I have two questions:
- What is a good resource for security policies? We are a small company, and are starting from scratch, so we are looking for a freeware-type solution, End to End Security Policy for Dummies!
- What is a good source for security audit checklists which are linked to aspects of compliance? HIPAA, SOX, GLB etc.
- Security Policy by Example (Jan 17, 2003)
- Reader responses and recommendations on security policy by example (Jun 2, 2003)
These should help get you started down the road toward formulating security policy: though most of the resources mentioned cost something, most of them don't cost very much, either.
For question number 2, I'd look around at complianceonline.com and SANS (the latter is well-known for providing security checklists of all kinds, including for audit purposes). You might also want to troll around at ISACA where you can probably find such things as well. Then, too, there's always the brute force technique of using, for example, "HIPAA security audit checklist" as a search string in your favorite search engine (I found one direct hit at searchdomino.com using a literal string search, and thousands of hits using less demanding criteria).
This was first published in October 2006