Information Security Policy Format

Posted on 2014-02-02
Last Modified: 2014-02-25

I understand that examples and templates of information security policies are all over the internet, both paid and free. SANS, NIST, Ruskwig, etc. have loads of them online.

What has been your best example of creating an easy-to-read, understandable and memorable document covering the base elements of an information security policy?

Something innovative that struck you at first instance. In my view, more than half a page of information security policy document is destined for the annals of history. As the majority of the user base that we need to communicate the policy to is non-IT, there is no need to incorporate elements regarding system hardening and server backup into it; those can form some other document.

So, anything that someone wants to share in terms of real ingenuity while writing an information security policy format and structure. Understand that I am not looking for content but for the structure of it.

Question by: fahim

Assisted Solution

by: Rich Weissler
Rich Weissler earned 200 total points
ID: 39827830
Reading through an SSCP guidebook the other week, what I took away was that there would be separate policies to deal with different aspects of the business... which makes perfect sense. My kids have an acceptable use policy to which they agree at the beginning of the school year. The adults have a different policy agreement. But in each case, it still isn't the 'whole security policy'. It's the message that has been tailored to each audience. The IT Administrators would have a superset of the other policies. But still the overarching security policy would have to include still more... acceptable risks, disaster recovery, etc.

And even after that, the policy should include plans to educate all users to take reasonable precautions and why. The policy can't necessarily spell them all out, because that education necessarily changes over time.

But the part the users see is only one small part of the security policy. And I think that is the critical part of the structure... that it consists of a host of policies, standards, and guidelines which complement each other. Based on a line or two in your question, I think what you are looking for is an Employee Acceptable Use Policy, which is one important component of a Security Policy. Start there... but define what you want the policy to cover and define the audience before you start trying to draft the policy.

Accepted Solution

Rich Rumble earned 300 total points
ID: 39828772
The crux is they have to be binding, clear, and thorough. I've never encountered a good policy. They are all hum-drum and boring to read; no one but me and/or other auditors reads them. They are filled with typos and endless loops (see policy X; policy X says see policy Y). I've got a simple template I use, you can see it here:
The first page is the basic layout/beginning of a policy; the following pages are the "meat" taken from my standard acceptable use policy.

I've been all over and seen so many policies; I can't name any better, and certainly not as good as what I have there. The SANS ones are way outdated, great starters however. A good policy is one that remembers it's a policy and not a PROCEDURE. Although you can mix the two, they have to be in two different sections if you ask me: policy, then procedure. Policy should be much shorter than procedure in most cases.

Policies are "broad stroke" documents, more like rules, with what and why. Procedures are very detailed and explain who, when and how.
