News from the field: Reader responses and recommendations on security policy by example

News from the field: Reader responses and recommendations on security policy by example

Apparently, several of my recent tips that provide pointers to ready-made examples and templates for security policy have resonated well with readers. In the past months, I've gotten more than 20 e-mails chock full of thank-yous, further recommendations, reactions and suggestions on this popular topic. Apparently, people like to build security policy documents by example, and for that reason have paid more attention to these tips than I might first have guessed.

I got e-mail from as far away as Bahrain, but plenty also from Europe and North America. The consensus from numerous writers was that the Charles Cresson Woods book Information Security Policies Made Easy, Version 9 (Baseline Software, 2002, ISBN: 1881585093) was too expensive (List Price: $795), too hard to work with and use, and that it didn't address the needs of modern organizations as well as other resources. As the first collection of security policy examples and templates widely marketed, some readers opined that perhaps this book earned its many accolades because it was the first of its kind. My gut feeling is that only those with company-funded budgets or highly successful security consultants, would be able or inclined to fund such a purchase anyway.

As more reasonable and usable alternatives to the Woods book, the Barman, Peltier and NIST resources came in with lots of thumbs-up ratings in particular (the citations are in my other tips on this subject; pointers available below). Likewise,

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

the set of example documents available through the SANS Security Policy Project also came in for multiple notable mentions. On the software side, several readers wrote in to praise the RUSecure offerings not just because of their variety, flexibility and ease of use, but also because they apparently make it very easy to meet filing requirements that meet ISO17799 standards. In fact, one reader advised that the tool makes things handy for those organizations interested in outside review of security policy and infrastructure for compliance with ISO 17799 guidelines and best practices by providing a checklist of what's needed and including necessary filing information more or less automatically in the documents it builds. This definitely makes the $595 list price a lot easier to swallow!

If anybody else has favorites or resources I've overlooked, please share them with me. But clearly, there's a wealth of inexpensive and useful information available for IT professionals who want to create security policy documents and who prefer to work by example. I'm very glad to hear that my collections of resources are helping such folks get their jobs done.

Those who haven't yet seen my tips with pointers to security policy examples, templates and resources should check them out at:

Please feel free to e-mail me with feedback, comments or questions at etittel@iLearning.com.

About the author
Ed Tittel is VP of Content Services at iLearning, a CapStar company, based in Austin, Texas. As the creator of the Exam Cram series, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.

From the Editor: You've told us that you need security policy templates, so we're going to give them to you! We are currently building a collection of sample policies that you can customize to meet your organization's needs. And, we'd like you to contribute to this feature. If you have a policy on a specific topic (e-mail, employee monitoring, acceptable usage, etc.), submit it to us for publication. If you prefer that we don't use your name, we will post it anonymously. Just let us know! E-mail your policy to me, Crystal I. Ferraro, Site Editor of SearchSecurity.com.


This was first published in June 2003

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top