Security Basics mailing list archives

RE: Security Policy-Please help


From: Jaymz Ringler <adminjaymz () sperrytv com>
Date: 06 Aug 2003 13:57:17 -0500

I've been writing custom security policies and have done lots of
research on the internet about it.  I've also reviewed lots of company
policies which are currently in place.

In my mind, the first thing to do of course is convince management that
they need a policy.  This is the easiest step.  Every business
owner/exec will jump at the opportunity to gain control over their
company.  Especially if it's going to reduce risk, and save money due to
lost production time of employees and cut down on IT staff expenditures.

When beginning to write the policy, the first thing I start with is
defining the company's assets.  This kind of makes the rest fall into
place.  

Bandwidth, computers, servers, routers, software, user accounts, domain
name space, reputation (for email server relay and spam lists), customer
data/info, employee data/info, shareholder info/data, etc. etc.

These things will all be defined and should have their own place within
the policy and what measures are going to be taken to protect them. 
They should also be given a rank of privacy, from publicly obtained
information to top secret.

Implementing a written policy is a big nasty monster.  Writing one is
even worse.  Good Luck.

Almost forgot.  "The Art of Deception" by Kevin Mitnick has a very good
write up in the back of the book about building written security
policies...


