General security policy vs. security awareness

From: Gideon T. Rasmussen, CISSP, CISA, CISM, CFSO, SCSA (lists_at_infostruct.net)
Date: 03/01/05

    Date: Mon, 28 Feb 2005 20:05:37 -0500
    To: security-basics@securityfocus.com
    
    

    This is my response to a post asking how many pages a general security policy should be. It also expressed concerns about getting the salient points across. I thought it might be of interest to you...

    I would not limit a general security policy to any number of pages per se. One way to keep it relatively compact is to write with the average employee as the intended audience (e.g. the sales team does not need to know about the system development life cycle). Departmental policies should detail how the general policy applies in that functional area. The general policy should include security best practices and be written with applicable regulations in mind (e.g. SOX, HIPAA, etc.). This may push the content up to 30-40 pages. Check SANS for policy resources (http://www.sans.org/resources/policies).

    As for your concerns about employees picking up the salient points...

    1. Ask the CEO to introduce the policy by e-mail with a letter stating that security is everyone's responsibility, appointing an information security steering committee, and giving a brief overview of the framework in use (e.g. ISO 17799, COBIT, etc.). Repeat annually.

    2. Create a PowerPoint presentation based on the policy. Hold security orientation briefings for all employees and contractors. Record attendance with a sign-in *** and require everyone to sign off on the policy within 1 week. That should be enough time to answer outstanding questions and consider possible exceptions. Repeat the briefings annually and brief new employees as they are hired.

    3. Create an internal security web site. Post the policy, presentation, incident report template, security awareness tips, etc.

    4. Start a formal security awareness program:

    http://www.ussecurityawareness.org/highres/security-awareness.html

    In essence, the policy is just that, a policy. Getting the point across speaks to a change in culture. For that an awareness program is required.

    Just my $.02.

    Kind regards,

    Gideon

    Gideon T. Rasmussen
    CISSP, CISA, CISM, CFSO, SCSA
    Boca Raton, FL
    gideon@infostruct.net
