Security Policy

yrcissp

Hello All,

I am tasked with writing a security policy. I was wondering if there is a template available that i can customize or use as a guideline. Furthermore, i was wondering what are the most common program and issue specific policies organizations employ. Thanks!

JDMurray

You should use the security policies previously created by your business as a template. Contact your policy review board to learn the process. Security policies are reviewed by an organization's legal team, so you might be dealing with your company's lawyers directly.

yrcissp

Great idea, the only problem, there isn't one previously created

JDMurray

Check with your org's lawyers. They are the ones that make the final decisions, so go to them first. They should already know what they want in the form, fit, and functions of policy documents.

Security policies are usually created as one way an organization seeks to limit its legal liabilities. First, you must have a buy-in from the executives of the organization for the need to create and enforce security policies. Therefore, the creation of security policies starts at the very top of an organization and not at the bottom. Once you have executive approval to create the processes necessary to maintain security policies, start looking into the details of what to put on paper. The lawyers will have a strong opinion there too.

Darril

SANS has several templates as part of their SANS Security Policy Template that you can access here as downloadable PDF and Word docs:
SANS: Information Security Policy Templates

HTH,

Darril Gibson
Security Blog

yrcissp

Darril, perfect, thanks, that's exactly what i was looking for, more or less practical application