Security Policy

Hi everyone,

I'm in the process of writing our security policy (small company, never had one before, been hell trying to get them to approve instituting one) and I was wondering if anyone could take a few minutes to review the policy I have written. Please shoot me a private message if you have a few moments to spare.

Thanks!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

earweed

Why not attach a generic version to your post?

dynamik

That's too involved to do quickly and well.

Here are some resources that may help you out:
SANS: Information Security Policy Templates

https://www.amazon.com/Writing-Information-Security-Policies-Barman/dp/157870264X/ref=sr_1_3?ie=UTF8&s=books&qid=1280417447&sr=8-3 (it's old but still has good principles, and the used price is great)

Plantwiz

dynamik wrote: »

That's too involved to do quickly and well.

Here are some resources that may help you out:
SANS: Information Security Policy Templates

https://www.amazon.com/Writing-Information-Security-Policies-Barman/dp/157870264X/ref=sr_1_3?ie=UTF8&s=books&qid=1280417447&sr=8-3 (it's old but still has good principles, and the used price is great)

Agreed.

Both good resources too!

Everlife

This hasn't been something that was done quickly. I have been working on the WISP for over a year. This includes numerous meetings with various department heads, identifying sensitive information, identifying the threats to that information, and developing procedures to mitigate those threats. Over the past three years I have instituted an AUP, Data Destruction/Sanitization Policy, and Remote Access Policy.

The purpose of the WISP is to address some other areas which were not properly covered by the previous policies as well as to address some physical records security.

I am not looking for someone to tell me "Oh you're missing this, and that.", because someone unfamiliar with the environment cannot make those type of judgements. I was mainly looking for an opinion of the format.

I have utilized the SANS policies previously and have found them to be excellent. Also, I would recommend the RUSecure reference manual from http://www.information-security-policies.com/. It was a big help in formulating the policy.

It looks like a better option will be simply to have our legal contact who advises on such things take a look at it.

Thanks for the links.

tpatt100

I am using some of the SANS guides right now for my current project. I am a bit overwhelmed though since I am writing all the policies and procedures since our corporate policy does not carry over to the new projects.

Everlife

tpatt100 wrote: »

I am using some of the SANS guides right now for my current project. I am a bit overwhelmed though since I am writing all the policies and procedures since our corporate policy does not carry over to the new projects.

Brutal isn't it? Check out that manual from RUSecure. They give you initial access to a fair amount of it to evaluate whether or not the PDF is worth the price.

tpatt100

What's brutal is doing it almost alone when normally you contract the project out to a team of people who do this type of C&A work regularly. I am trying to line up 100+ IA controls to the new policies while making sure they accommodate a few of the DoDI 8000 series requirements.

Plus being one of the only IT security people in a meeting explaining why I need more billable hours to accomplish the task lol.

Glad the weekend is almost here.

dynamik

Everlife wrote: »

This hasn't been something that was done quickly.

I meant for me. I usually spend days going over an organization's policies when I do that type of thing. I help out a lot here, but that's too big to give away

Everlife

dynamik wrote: »

I meant for me. I usually spend days going over an organization's policies when I do that type of thing. I help out a lot here, but that's too big to give away

Gotcha! Thanks for the links Dyn. I ended up ordering that book from Amazon, can't hurt!

colemic

tpatt100 wrote: »

What's brutal is doing it almost alone when normally you contract the project out to a team of people who do this type of C&A work regularly. I am trying to line up 100+ IA controls to the new policies while making sure they accommodate a few of the DoDI 8000 series requirements.

Plus being one of the only IT security people in a meeting explaining why I need more billable hours to accomplish the task lol.

Glad the weekend is almost here.

Sounds like someone is MAC II DIACAPing...

...we are going through the same thing.

dynamik

phoeneous wrote: »

I created an acceptable use policy about 3 months ago and now everyone hates me

Implement web filtering that blocks streaming media and social networking then remove their local administrator privileges.

I have a friend that works for an engineering firm that is extremely locked down, and he complains constantly. I tell him to stfu and give them props; they're more locked-down than a lot of the financial institutions I work with.

tpatt100

colemic wrote: »

Sounds like someone is MAC II DIACAPing...

...we are going through the same thing.

Yeah each system is MAC III classified. I thought it was a bunch of stupid paperwork and documentation but now I kind of respect it a bit. Its a very thorough and logic method of making sure everything is covered.

I inherited a bunch of classified labs and the last guy documented crap. So I was hunting pecking and trying to figure out what the hell was going on.