Problem solve Get help with specific problems with your technologies, process and projects.

The scope of a security policy

I am looking into the BS 7799. With regards to security policies, I am a little confused. Does a security policy contain all policies on e-mail, Internet usage, etc., or are these separate and the security policy itself is just an overview?
Security policies are actually very flexible documents. Your security policy can be one large document that incorporates an e-mail policy, an Internet Usage policy, an Acceptable Use policy, etc. You can also break each of these topics out into its own policy. I prefer to break policies out into individual sections and have one summary document. I feel end users approach the concept of security policies much more positively that way. Instead of handing them a 100 page document to read, they get a bunch of smaller documents.

For more information on this topic, visit these other SearchSecurity.com resources:
Security Policies Tip: Issues to cover in a security policy
Best Web Links: Security Policy & Infrastructure
Chat Transcript: Security policies in the workplace

This was last published in November 2002

Dig Deeper on Information security policies, procedures and guidelines