I've been writing custom security policies and have done lots of research on the internet about it. I've also reviewed lots of company policies which are currently in place.
In my mind, the first thing to do, of course, is convince management that they need a policy. This is the easiest step. Every business owner/exec will jump at the opportunity to gain control over their company, especially if it's going to reduce risk, save money from lost production time of employees, and cut down on IT staff expenditures.

When beginning to write the policy, the first thing I start with is defining the company's assets. This kind of makes the rest fall into place: bandwidth, computers, servers, routers, software, user accounts, domain name space, reputation (for email server relay and spam lists), customer data/info, employee data/info, shareholder info/data, etc. These things will all be defined and should have their own place within the policy, along with what measures are going to be taken to protect them. They should also be given a rank of privacy, from publicly obtainable information to top secret.

Implementing a written policy is a big nasty monster. Writing one is even worse. Good luck.

Almost forgot: "The Art of Deception" by Kevin Mitnick has a very good write-up in the back of the book about building written security policies.