Educause Security Discussion mailing list archives
Re: FW: process for creating Information security policies and guidelines
From: Drew Perry <aperry () MURRAYSTATE EDU>
Date: Mon, 12 Sep 2011 15:00:03 -0500
I will echo Matt and others' sentiments on policy creation and add my own experiences. Our Information Technology policies (available for perusal at https://sites.google.com/a/murraystate.edu/information-security/policy/aup, we're a Google Apps University), were developed from a framework we originally acquired from http://www.sans.org/security-resources/policies/, again "research." I'm also going with derivative works on that one. :) Our main focus was to keep them as encompassing, yet simplistic as possible. We preferred broad coverage with room for interpretation over in-depth specificity. Rather than a flowchart for developing from scratch, we took the SANS policies as well as others from peer institutions and stepped through the policies one at a time, adapting them as needed to fit our university. Our problem, as others have also detailed, was in approval. Once we had developed our policies, it took our board 3 years to finally approve them, the majority of that time was spent in the office of University Counsel. Unless your attorney is extremely technology adept, expect many hours of clarification and education. And that's not a shot at lawyers. I'm not terribly up-to-date on the in's and out's of our state and federal legal system. So a bit of back and forth is needed on both parts. Best of luck, feel free to steal... "acquire" as much of ours as is helpful. *However, the best "rider" we could have thought to tack on was the ability of the university president to approve changes or additions once the policies were approved, without the need of the board's approval. Talk about a time- and headache-saver.* Drew Perry Security Analyst Murray State University (270) 809-4414 aperry () murraystate edu *P* Save a tree. Please consider the environment before printing this message.
Current thread:
- FW: process for creating Information security policies and guidelines Mohamed Elhindi (Sep 11)
- Re: FW: process for creating Information security policies and guidelines Barrett, Bruce R. (Sep 11)
- Re: FW: process for creating Information security policies and guidelines James Farr '05 (Sep 12)
- Re: FW: process for creating Information security policies and guidelines Sarazen, Daniel (Sep 12)
- Re: FW: process for creating Information security policies and guidelines James Farr '05 (Sep 12)
- Re: FW: process for creating Information security policies and guidelines Valdis Kletnieks (Sep 12)
- Re: FW: process for creating Information security policies and guidelines Matthew Gracie (Sep 12)
- Re: FW: process for creating Information security policies and guidelines Drew Perry (Sep 12)
- Re: FW: process for creating Information security policies and guidelines Valdis Kletnieks (Sep 12)
- Re: FW: process for creating Information security policies and guidelines A. Harry Williams (Sep 12)
- Re: FW: process for creating Information security policies and guidelines Matthew Gracie (Sep 12)
- Re: FW: process for creating Information security policies and guidelines Barrett, Bruce R. (Sep 11)