Information Security Policy Format


I understand that examples and templates of information security policies are all over the internet, both paid and free. SANS, NIST, Ruskwig etc has loads of them online.

What has been your best example of creating an easy to read, understand and retain the base elements of an information security policy?

Something innovative that struck you at first instance. In my view, more than half a page of information security policy document is destined into annals of history. As the majority of userbase that we need to communicate the policy to is non-IT, there is no need for incorporating elements regarding systems hardening and servers backup into it, that can form some other document.

So, anything that someone wants to share in terms of real ingenuity while writing information security policy format and structure. Understand, that I am not looking for content but structure of it.

Who is Participating?
Rich RumbleConnect With a Mentor Security SamuraiCommented:
The crux is they have to be binding, clear, and thorough, I've never encountered a good policy. They are all hum-drum and boring to read, no one but me and or other auditors read them. They are filled with typos, endless loops (see policy-x, policy-x says see policy y). I've got a simple template I use, you can see it here:
First page is the basic layout/begining of a policy, the following pages are the "meat" taken from my std acceptable use policy.

I've been all over, and seen so many policies, I can't name any better, and certainly not as good as what I have there. The SANS ones are way out dated, great starters however. A good policy is one that remembers it's a policy and not a PROCEDURE. Although you can mix the two, they have to be in two different sections if you ask me, policy then procedure. Policy should be much shorter than procedure in most cases.

Policies are "broad stroke" documents, more like rules, with what and why. Procedures are very detailed and explain who, when and how.
Rich WeisslerConnect With a Mentor Professional Troublemaker^h^h^h^h^hshooterCommented:
Reading through an SSCP guidebook the other week, what I took away was that there would be separate policy to deal with different aspects of the business... which makes perfect sense.  My kids have an acceptable use policy to which they agree at the beginning of the school year.  The adults have a different policy agreement.  But in each case, it still isn't the 'whole security policy'.  It's the message that has been tailored to each audience.  The IT Administrators would have a superset of the other policies.  But still the overarching security policy would have to include still more... acceptable risks, disaster recovery, etc.

And even after that, the policy should include plans to educate all users to take reasonable precautions and why.  The policy can't necessary spell them all out, because that education necessarily changes over time.  

But the part the users see is only one small part of the security policy.  And I think that is the critical part of the structure... that it consist of a host of policies, standards, and guidelines which complement each other.  Based on a line or two in your question, I think what you are looking for is an Employee Acceptable Use Policy, which is one important component of Security Policy.  Start there... but define what you want the policy to cover and define the audience before you start trying to draft the policy.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.