Information Security Policy Format

Posted on 2014-02-02
Medium Priority
Last Modified: 2014-02-25

I understand that examples and templates of information security policies are all over the internet, both paid and free. SANS, NIST, Ruskwig etc. have loads of them online.

What has been your best example of creating an easy to read, understand and retain the base elements of an information security policy?

Something innovative that struck you at first instance. In my view, more than half a page of information security policy document is destined for the annals of history. As the majority of the user base that we need to communicate the policy to is non-IT, there is no need to incorporate elements regarding system hardening and server backups into it; those can form some other document.

So, anything that someone wants to share in terms of real ingenuity while writing information security policy format and structure. Understand that I am not looking for content but for the structure of it.

Question by:fahim

Assisted Solution

by:Rich Weissler
Rich Weissler earned 600 total points
ID: 39827830
Reading through an SSCP guidebook the other week, what I took away was that there would be separate policy to deal with different aspects of the business... which makes perfect sense. My kids have an acceptable use policy to which they agree at the beginning of the school year. The adults have a different policy agreement. But in each case, it still isn't the 'whole security policy'. It's the message that has been tailored to each audience. The IT Administrators would have a superset of the other policies. But still the overarching security policy would have to include still more... acceptable risks, disaster recovery, etc.

And even after that, the policy should include plans to educate all users to take reasonable precautions and why. The policy can't necessarily spell them all out, because that education necessarily changes over time.

But the part the users see is only one small part of the security policy. And I think that is the critical part of the structure... that it consist of a host of policies, standards, and guidelines which complement each other. Based on a line or two in your question, I think what you are looking for is an Employee Acceptable Use Policy, which is one important component of Security Policy. Start there... but define what you want the policy to cover and define the audience before you start trying to draft the policy.

Accepted Solution

Rich Rumble earned 900 total points
ID: 39828772
The crux is they have to be binding, clear, and thorough. I've never encountered a good policy. They are all hum-drum and boring to read; no one but me and/or other auditors read them. They are filled with typos, endless loops (see policy-x, policy-x says see policy-y). I've got a simple template I use, you can see it here:
First page is the basic layout/beginning of a policy, the following pages are the "meat" taken from my standard acceptable use policy.

I've been all over, and seen so many policies, I can't name any better, and certainly not as good as what I have there. The SANS ones are way outdated, great starters however. A good policy is one that remembers it's a policy and not a PROCEDURE. Although you can mix the two, they have to be in two different sections if you ask me, policy then procedure. Policy should be much shorter than procedure in most cases.

Policies are "broad stroke" documents, more like rules, with what and why. Procedures are very detailed and explain who, when and how.
