Policy Links
- IT Security Cookbook An excellent guide to computer & network security with a strong focus on writing and implementing security policy. This is primarily for security managers and system administrators.
- Model Security Policies Sample of 25 model security policies for use as templates or guides when developing policies for your own environment.
- Information Security Policy Handbook This is an information page which must be filled out to download the Information Security Policy Handbook from Axent Inc.
- Shelfware: How to Avoid Writing Security Policy and Documentation That Doesn't Work This paper explores the "GIAC Basic Security Policy" material (Part V of the course), looking into pitfalls that can make security policy and similar documentation unwieldy and unreadable.
- Building Effective, Tailored Information Security Policy 20th NISSC Internet Technical Security Policy Panel
- Site Security Policy Development Article by Rob McMillan outlining the importance and characteristics of a good security policy. This article is slightly dated, but provides a good starting point.
- Computer and Information Security Policy Formal IT security policy helps establish standards for IT resource protection by assigning program management responsibilities and providing basic rules, guidelines, and definitions for everyone in the organization. Policy thus helps prevent inconsistencies that can introduce risks, and policy serves as a basis for the enforcement of more detailed rules and procedures.
- Security Awareness Are Your Users "clued in" or "clueless"? A sound security policy is the foundation of any successful security program. The policy defines the organization's overall posture toward security.
- Sun Tzu and the Art of (Cyber) War: Ancient Advice for Developing an Information Security Program Though the battles fought are quite different from ancient China, Sun Tzu's philosophies can aid when setting up a security program at your company.
- Acceptable Use Policy While there are many categories of security policy and each is important, some are conceivably more critical as they provide the foundation for many other sections of the policy. Perhaps no category does more to provide that foundation than that of acceptable use.
- Information Security Awareness Policy This document will explain the implementation of a security awareness policy and in what ways it is used to involve the user to be more alert towards security issues.
- E-Policy E-policy is a corporate statement and set-of-rules to protect the organisation from casual or intentional abuse that could result in the release of sensitive information, IT system failures or litigation against the organisation by employees or other parties.
- Sandstorm Modem Policy This policy is designed to be an addition to an existing corporate security policy. It can be an addition to a Remote Access Policy, if one exists, or to simply stand alone as a Modem Access policy if no current policy of this sort exists at the Company.
- The Information Security Forum - The Forum's Standard of Good Practice for Information Security The Information Security Forum has produced the Standard to provide guidelines on all aspects of information security including IT, Data and Computer controls.
- Information Flow: Lessons Learned from the Old School Understanding how information flows is core to being able to protect that information in transport.
- Group Policy and Security The use of Group Policy to simplify the network security tasks that you face as a network administrator. With Group Policy, you can ensure that the machines on your network remain in a secure configuration after you deploy them.
- Best Practices in Network Security Knowing how and what to protect and what controls to put in place is difficult. It takes security management, including planning, policy development and the design of procedures.
- Acceptable Use Policy This document establishes policies, assigns responsibilities, and prescribes standards and procedures for the management and use of an Automated Information System security program for the District Office.
- When a Security Policy Matures into a Security Solution It is only through the implementation of security policies with a policy framework and testing to see whether the security exposures were reduced that one can measure if the security policy matured into a security solution.
- Security Framework and Principles The section of the Workstation Support Services Security Framework and Principles document from the University of California, Berkeley.
- Create Order with a Strong Policy A well-written, well-run security policy keeps cracks from appearing in your network's foundation.
- Applying IT Security Policies & Computer Security Standards Security policies and computer security standards must be implemented to be effective. This site introduces an approach to easing the problem of organization wide implementation.
- Security Planning This paper provides guidelines for developing security policies and implementing controls to prevent computer risks from becoming reality.
- Do you have an intrusion detection response plan? Discussion of what should go into the creation of an intrusion detection plan and the expected results.
- Policies and Procedures A presentation from the SANS institute course "Building an Effective Security Infrastructure", which outlines the elements to be included when designing a corporate security policy. Also available for download in Power Point format.
- Outsourcing Security Management The purpose of this paper is to highlight some high-level security issues faced by organizations when outsourcing security management. Some key factors regarding preparation and management of the outsourcing partnership are also included.
