RE: Security policy

["Roger A. Grimes" <roger () banneretcs com>]

The real complication of the issue is that you can do it anyway that you
want. 

But in many cases, the overall grand security policy makes wide sweeping
general statements (e.g. "Confidential data must be encrypted", "You
must use passwords", "PCs are for business use only", etc.).  It is a
general guideline that then feeds the other policies. Then each specific
policy gives perscriptive guidance for each service area or application.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************

 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Francois Yang
Sent: Tuesday, October 24, 2006 5:39 PM
To: security-basics () lists securityfocus com
Subject: Security policy

Can anyone please point me in the right direction.
I need to write some security policies, but I'm not sure where to begin.
I know there are alot of examples and templates out there, but what do I
include in the policy.
I see seperated policies for e-mail, password, remote access, acceptable
use, etc...but I was also told that it is better to try to make all of
those fit into one so that we don't have to keep track of 10 different
policies.  The question is, which one do I include in one big security
policy and which ones to I make them seperate?

thank you.

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------