Apparently, several of my recent tips that provide pointers to ready-made examples and templates for security policy...
have resonated well with readers. In the past months, I've gotten more than 20 e-mails chock full of thank-yous, further recommendations, reactions and suggestions on this popular topic. Apparently, people like to build security policy documents by example, and for that reason have paid more attention to these tips than I might first have guessed.
I got e-mail from as far away as Bahrain, but plenty also from Europe and North America. The consensus from numerous writers was that the Charles Cresson Woods book Information Security Policies Made Easy, Version 9 (Baseline Software, 2002, ISBN: 1881585093) was too expensive (List Price: $795), too hard to work with and use, and that it didn't address the needs of modern organizations as well as other resources. As the first collection of security policy examples and templates widely marketed, some readers opined that perhaps this book earned its many accolades because it was the first of its kind. My gut feeling is that only those with company-funded budgets or highly successful security consultants, would be able or inclined to fund such a purchase anyway.
As more reasonable and usable alternatives to the Woods book, the Barman, Peltier and NIST resources came in with lots of thumbs-up ratings in particular (the citations are in my other tips on this subject; pointers available below). Likewise, the set of example documents available through the SANS Security Policy Project also came in for multiple notable mentions. On the software side, several readers wrote in to praise the RUSecure offerings not just because of their variety, flexibility and ease of use, but also because they apparently make it very easy to meet filing requirements that meet ISO17799 standards. In fact, one reader advised that the tool makes things handy for those organizations interested in outside review of security policy and infrastructure for compliance with ISO 17799 guidelines and best practices by providing a checklist of what's needed and including necessary filing information more or less automatically in the documents it builds. This definitely makes the $595 list price a lot easier to swallow!
If anybody else has favorites or resources I've overlooked, please share them with me. But clearly, there's a wealth of inexpensive and useful information available for IT professionals who want to create security policy documents and who prefer to work by example. I'm very glad to hear that my collections of resources are helping such folks get their jobs done.
Those who haven't yet seen my tips with pointers to security policy examples, templates and resources should check them out at:
Please feel free to e-mail me with feedback, comments or questions at etittel@iLearning.com.
About the author
Ed Tittel is VP of Content Services at iLearning, a CapStar company, based in Austin, Texas. As the creator of the Exam Cram series, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.
From the Editor: You've told us that you need security policy templates, so we're going to give them to you! We are currently building a collection of sample policies that you can customize to meet your organization's needs. And, we'd like you to contribute to this feature. If you have a policy on a specific topic (e-mail, employee monitoring, acceptable usage, etc.), submit it to us for publication. If you prefer that we don't use your name, we will post it anonymously. Just let us know! E-mail your policy to me, Crystal I. Ferraro, Site Editor of SearchSecurity.com.