Re: Security policy





The Computer Security Resource Center (CSRC) of the National Institute of
Standards and Technology (NIST) has lots of good templates. Poke around
here: http://csrc.nist.gov/

Depending on your company size and industry, generally speaking you have
an overall "Security Policy" which is fairly high level. User policies
address the specifics: email use policy (your email may be read and is
retained for 90 days, etc.), acceptable use (computers are property of ABC
company, may be used for limited personal access)...and so on.

Find out what is common in your industry. There will be many differences
between medical, financial, educational and manufacturing needs.

The Security Policy may include one or more of the following: chain of
command, who the security officer is, escalation procedures, how often
these policies will be reviewed, how often employees will be reminded
about them (at employment start and once a year thereafter), disciplinary
actions, etc.

-r


On Tue, 24 Oct 2006, Francois Yang wrote:

Can anyone please point me in the right direction?
I need to write some security policies, but I'm not sure where to begin.
I know there are a lot of examples and templates out there, but what do
I include in the policy?
I see separate policies for e-mail, password, remote access,
acceptable use, etc...but I was also told that it is better to try to
make all of those fit into one so that we don't have to keep track of
10 different policies. The question is, which ones do I include in one
big security policy and which ones do I make separate?

Thank you.


