Solved

Information Security Policy Format

Posted on 2014-02-02
2
493 Views
Last Modified: 2014-02-25
Hi

I understand that examples and templates of information security policies are all over the internet, both paid and free. SANS, NIST, Ruskwig etc has loads of them online.

What has been your best example of creating an easy to read, understand and retain the base elements of an information security policy?

Something innovative that struck you at first instance. In my view, more than half a page of information security policy document is destined into annals of history. As the majority of userbase that we need to communicate the policy to is non-IT, there is no need for incorporating elements regarding systems hardening and servers backup into it, that can form some other document.

So, anything that someone wants to share in terms of real ingenuity while writing information security policy format and structure. Understand, that I am not looking for content but structure of it.

Rgds
0
Comment
Question by:fahim
2 Comments
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 200 total points
ID: 39827830
Reading through an SSCP guidebook the other week, what I took away was that there would be separate policy to deal with different aspects of the business... which makes perfect sense.  My kids have an acceptable use policy to which they agree at the beginning of the school year.  The adults have a different policy agreement.  But in each case, it still isn't the 'whole security policy'.  It's the message that has been tailored to each audience.  The IT Administrators would have a superset of the other policies.  But still the overarching security policy would have to include still more... acceptable risks, disaster recovery, etc.

And even after that, the policy should include plans to educate all users to take reasonable precautions and why.  The policy can't necessary spell them all out, because that education necessarily changes over time.  

But the part the users see is only one small part of the security policy.  And I think that is the critical part of the structure... that it consist of a host of policies, standards, and guidelines which complement each other.  Based on a line or two in your question, I think what you are looking for is an Employee Acceptable Use Policy, which is one important component of Security Policy.  Start there... but define what you want the policy to cover and define the audience before you start trying to draft the policy.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 300 total points
ID: 39828772
The crux is they have to be binding, clear, and thorough, I've never encountered a good policy. They are all hum-drum and boring to read, no one but me and or other auditors read them. They are filled with typos, endless loops (see policy-x, policy-x says see policy y). I've got a simple template I use, you can see it here:
https://docs.google.com/file/d/0BxkO4FxAaw9uTV9iV1VlUFlmaHc
First page is the basic layout/begining of a policy, the following pages are the "meat" taken from my std acceptable use policy.

I've been all over, and seen so many policies, I can't name any better, and certainly not as good as what I have there. The SANS ones are way out dated, great starters however. A good policy is one that remembers it's a policy and not a PROCEDURE. Although you can mix the two, they have to be in two different sections if you ask me, policy then procedure. Policy should be much shorter than procedure in most cases.

Policies are "broad stroke" documents, more like rules, with what and why. Procedures are very detailed and explain who, when and how.
-rich
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question