Security Basics mailing list archives

General security policy vs. security awareness


From: "Gideon T. Rasmussen, CISSP, CISA, CISM, CFSO, SCSA" <lists () infostruct net>
Date: Mon, 28 Feb 2005 20:05:37 -0500

This is my response to a post asking how many pages a general security policy should be. It also expressed concerns 
about getting the salient points across. I thought it might be of interest to you...


I would not limit a general security policy to any number of pages per se. One way to keep it relatively compact is to 
write with the average employee as the intended audience (e.g. the sales team does not need to know about the system 
development life cycle). Departmental policies should detail how the general policy applies in that functional area. 
The general policy should include security best practices and be written with applicable regulations in mind (e.g. SOX, 
HIPAA, etc.). This may push the content up to 30-40 pages. Check SANS for policy resources 
(http://www.sans.org/resources/policies).

As for your concerns about employees picking up the salient points...

1. Ask the CEO to introduce the policy by e-mail with a letter stating that security is everyone's responsibility, 
appointing an information security steering committee, and a brief overview of the framework in use (e.g. ISO 17799, CoBIT, 
etc.). Repeat annually.

2. Create a PowerPoint presentation based on the policy. Hold security orientation briefings for all employees and 
contractors. Record attendance with a sign-in sheet and require everyone to sign off on the policy within 1 week. That 
should be enough time to answer outstanding questions and consider possible exceptions. Repeat the briefings annually 
and brief new employees as they are hired.

3. Create an internal security web site. Post the policy, presentation, incident report template, security awareness 
tips, etc.

4. Start a formal security awareness program:

http://www.ussecurityawareness.org/highres/security-awareness.html

In essence, the policy is just that, a policy. Getting the point across speaks to a change in culture. For that an 
awareness program is required.

Just my $.02.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, CFSO, SCSA
Boca Raton, FL
gideon () infostruct net
