Security Policy

Everlife Member Posts: 253
Hi everyone,

I'm in the process of writing our security policy (small company, never had one before, been hell trying to get them to approve instituting one) and I was wondering if anyone could take a few minutes to review the policy I have written. Please shoot me a private message if you have a few moments to spare.

Thanks!

Comments

  • earweed Member Posts: 5,192
    Why not attach a generic version to your post?
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • dynamik Banned Posts: 12,314
    That's too involved to do quickly and well.

    Here are some resources that may help you out:
    SANS: Information Security Policy Templates

    https://www.amazon.com/Writing-Information-Security-Policies-Barman/dp/157870264X/ref=sr_1_3?ie=UTF8&s=books&qid=1280417447&sr=8-3 (it's old but still has good principles, and the used price is great)
  • Plantwiz Alligator wrestler Mod Posts: 5,057
    dynamik wrote: »
    That's too involved to do quickly and well.

    Here are some resources that may help you out:
    SANS: Information Security Policy Templates

    https://www.amazon.com/Writing-Information-Security-Policies-Barman/dp/157870264X/ref=sr_1_3?ie=UTF8&s=books&qid=1280417447&sr=8-3 (it's old but still has good principles, and the used price is great)

    Agreed.

    Both good resources too!
    Plantwiz
    _____
    "Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux

    ***I'll add you can Capitalize the word 'I' to show a little respect for yourself too.

    'i' before 'e' except after 'c'.... weird?
  • Everlife Member Posts: 253
    This hasn't been something that was done quickly. I have been working on the WISP for over a year. This includes numerous meetings with various department heads, identifying sensitive information, identifying the threats to that information, and developing procedures to mitigate those threats. Over the past three years I have instituted an AUP, Data Destruction/Sanitization Policy, and Remote Access Policy.

    The purpose of the WISP is to address some other areas which were not properly covered by the previous policies as well as to address some physical records security.

    I am not looking for someone to tell me "Oh you're missing this, and that.", because someone unfamiliar with the environment cannot make those type of judgements. I was mainly looking for an opinion of the format.

    I have utilized the SANS policies previously and have found them to be excellent. Also, I would recommend the RUSecure reference manual from http://www.information-security-policies.com/. It was a big help in formulating the policy.

    It looks like a better option will be simply to have our legal contact who advises on such things take a look at it.

    Thanks for the links.
  • tpatt100 Member Posts: 2,991
    I am using some of the SANS guides right now for my current project. I am a bit overwhelmed though since I am writing all the policies and procedures since our corporate policy does not carry over to the new projects.
  • Everlife Member Posts: 253
    tpatt100 wrote: »
    I am using some of the SANS guides right now for my current project. I am a bit overwhelmed though since I am writing all the policies and procedures since our corporate policy does not carry over to the new projects.

    Brutal, isn't it? Check out that manual from RUSecure. They give you initial access to a fair amount of it to evaluate whether or not the PDF is worth the price.
  • tpatt100 Member Posts: 2,991
    What's brutal is doing it almost alone when normally you contract the project out to a team of people who do this type of C&A work regularly. I am trying to line up 100+ IA controls to the new policies while making sure they accommodate a few of the DoDI 8000 series requirements.

    Plus being one of the only IT security people in a meeting explaining why I need more billable hours to accomplish the task lol.

    Glad the weekend is almost here.
  • dynamik Banned Posts: 12,314
    Everlife wrote: »
    This hasn't been something that was done quickly.

    I meant for me. I usually spend days going over an organization's policies when I do that type of thing. I help out a lot here, but that's too big to give away ;)
  • Everlife Member Posts: 253
    dynamik wrote: »
    I meant for me. I usually spend days going over an organization's policies when I do that type of thing. I help out a lot here, but that's too big to give away ;)

    Gotcha! Thanks for the links Dyn. I ended up ordering that book from Amazon, can't hurt!
  • phoeneous Go ping yourself... Member Posts: 2,333
    I created an acceptable use policy about 3 months ago and now everyone hates me.
  • colemic Member Posts: 1,568
    tpatt100 wrote: »
    What's brutal is doing it almost alone when normally you contract the project out to a team of people who do this type of C&A work regularly. I am trying to line up 100+ IA controls to the new policies while making sure they accommodate a few of the DoDI 8000 series requirements.

    Plus being one of the only IT security people in a meeting explaining why I need more billable hours to accomplish the task lol.

    Glad the weekend is almost here.

    Sounds like someone is MAC II DIACAPing...

    ...we are going through the same thing.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • dynamik Banned Posts: 12,314
    phoeneous wrote: »
    I created an acceptable use policy about 3 months ago and now everyone hates me.

    Implement web filtering that blocks streaming media and social networking then remove their local administrator privileges.

    I have a friend that works for an engineering firm that is extremely locked down, and he complains constantly. I tell him to stfu and give them props; they're more locked-down than a lot of the financial institutions I work with.
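    The second half of the advice above (pull local administrator rights) is the part that stops users installing whatever they like. The script below is an added example, not code from the thread or from any poster: it audits the local Administrators group on a Windows machine and removes every member that is not on an explicit allow-list, writing each removal to a log. It uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows PowerShell 5.1 and needs an elevated session. The allow-list entries (the `CORP\...` group names) and the log path are assumptions; replace them with your own.

```powershell
# Added example (not from the thread): strip unapproved members from the local
# Administrators group. Run elevated. Supports -WhatIf for a dry run.
# The CORP\ group names and the log path below are placeholders (assumptions).

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Principals allowed to remain local administrators. Names must match the
    # "DOMAIN\name" or "COMPUTER\name" form that Get-LocalGroupMember reports.
    [string[]] $Approved = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin (kept; disable it separately if unused)
        'CORP\Domain Admins',                # assumed domain group
        'CORP\Workstation Admins'            # assumed helpdesk group
    ),
    [string] $LogPath = "$env:ProgramData\local-admin-audit.log"
)

$group = 'Administrators'

# Get-LocalGroupMember can throw on orphaned SIDs left behind by deleted
# accounts; stop rather than silently skipping them.
$members = Get-LocalGroupMember -Group $group -ErrorAction Stop

foreach ($m in $members) {
    # -contains is case-insensitive, so CORP\domain admins still matches.
    if ($Approved -contains $m.Name) {
        Write-Verbose "keeping $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
        continue
    }

    # Anything not on the allow-list is removed. ShouldProcess honours -WhatIf/-Confirm.
    if ($PSCmdlet.ShouldProcess($m.Name, "Remove from local group '$group'")) {
        Remove-LocalGroupMember -Group $group -Member $m.Name -ErrorAction Stop
        "$(Get-Date -Format o) removed $($m.Name) [$($m.ObjectClass)] from $group on $env:COMPUTERNAME" |
            Add-Content -Path $LogPath
    }
}
```

    Run it once with `-WhatIf` to see what would be removed before letting it act; the usual surprise is a service account or an old helpdesk user someone added by hand. On a domain, use Group Policy Restricted Groups (or a scheduled task pushing this script) so the membership is re-enforced on every policy refresh rather than drifting back after a one-off cleanup.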
  • tpatt100 Member Posts: 2,991
    colemic wrote: »
    Sounds like someone is MAC II DIACAPing...

    ...we are going through the same thing.

    Yeah, each system is MAC III classified. I thought it was a bunch of stupid paperwork and documentation, but now I kind of respect it a bit. It's a very thorough and logical method of making sure everything is covered.

    I inherited a bunch of classified labs and the last guy documented crap. So I was hunting, pecking and trying to figure out what the hell was going on.
  • phoeneous Go ping yourself... Member Posts: 2,333
    dynamik wrote: »
    Implement web filtering that blocks streaming media and social networking then remove their local administrator privileges.

    That was my first project when I got here. Currently running Endian on an old box but I don't like it. I used iPrism at my last job and it rocked. And no local admin rights, these animals will install pretty much anything...