Security Spotlight: Security Policy By Example
Savvy information security professionals know that careful crafting of security policy documents is a vital step in creating and maintaining a proper organizational security posture and practices. But where can professionals turn if they need to create such documents but have nothing to work from? There are plenty of sources and resources on security policy, including some great sample and example policy documents available online and in software and book form. Here are some “best of breed” sources for creating security policy documents by example:
- RUSecure sells a sizable collection of Security Policies, along with supporting documents, ready for customization for any specific organization. At $595, the company’s offerings are somewhat pricey, but may help save time (and come with strong endorsements from several happy readers of this newsletter). For more information, check out www.information-security-policies.com. RUSecure also offers a set of interactive editing and automated delivery tools for security policies as a separate product.
- TekCentral sells a set of MS-Word security policy template files for $29.99. They’re ready to be opened in Word, then simply filled out (but note that detailed help files and complete examples are lacking; pair this with other items here for best results). You can learn more about their templates at: www.tekcentral.com/teknetwork/Policies_and_Procedures/Security_Policy/.
- The Joint Information Systems Committee in the UK helped create British Standard 7799 (BS7799). Ultimately, this work led to the ISO Standard, ISO17799. The documents they created on developing an information security policy are still relevant and useful, including numerous examples (with pointers to more). Available free at http://www.jisc.ac.uk/index.cfm?name=home.
- The Computer Security Resources Clearinghouse (CSRC) at the National Institute of Standards and Technology (NIST) has a useful and interesting set of security policies, complete with case studies and examples; check it out at www.itsc.state.md.us/info/InternetSecurity/BestPractices/SecPolicy.htm.
- Insight Consulting in the UK has a top-flight course named “Establishing an effective security policy.” It covers the security policy process from planning and design all the way through implementation, maintenance, and upkeep. The class costs about US$1,600, runs for two days, and includes copious documentation and examples; details at http://www.insight.co.uk/training/index.htm.
- SANS Security Policy Project offers reams of explanation, white papers, training materials, and a library of security policy document samples. Visit www.sans.org/resources/policies/ for a table of contents and pointers to all kinds of resources.
- Carnegie Mellon’s Software Engineering Institute offers OCTAVE (the Operationally Critical Threat, Asset, and Vulnerability Evaluation Framework), which includes lots of information about how to research, design, and formulate security policy. Visit this resource online at
- Section 5 of Murdoch University’s Information Technology Security Policy site covers security policy documentation; it includes copious advice and numerous examples; find it at http://wwwits2.murdoch.edu.au/security/policy.html.
- Scott Barman: Writing Information Security Policies (New Riders, 2001, ISBN: 157870264X; List Price: $34.99). This book belongs to New Riders’ great Networking and Security series, and makes short work of explaining security policy. Barman devotes considerable effort to describing how to write and maintain security policies, with plenty of useful examples presented in context. Visit his Web page at http://www.panix.com/~barman/wisp/ for more online information and for access to sample information security policy documents.
- Thomas R. Peltier: Information Security Policies, Procedures and Standards: Guidelines for Effective Security Management (CRC Press, 2001, ISBN: 0849311373; List Price: $69.95). A nicely constructed compendium of articles that do a good job of explaining how policies, procedures and standards are best formulated and how they should relate to each other. The book also covers ISO 17799/BS7799 and includes multiple examples (with pointers to more).
- John Fay: Model Security Policies (Butterworth-Heinemann, 1999, ISBN: 0750671831; List Price: $44.99). The author is a former special agent and academic heavy hitter in information security. The coverage of security policy is broader than strict information security policy and tries to look at the subject from multiple viewpoints. Good examples abound throughout the book, though subjects such as “Canine Security,” “Driving Safeguards,” or “Flag Etiquette” may not appeal to hard-boiled IT professionals.