Not sure if this is the best approach, but I would first look to see if this organization has to abide by any government or industry regulations (e.g. PCI, HIPAA) and possibly work backwards from there.

I am currently undertaking a similar task for a university I work for, and that's one option I am looking at. I am also looking at other standards from NIST, SANS and others, and then trimming them down after having a talk with upper management.

Cheers,
Infolookup
http://infolookup.securegossip.com
www.twitter.com/infolookup

-----Original Message-----
From: Michael Lubinski <[email protected]>
Sender: [email protected]
Date: Mon, 28 Feb 2011 14:10:28
To: <[email protected]>
Reply-To: PaulDotCom Security Weekly Mailing List <[email protected]>
Subject: [Pauldotcom] Security Starts With Policies

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
