Information Security Magazine


Reworking Risk Policy
by Harris Weisman
Issue: Jun 2006

Policy Resources
Feel like you're constantly rowing upstream? These Resources Can Help.

Setting the Rules
When it comes to writing policies, there are many resources available, including the SANS Institute's Security Policy Project and the ISO 17799 security standard, which provides a policy framework. A number of organizations, mostly colleges and universities, have posted their infosecurity policies on the Internet, which can provide helpful sample materials. (For examples, see "Policy Resources," at right.)

If you don't want to write your policies from scratch, there are a number of vendors that provide canned policies; however, they tend to be generic and must be tailored to be effective. No matter what route you take, make sure the policies fit your organization--those that don't meet an organization's needs are often neglected, exposing the enterprise to risk.

Also, it's critical that policies not be too specific--let the details be addressed in subsequent procedures and guidelines. Policies should not need to be rewritten every time something changes: If you change your antivirus solution, you should not need to change your antivirus policy, although you may need to modify your antivirus procedure.

Keeping policies as nonspecific as possible will also help your organization deal with emerging threats. If a policy is too specific, it will need to be rewritten every time a threat emerges.

A policy should outline how to assess threats; procedures or guidelines can then be created to handle attacks as they develop. If policies are written openly without naming or describing specific attack vectors, such as spyware or phishing, they will help give your IT security the advantage by establishing criteria for recognizing possible problems, such as abnormal network traffic.
