Hi I too searched in vain for a sample information security policy. But I can give you some tip based on my expereince,
This is my view of how an information security policy will look like. An organization's information security policy is a loosely coupled set of several policies. Ideally each policy does not exceed 1or 2 pages and mostly contain bullet points. It will include, 1. Password policy 2. E-mail policy 3. Firewall and Intrusion detection policy 4. Anti-virus policy 5. Software selection, procurement and use policy 6. Encryption policy 7. Internet usage policy 8. Asset management policy 9. Acceptable system use policy 10. Incident response policy 11. Back up and business continuity policy 12. Security audit policy 13. Facilities management policy 14. System development and implementation policy 15. Outsourcing policy In addition this bundle should ideally contain an introduction by the author(s), definition of terms (information security etc.,), index and a foreword signed by the company CEO or Managing Director which serves as top management approval and support. Because of the commonality of the subject dealt with, there will be extensive cross-references to other related policies. There will also be references to the company HR guidelines, legal and regulatory requirements. I have come across policies where inadvertently authors include procedural and technical details. These are not "clean" policies. What I have given is a skeletal structure. For filling it with flesh you need to contact the relevant people (Say for Firewall policy - the person, who administers the Firewall and so on) and back it up with your information security experience. And yes, my hands are itching to create one such policy, but currently my job is to review and audit the policy being written by line function people. At the best I do informal consulting. Hope this helps. regards Kani On Fri, 22 Mar 2002, Nil Fiat wrote: --- snipped --- > So hey, yesterday I got handed one of the coolest projects of my > life: I get to write a security policy! Have I done this > before? Hell no...but I'm sure I can, especially if you lovely > peeps and gurus out there will point me to some resources. > > Peace & Packets, > Sara T
