In my last tip, I touted the benefits of taking a "monkey see, monkey do" approach to formulating, building and maintaining information security policy documents. I also recounted that a majority of IT and security professionals report that they learn best not just by understanding the theories, concepts, practices and procedures that go into formulating security policies, but also by having access to clear, well-written examples of the kinds of security policy documents they wish (or need) to create. Next, I went on to provide pointers to
But a couple of highly educated and motivated readers also wrote to tell me about a few of their favorite resources that I somehow overlooked in my reporting. In the interests of giving credit where it's due, and to provide some lower-cost alternatives to the $795 book Information Security Policies Made Easy, Version 9, by Charles Cresson Wood (Baseline Software, 2002, ISBN: 1881585093, www.pentasafe.com), I hereby offer up some additional books that others have seen fit to recommend and that my own research has shown me to be entirely worthy of note:
- Scott Barman: Writing Information Security Policies (New Riders, 2001, ISBN: 157870264X; List Price: $34.99). Part of New Riders' generally outstanding Networking and Security series, Barman's book is a good exemplar: it does a good job of explaining what a security policy is and how to write and maintain one, and it includes lots of useful examples. A supporting page at www.panix.com/~barman/wisp/ makes dynamic content and resources available online and provides electronic access to his sample information security policies.
- Thomas R. Peltier: Information Security Policies, Procedures and Standards: Guidelines for Effective Security Management (CRC Press, 2001, ISBN: 0849311373; List Price: $69.95). OK, I cheerfully confess to being somewhat biased against CRC Press books because of the way they're usually put together: they're often "Frankenbooks" of a sort, assembled by hiring lots of experts to cover individual topics on a per-chapter basis. I was aware of this book's existence, but hadn't really spent the time to read it over and weigh it on its own merits, bias aside. My mistake: it's a well-crafted book that does a good job of explaining how policies, procedures and standards should best be formulated and how they relate to one another. It also does a good job of exploring ISO 17799/BS 7799 and includes numerous examples (and pointers to other examples). Peltier has also authored a more expensive ($279.95 list price) book entitled Information Security Policies and Procedures: A Practitioner's Reference (CRC Press, 1998, ISBN: 0849399963), but I was unable to lay hands on a copy for a useful review. I ignored other titles of his written before 1995 as too old to mention.
- John Fay: Model Security Policies (Butterworth-Heinemann, 1999, ISBN: 0750671831, List Price: $44.99). The book's author is a former US Army CID special agent and former director of the National Crime Prevention Institute at the University of Louisville. His coverage of security policy wanders far afield from strict information security policy in this book (to his credit, his intention is to cover the subject more broadly than only from an IT perspective). He wins points for good examples throughout, even if IT-centric readers will find topics like "Canine Security," "Driving Safeguards," and "Flag Etiquette" waaaaay outside their usual ranges of concern.
If the Wood book at $795 is a little too rich for your budget, if not your blood, try one of these others instead. Because none of them costs more than $70 (not counting the $280 Peltier book I couldn't obtain for this tip), you can actually purchase all of them for considerably less than the cost of the Wood book! Also, my thanks to the readers who shared their thoughts and observations with me; I'm always grateful for feedback and input.
Please feel free to e-mail me with feedback, comments, or questions at email@example.com.
About the author
Ed Tittel is a principal at a content development company based in Austin, Texas, and the creator of the Exam Cram series. He's worked on numerous certification titles on Microsoft, Novell, CompTIA, and Sun topics, and is working on several security certification books.
From the Editor
You've told us that you need security policy templates, so we're going to give them to you! We are currently building a collection of sample policies that you can customize to meet your organization's needs. And, we'd like you to contribute to this feature. If you have a policy on a specific topic (e-mail, employee monitoring, acceptable usage, etc.), submit it to us for publication. If you prefer that we don't use your name, we will post it anonymously. Just let us know! E-mail your policy to me, Crystal Ferraro, Site Editor of SearchSecurity.com.
This was first published in February 2003