Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security policy

From: Russ Foster <rjf () russfoster com>
Date: Wed, 25 Oct 2006 14:06:40 -0500 (CDT)


The Computer Security Resource Center (CSRC) of the National Institute of 
Standards and Technology (NIST) has lots of good templates. Poke around 
here:  http://csrc.nist.gov/

Depending on your company size and industry, generally speaking you have 
an overall "Security Policy" which is fairly high level. User policies 
address the specifics; email use policy (your email may be read and is 
retained for 90 days, etc.), acceptable use (computers are propery of ABC 
company, may be used for limited personal access)...and so on.

Find out what is common in your industry. There will be many differences 
between medical, financial, educational and manufacturing needs.

The Security Policy may include one or more of the following; chain of
command, who the security officer is, escalation procedures, how often
these policies will be reviewed, how often employees will be reminded 
about them (at employment start and once a year thereafter), disciplinary 
actions, etc.

-r


On Tue, 24 Oct 2006, Francois Yang wrote:


Can anyone please point me in the right direction.
I need to write some security policies, but I'm not sure where to begin.
I know there are alot of examples and templates out there, but what do
I include in the policy.
I see seperated policies for e-mail, password, remote access,
acceptable use, etc...but I was also told that it is better to try to
make all of those fit into one so that we don't have to keep track of
10 different policies.  The question is, which one do I include in one
big security policy and which ones to I make them seperate?

thank you.




---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: