Information Security Policy Format

Posted on 2014-02-02
Last Modified: 2014-02-25

I understand that examples and templates of information security policies are all over the internet, both paid and free. SANS, NIST, Ruskwig etc has loads of them online.

What has been your best example of creating an easy to read, understand and retain the base elements of an information security policy?

Something innovative that struck you at first instance. In my view, more than half a page of information security policy document is destined into annals of history. As the majority of userbase that we need to communicate the policy to is non-IT, there is no need for incorporating elements regarding systems hardening and servers backup into it, that can form some other document.

So, anything that someone wants to share in terms of real ingenuity while writing information security policy format and structure. Understand, that I am not looking for content but structure of it.

Question by:fahim
LVL 29

Assisted Solution

by:Rich Weissler
Rich Weissler earned 200 total points
ID: 39827830
Reading through an SSCP guidebook the other week, what I took away was that there would be separate policy to deal with different aspects of the business... which makes perfect sense.  My kids have an acceptable use policy to which they agree at the beginning of the school year.  The adults have a different policy agreement.  But in each case, it still isn't the 'whole security policy'.  It's the message that has been tailored to each audience.  The IT Administrators would have a superset of the other policies.  But still the overarching security policy would have to include still more... acceptable risks, disaster recovery, etc.

And even after that, the policy should include plans to educate all users to take reasonable precautions and why.  The policy can't necessary spell them all out, because that education necessarily changes over time.  

But the part the users see is only one small part of the security policy.  And I think that is the critical part of the structure... that it consist of a host of policies, standards, and guidelines which complement each other.  Based on a line or two in your question, I think what you are looking for is an Employee Acceptable Use Policy, which is one important component of Security Policy.  Start there... but define what you want the policy to cover and define the audience before you start trying to draft the policy.
LVL 38

Accepted Solution

Rich Rumble earned 300 total points
ID: 39828772
The crux is they have to be binding, clear, and thorough, I've never encountered a good policy. They are all hum-drum and boring to read, no one but me and or other auditors read them. They are filled with typos, endless loops (see policy-x, policy-x says see policy y). I've got a simple template I use, you can see it here:
First page is the basic layout/begining of a policy, the following pages are the "meat" taken from my std acceptable use policy.

I've been all over, and seen so many policies, I can't name any better, and certainly not as good as what I have there. The SANS ones are way out dated, great starters however. A good policy is one that remembers it's a policy and not a PROCEDURE. Although you can mix the two, they have to be in two different sections if you ask me, policy then procedure. Policy should be much shorter than procedure in most cases.

Policies are "broad stroke" documents, more like rules, with what and why. Procedures are very detailed and explain who, when and how.

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now