- What Do I Put in a Security Policy? Discussion of how to use all the available information on security policies to create a client specific policy. Contains a sample policy outline.
- ISO 17799 Standard: ISO17799 Compliance & Positioning The ISO 17799 security standard: How to achieve full ISO17799 compliance
- Network & IT Security Policies Where to find IT security policies, network security policies and a unique method to deliver them. Site includes trial downloads for all software offered.
- Steps to a Secure Network The typical corporate security objective of the past has been to protect the Enterprise network from the Internet, but as we are reading in the news today, this has not been enough. The first step in protecting the Enterprise is to set realistic expectations.
- A Framework for Establishing Internet Usage Policies A series of questions and answers on the use of a Framework to implement Internet Usage Policies.
- HIPAA Security Policy Development: A Collaborative Approach The Health Insurance Portability and Accountability Act of 1996 (HIPAA), enacted on August 21, 1996 as Public Law 104-191, authorized the Secretary of Health and Human Services (HHS) to develop security standards to prevent inadvertent or intentional unauthorized use or disclosure of any health information that is electronically maintained or used in an electronic transmission.
- CERT Practice Modules: Improving Security Determine contractor ability to comply with your organization's security policy.
- Policy Manager - Cisco Systems Cisco Secure Policy Manager is a scalable, powerful security policy management system for Cisco firewalls and Virtual Private Network (VPN) gateways. Assistance is also provided with the development and auditing of security policy.
- Browsing with a Loaded Gun A strong web Security Policy is key to keeping your company safe in the net-centric world. (PDF format)
- Developing a Computer Security Proposal for Small Businesses - How to Start It has been widely reported that computerization has played a significant role in the current economic expansion. However, when it comes to systems management in general, and systems security in particular, small businesses are ill prepared to deal with the challenges that increased automation and increased connectivity bring.
- Effective Security Policies Require Frequent Reviews Companies have the best intentions when drafting their initial IT security policies. The problem is that once written, most policies collect dust.
- Toward Standardization of Information Security: BS 7799 This paper describes BS 7799, the "Code of Practice for Information Security Management" as an information security management system, identifies the industry movement toward BS 7799 certification, reports the current effort involving the transformation of BS 7799 into ISO 17799 and suggests a need for the information security professional to be familiar with BS 7799.
- Baseline Software, Inc. Information Security Policies Made Easy by Charles Cresson Wood, CISA, CISSP, noted international information security consultant and researcher.
- BS7799 Security Standard: Compliance & Positioning What it is and how to achieve BS7799 compliance - a starting point.
- ITworld.com - Security's human side When it comes to keeping your company's systems secure, employees and managers play roles as important as those of the technological gadgets they deploy.
- Email Policy.com Learn how to create a company e-mail policy and enforce it using email security software. Also lists sample email policies, books and links.
- Network Security Policy A Manager's Perspective The tool that a Network Manager has to facilitate and manage good Network Security is policy.
- Policy Over Policing It's easy to develop e-mail and Internet policies, but education and documentation are crucial to their success.
- CERT Practice Modules: Responding to Intrusions Establish policies and procedures for responding to intrusions.
- Considerations for an Acceptable Use Policy for a Commercial Enterprise Computer security policies are the high cover that allow the computer security professional to effectively operate in an enterprise where the ultimate goal is to produce a product at a cost that allows the company to successfully compete in the marketplace.
- BS 7799 Security Standard & Compliance BS 7799, first published in February 1995, is a comprehensive set of controls comprising best practices in information security. BS 7799 is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations. It was significantly revised and improved in May 1999.
- Security Information Web Site Content-rich, ready-for-publication security information web site enables companies to JUMP-START their security management program with policies, plans, techniques, and countermeasures.
- CERT Practice Modules: Securing Desktop Workstations Develop and promulgate an acceptable use policy for workstations.
- Why Security Policies Fail Objective analysis reveals that many breaches are linked to common weaknesses in the security policy...accidents waiting to happen. This article focuses on strategic and systematic weaknesses that can slowly degrade security operations.
- How Does the Code of Ethics Relate to Security? Part 2 of this series of including ethics in security policy writing provides examples of the broad range of potential situations which may be faced by system/security administrators.
- Information Security Program Development Security standards are needed by organizations because of the amount of information, the value of the information, and ease with which the information can be manipulated or moved.
