Contents of security user and manager manuals
I just read your answer to a question about security awareness. One of the comments was to "develop a security user and security manager manual designed for your organization." What exactly does this mean? What would be the content of the security user and security manager manuals?
A Manager's Security Guide is a high-level informational and instructional guide to how logical security (or physical security, if administered under the same organization) is administered in your organization, directed specifically toward supervisory positions. The guide should reinforce the organization's policies, procedures and technical controls, as well as serve as part of an overall security awareness program developed at your organization.
Managers must understand that security awareness (including these guides) is an integral part of your corporation's defense against computer fraud and abuse. The guide can be as limited or as expansive as your organization. Some key topics would be how to use the guide, glossary of terms, key contact names and numbers, mission statement, importance of Security Administration in an organization, computer crime, computer use and abuse, user-IDs and passwords, information classification, what security is and isn't, users' and company's rights, roles and responsibilities, concept of data owners and guardians, and personnel-specific issues such as hiring, transferring individuals (and the modification in physical/logical privileges), involuntary and voluntary termination, privacy/monitoring of usage, etc.
The User's Security Guide is functionally the same as the manager's guide; however, the personnel information would be specific to terminations and transfers, as their logical/physical privileges would be affected.
Consider putting the manuals online, where they will always be accessible and only one change is needed should a modification be necessary.
This was first published in May 2002