RE: help w/ security policies!

From: Treu, Jill (Jill.Treu@compuware.com)
Date: 03/25/02


From: "Treu, Jill" <Jill.Treu@compuware.com>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Date: Mon, 25 Mar 2002 12:48:58 -0500

There are some model security policies on the SANS site.
Go to:

http://rr.sans.org/policy/policy_list.php

There are model security policies on the site.

Two books I have used:

Writing Information Security Policies by Scott Barman

Information Security Policies, Procedures, and Standards: Guidelines for
Effective Information Security Management by Tom Peltier

Good Luck

-----Original Message-----
From: Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037
Ph-43983/45283
To: Nil Fiat
Cc: security-basics@securityfocus.com
Sent: 3/23/02 5:26 AM
Subject: Re: help w/ security policies!

Hi

I too searched in vain for a sample information security policy.
But I can give you some tips based on my experience.

This is my view of what an information security policy will look like.

An organization's information security policy is a loosely coupled set
of several policies. Ideally each policy does not exceed 1 or 2 pages and
mostly contains bullet points. It will include:

1. Password policy

2. E-mail policy

3. Firewall and Intrusion detection policy

4. Anti-virus policy

5. Software selection, procurement and use policy

6. Encryption policy

7. Internet usage policy

8. Asset management policy

9. Acceptable system use policy

10. Incident response policy

11. Back up and business continuity policy

12. Security audit policy

13. Facilities management policy

14. System development and implementation policy

15. Outsourcing policy

In addition, this bundle should ideally contain an introduction by the
author(s), a definition of terms (information security, etc.), an index and a
foreword signed by the company CEO or Managing Director which serves as
top management approval and support.

Because of the commonality of the subject dealt with, there will be
extensive cross-references to other related policies. There will also be
references to the company HR guidelines, legal and regulatory
requirements.

I have come across policies where authors inadvertently include procedural
and technical details. These are not "clean" policies.

What I have given is a skeletal structure. For filling it with flesh you
need to contact the relevant people (say, for the Firewall policy, the person
who administers the firewall, and so on) and back it up with your
information security experience.

And yes, my hands are itching to create one such policy, but currently my
job is to review and audit the policy being written by line function
people. At best I do informal consulting.

Hope this helps.

regards
Kani

On Fri, 22 Mar 2002, Nil Fiat wrote:
--- snipped ---
> So hey, yesterday I got handed one of the coolest projects of my
> life: I get to write a security policy! Have I done this
> before? Hell no...but I'm sure I can, especially if you lovely
> peeps and gurus out there will point me to some resources.
>
> Peace & Packets,
> Sara T



