There are some model security policies on the SANS site. Go to: http://rr.sans.org/policy/policy_list.php

Two books I have used:

Writing Information Security Policies by Scott Barman

Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management by Tom Peltier

Good Luck

-----Original Message-----
From: Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283
To: Nil Fiat
Cc: [EMAIL PROTECTED]
Sent: 3/23/02 5:26 AM
Subject: Re: help w/ security policies!

Hi

I too searched in vain for a sample information security policy. But I can give you some tips based on my experience. This is my view of how an information security policy will look like.

An organization's information security policy is a loosely coupled set of several policies. Ideally each policy does not exceed 1 or 2 pages and mostly contains bullet points. It will include:

1. Password policy
2. E-mail policy
3. Firewall and intrusion detection policy
4. Anti-virus policy
5. Software selection, procurement and use policy
6. Encryption policy
7. Internet usage policy
8. Asset management policy
9. Acceptable system use policy
10. Incident response policy
11. Backup and business continuity policy
12. Security audit policy
13. Facilities management policy
14. System development and implementation policy
15. Outsourcing policy

In addition, this bundle should ideally contain an introduction by the author(s), a definition of terms (information security etc.), an index and a foreword signed by the company CEO or Managing Director which serves as top management approval and support. Because of the commonality of the subject dealt with, there will be extensive cross-references to other related policies. There will also be references to the company HR guidelines and legal and regulatory requirements.

I have come across policies where inadvertently authors include procedural and technical details. These are not "clean" policies.

What I have given is a skeletal structure.
For filling it with flesh you need to contact the relevant people (say, for the Firewall policy, the person who administers the Firewall, and so on) and back it up with your information security experience.

And yes, my hands are itching to create one such policy, but currently my job is to review and audit the policy being written by line function people. At best I do informal consulting.

Hope this helps.

regards
Kani

On Fri, 22 Mar 2002, Nil Fiat wrote:

--- snipped ---

> So hey, yesterday I got handed one of the coolest projects of my
> life: I get to write a security policy! Have I done this
> before? Hell no...but I'm sure I can, especially if you lovely
> peeps and gurus out there will point me to some resources.
>
> Peace & Packets,
> Sara T
