed one of the coolest projects of my
> > life: I get to write a security policy! Have I done this
> > before? Hell no...but I'm sure I can, especially if you lovely
> > peeps and gurus out there will point me to some resources.
> >
> > Peace & Packets,
> > Sara T
>