Although "monkey-see, monkey do" may sound like an overly primitive approach to formulating, building and maintaining information security policy documents, a majority of IT and security professionals report that they learn best by understanding not just the theories, concepts, practices and procedures that go into formulating security policies, but that they also benefit greatly from access to clear, well-written examples of the kinds of security policy documents they wish (or need) to create. To that end, I'd like to point out a number of free and for-a-fee resources that offer lots of examples, in the hopes that professionals in need of same will find these resources both useful and informative:
- Mandy Andress's excellent book Surviving Security (SAMS, 2002, ISBN: 0-672-32129-7) includes several chapters on this topic, along with templates for and complete examples of security policy documents. List Price: $39.99.
- RUSecure offers a collection of Security Policies, along with supporting documentation, ready to be customized and tailored to a specific organization's needs. At $595, they're pricier than some other options here, but may help save time (and therefore be worth the cost). Visit
- www.information-security-policies.com for more information. They also offer an interactive editing and automated delivery toolset for security policies as well.
- TekCentral offers an MS-Word based security policy template for $29.99 that's ready to be filled out (though lacking by way of serious supporting information or fully-fleshed examples). Peruse this offering at www.tekcentral.com/teknetwork/Policies_and_Procedures/Security_Policy/.
- The Joint Information Systems Committee in the UK helped formulated BS7799 which led in turn to ISO17799. Their documents on developing an information security policy are still quite worthwhile and include examples (and pointers to other examples). Available at no charge at www.jisc.ac.uk/pub01/security_policy.html.
- The Computer Security Resources Clearinghouse (CSRC) at the National Institute of Standards and Technology (NIST) has a terrific set of security policies, complete with numerous case studies and example policy documents. Knock yourself out at www.itsc.state.md.us/info/InternetSecurity/BestPractices/SecPolicy.htm.
- Insight Consulting in the UK offers a highly-regarded course entitled "Establishing an effective security policy" that covers the whole process from planning and design through implementation to maintenance and upkeep. The two-day class costs about $1,600 but includes lots of take-away documentation and sample documents. For more information, please visit www.insight.co.uk/training/tc_securitypolicy.htm.
- SANS has a great Security Policy Project that includes copious explanatory information, training materials and a large collection of sample security policy documents. Visit www.sans.org/resources/policies/ for the complete lowdown. This is a free resource, available to the public.
- Carnegie-Mellon's Software Engineering Institute has published a framework called OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation Framework) that includes lots of information about how to do the background work necessary to formulate security policy. This is a free resource, available at www.sei.cmu.edu/publications/documents/99.reports/ 99tr017/99tr017abstract.html.
- Section 5 of Murdoch University's Information Technology Security Policy online publication is devoted to security policy documentation and includes lots of advice and examples. Check out this free resource at wwwits2.murdoch.edu.au/security/policy.html.
- Although it may be one of the most expensive books I've ever run across, Charles Cresson Wood's Information Security Policies Made Easy, Version 9 is widely regarded as the non-pareil resource on building corporate or organizational security policies. It includes electronic templates of such documents ready for customization and copious, fully-developed examples that IT professionals report being extremely easy to follow and emulate. (Baseline Software, 2002, ISBN: 1881585093, List Price: $795.00). For more information, visit his Web site at www.pentasafe.com.
With one of the for-a-fee resources in your kit (and public consensus is that Wood's Information Security Policies Made Easy is the best of the bunch) along with the reams of other free information and examples on the subject you can find on the Web, you too should be able to plan, formulate and manage security policy for your company or organization.About the author
Ed Tittel is a principal at a content development company based in Austin, Texas, and the creator of the Exam Cram series. He's worked on numerous certification titles on Microsoft, Novell, CIW and Sun topics, and is working on several security certification books.
This was first published in January 2003