Educause Security Discussion mailing list archives

Re: FW: process for creating Information security policies and guidelines


From: Drew Perry <aperry () MURRAYSTATE EDU>
Date: Mon, 12 Sep 2011 15:00:03 -0500

I will echo Matt and others' sentiments on policy creation and add my own
experiences. Our Information Technology policies (available for perusal at
https://sites.google.com/a/murraystate.edu/information-security/policy/aup,
we're a Google Apps University), were developed from a framework we
originally acquired from http://www.sans.org/security-resources/policies/,
again "research." I'm also going with derivative works on that one. :) Our
main focus was to keep them as encompassing, yet simplistic as possible. We
preferred broad coverage with room for interpretation over in-depth
specificity. Rather than a flowchart for developing from scratch, we took
the SANS policies as well as others from peer institutions and stepped
through the policies one at a time, adapting them as needed to fit our
university.

Our problem, as others have also detailed, was in approval. Once we had
developed our policies, it took our board 3 years to finally approve them;
the majority of that time was spent in the office of University Counsel.
Unless your attorney is extremely technology adept, expect many hours of
clarification and education. And that's not a shot at lawyers. I'm not
terribly up-to-date on the ins and outs of our state and federal legal
system. So a bit of back and forth is needed on both parts. Best of luck,
feel free to steal... "acquire" as much of ours as is helpful.

*However, the best "rider" we could have thought to tack on was the ability
of the university president to approve changes or additions once the
policies were approved, without the need of the board's approval. Talk about
a time- and headache-saver.*

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu
