Saturday, 31 May 2008

Where to go when developing an IT policy.

To find out more on the creation and testing of policy, visit the following sites.

· The SANS Policy Website
o The SANS Security Policy Resource page is a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements.

· Information Security Policy - A Development Guide for Large and Small Companies
o A security policy should fulfill many purposes. It should: protect people and information; set the rules for expected behavior by users, system administrators, management, and security personnel; authorize security personnel to monitor, probe, and investigate; define and authorize the consequences of violation; define the company consensus baseline stance on security; help minimize risk; and help track compliance with regulations and legislation.

· SANS Policy Primer
o This short primer on developing and writing security policies was taken from Michele D. Guel’s full-day tutorial titled “Security Governance – A Strong Foundation for a Secure Enterprise.”
· RUsecure Information Security Policies
o A commercial policy creation program.
· Technical Writing for IT Security Policies in Five Easy Steps
o As management requires more policies, staff comfort levels drop. As policy writers include complex, confusing, and incomprehensible language, staff comfort levels continue to drop. Therefore, IT Security policy writers need a writing resource, not just a policy resource. This paper points new policy technical writers in the right direction and provides a solid foundation from which to start. Follow these five easy steps when writing IT Security policies. Your management and employees will thank you.

· Security Policy Roadmap - Process for Creating Security Policies
o Information is an important business asset and is valuable to an organization. Thus, it needs to be protected to ensure its confidentiality, integrity and availability. The very first thing in information security is to set up policies and procedures on how to protect information. This paper presents a systematic approach in developing computer security policies and procedures. All the processes in the Policy Life Cycle will be discussed. In particular, it will list all the issues and factors that must be considered when setting up the policies. It makes some recommendations and suggestions on relevant areas and produces a framework for setting security policies and procedures.

· SANS SCORE - Security Consensus Operational Readiness Evaluation
o SCORE is a cooperative effort between SANS/GIAC and the Center for Internet Security (CIS). SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS. After consensus is reached and best practice recommendations are validated, they may be formalized by CIS as best practice and minimum standards benchmarks for general use by industry at large.
o SCORE Objectives:
§ Promote, develop and publish security checklists.
§ Build these checklists via consensus, and through open discussion through SCORE mailing lists.
§ Use existing references, recruit GIAC-certified professionals, and enlist subject matter experts, where and when possible.

1 comment:

IT@SmallBiz said...

Thanks for the great summary. I added a link to this topic in my post this morning on writing security policies.