Hello, take a look at:
http://www.pentasafe.com/products/vspm.htm

The product incorporates Charles Woods policy book and allows creation of new policies and web-based policy instruction and quizzes for employees.

Disclaimer: I work as a QA tester for Pentasafe, though not for the policy product.

-----Original Message-----
From: Greg Medina [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 1:58 PM
To: Nil Fiat
Cc: [EMAIL PROTECTED]
Subject: RE: help w/ security policies!

Hi Sara T,

I have been handed this project myself and have found this site to contain quite a bit on SecPol writing.

http://www.sans.org/newlook/resources/policies/policies.htm#name

Let me know if you need more.........I've got plenty!

Greg

> -----Original Message-----
> From: Peter Justice [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, April 06, 2002 6:19 PM
> To: Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager
> 1/421037 Ph-43983/45283; Nil Fiat
> Cc: [EMAIL PROTECTED]
> Subject: RE: help w/ security policies!
>
> Have a look @ http://www.oit.nsw.gov.au/pages/4.3.Guidelines.htm
>
> -----Original Message-----
> From: Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager
> 1/421037 Ph-43983/45283 [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 23 March 2002 9:27 PM
> To: Nil Fiat
> Cc: [EMAIL PROTECTED]
> Subject: Re: help w/ security policies!
>
> Hi
>
> I too searched in vain for a sample information security policy.
> But I can give you some tips based on my experience.
>
> This is my view of what an information security policy will look like.
>
> An organization's information security policy is a loosely coupled set
> of several policies. Ideally each policy does not exceed 1 or 2 pages
> and mostly contains bullet points. It will include:
>
> 1. Password policy
> 2. E-mail policy
> 3. Firewall and Intrusion detection policy
> 4. Anti-virus policy
> 5. Software selection, procurement and use policy
> 6. Encryption policy
> 7. Internet usage policy
> 8. Asset management policy
> 9. Acceptable system use policy
> 10. Incident response policy
> 11. Back up and business continuity policy
> 12. Security audit policy
> 13. Facilities management policy
> 14. System development and implementation policy
> 15. Outsourcing policy
>
> In addition this bundle should ideally contain an introduction by the
> author(s), definition of terms (information security etc.), index and a
> foreword signed by the company CEO or Managing Director which serves as
> top management approval and support.
>
> Because of the commonality of the subject dealt with, there will be
> extensive cross-references to other related policies. There will also
> be references to the company HR guidelines, legal and regulatory
> requirements.
>
> I have come across policies where authors inadvertently include
> procedural and technical details. These are not "clean" policies.
>
> What I have given is a skeletal structure. For filling it with flesh
> you need to contact the relevant people (say, for the Firewall policy,
> the person who administers the Firewall, and so on) and back it up
> with your information security experience.
>
> And yes, my hands are itching to create one such policy, but currently
> my job is to review and audit the policy being written by line function
> people. At the best I do informal consulting.
>
> Hope this helps.
>
> regards
> Kani
>
> On Fri, 22 Mar 2002, Nil Fiat wrote:
> --- snipped ---
> > So hey, yesterday I got handed one of the coolest projects of my
> > life: I get to write a security policy! Have I done this
> > before? Hell no...but I'm sure I can, especially if you lovely
> > peeps and gurus out there will point me to some resources.
> >
> > Peace & Packets,
> > Sara T
