Security policy by example


Ed Tittel
Rating: 4.48 (out of 5)

Although "monkey see, monkey do" may sound like an overly primitive way to formulate, build and maintain information security policy documents, most IT and security professionals report that they learn best not only by understanding the theories, concepts, practices and procedures that go into a security policy, but also by having access to clear, well-written examples of the kinds of policy documents they wish (or need) to create. To that end, I'd like to point out a number of free and for-a-fee resources that offer plenty of examples, in the hope that professionals who need them will find these resources both useful and informative:

  • Mandy Andress's excellent book Surviving Security (Sams, 2002, ISBN 0-672-32129-7) devotes several chapters to this topic and includes templates for, and complete examples of, security policy documents. List price: $39.99.
  • RUSecure offers a collection of security policies, with supporting documentation, ready to be customized to a specific organization's needs. At $595 they're pricier than some other options here, but may save enough time to be worth the cost. Visit www.information-security-policies.com for more information. RUSecure also offers an interactive editing and automated delivery toolset for security policies.
  • TekCentral offers an MS Word-based security policy template for $29.99 that's ready to be filled out, though it lacks serious supporting information and fully fleshed-out examples. Peruse this offering at www.tekcentral.com/teknetwork/Policies_and_Procedures/Security_Policy/.
  • The Joint Information Systems Committee (JISC) in the UK helped formulate BS 7799, which led in turn to ISO 17799. Its documents on developing an information security policy are still quite worthwhile and include examples (and pointers to other examples). Available at no charge at www.jisc.ac.uk/pub01/security_policy.html.

  • The Computer Security Resource Center (CSRC) at the National Institute of Standards and Technology (NIST) has a terrific set of security policies, complete with numerous case studies and example policy documents. Knock yourself out at www.itsc.state.md.us/info/InternetSecurity/BestPractices/SecPolicy.htm.
  • Insight Consulting in the UK offers a highly regarded course entitled "Establishing an effective security policy" that covers the whole process, from planning and design through implementation to maintenance and upkeep. The two-day class costs about $1,600 but includes plenty of take-away documentation and sample documents. For more information, visit www.insight.co.uk/training/tc_securitypolicy.htm.
  • SANS runs a great Security Policy Project that includes copious explanatory information, training materials and a large collection of sample security policy documents. It is free and available to the public at www.sans.org/resources/policies/.
  • Carnegie Mellon's Software Engineering Institute has published OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), a framework that includes a great deal of information on the background work (identifying critical assets, profiling the threats to them and evaluating vulnerabilities) needed before you can formulate a sound security policy. This is a free resource, available at www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017abstract.html.
  • Section 5 of Murdoch University's Information Technology Security Policy online publication is devoted to security policy documentation and includes plenty of advice and examples. Check out this free resource at wwwits2.murdoch.edu.au/security/policy.html.
  • Although it may be one of the most expensive books I've ever run across, Charles Cresson Wood's Information Security Policies Made Easy, Version 9 is widely regarded as the nonpareil resource for building corporate or organizational security policies. It includes electronic templates ready for customization and copious, fully developed examples that IT professionals report being extremely easy to follow and emulate (Baseline Software, 2002, ISBN 1881585093, list price $795.00). For more information, visit the publisher's site at www.pentasafe.com.

With one of the for-a-fee resources in your kit (public consensus is that Wood's Information Security Policies Made Easy is the best of the bunch), along with the reams of free information and examples on the subject you can find on the Web, you too should be able to plan, formulate and manage security policy for your company or organization.

About the author

Ed Tittel is a principal at a content development company based in Austin, Texas, and the creator of the Exam Cram series. He has worked on numerous certification titles on Microsoft, Novell, CIW and Sun topics, and is working on several security certification books.



SearchSecurity.com, Copyright 2003 - 2010, TechTarget