- Herding Cats 101: Development & Implementation of Security Policies at a University The widely-publicized denial of service attacks of February 2000 showcase the need for a basic security policy which governs and oversees the type of activities that are allowed on university computing and network resources.
- Computing Policies The electronic resource usage and security policy for the University of Pennsylvania.
- A System Security Policy for You The purpose of this document is to meet the requirements of the GIAC Security Essentials assignment and to provide other interested parties with a reference document that they can use to get their System Security Policy (SSP) document started.
- Enhancing Enterprise Security This is a solid site with a good overview of all factors which should go into the design of a security policy.
- PKI Policy Whitepaper This PKI Note provides general information about PKI policy, the role that policy plays in a PKI and how that policy applies to both traditional and PKI-enabled business environments.
- RFC2196 (Site Security Handbook) a guide to developing computer security policies and procedures for sites that have systems on the Internet.
- Internet Security Policy: A Technical Guide - Contents This document is intended to help an organization create a coherent Internet-specific information security policy.
- Internet/Network Security Policy Development How to write an effective network security policy. This is Part 4 of a 5 part tutorial on Internet and network security.
- Central Policy Mediation for Information Sharing Most existing methods of information sharing rely on application and operating system features to provide security. The format of this list and its policy capabilities are different for each platform. A complete solution for secure information sharing requires a method of uniformly creating and enforcing information security policies across an enterprise network.
- How to Develop Your Company's First Security Baseline Standard The goal of this document is to provide a guide for those charged with designing and implementing baseline security standards for the first time.
- How to Develop a Network Security Policy White Paper This document is for business executives, and others, who want to know more about Internet and internetworking security, and what measures you can take to protect your site.
- Para-Protect's Para-Policy Policy is the foundation for a strong and consistent security program. Policy is the often over-looked component of all good corporate information security programs.
- ISO 17799 Service & Software Directory Services and software for ISO 17799 audit, compliance, implementation and security risk analysis.
- Firewalls and Internet Security Good paper with theory and firewalls description. Network security policy example.
- What's Your Policy? If your company doesn't have written security policies, it's time it did, and Mark Edwards has some resources to help.
- Information Security Discussion of topic with security policies and baseline standards information.
- Information Security Policies & Computer Security Policy Directory This directory is intended to help you ensure that your policies actually meet your needs.
- Generalizing Ethics in an Information-based Society Part 1 of a series of articles on the problems faced when attempting to include a code of ethics in a computer security policy.
- Creating Security Policies Lessons Learned After attending SANS training or other security classes we return to work with an eagerness to move forward with hardening servers, tightening firewalls, and implementing intrusion detection systems. This paper shows the reader some steps we have taken on our continuing journey towards a full set of security policies and procedures.
- Site Security Policy Development This paper outlines some issues that the writer of a Site Computer Security Policy may need to consider when formulating such a document.
- Embrace your Policies Discussion of the importance of security policy acceptance to overall security.
- A Pragmatic Approach to Implementing a Corporate Security Policy By focusing on a company's Security Policy, the InfoSec professional can finally begin to have a meaningful impact on the actual fabric of everyday business activities within an Information Security context.
- Computer Policy Guide A commercial manual with sample policies. Topics include: Email; Internet Usage; Personal Computer Usage; Information Security; and Document Retention.
- Realizing Computer Security: If Not Now, When? Security is increasingly recognized as a necessity in today's highly competitive environment. The trouble is that in practice, corporate security policies too often pay only lip service to protecting data assets.
- Structured Approach to Computer Security A security policy is a set of rules written in general terms stating what is permitted and what is not permitted in a system during normal operation.
- Computer Policies for Employee Handbooks Proven, affordable, ready made computer security and usage policies covering areas such as email, internet, virus, unauthorized changes, personal use, remote access and laptop precautions.
- Enterprise Security Management (ESM): Centralizing Management of Your Security Policy This paper will define Enterprise Security Management (ESM). It will discuss motivations for implementing ESM. It will also look at security policy development and overview some of the items that security policy should contain.
- Policy Standards and IETF Terminology The goal of this series of papers is to present the elements of Policy-based Network Management (PBNM) and Quality of Service (QoS) in an organized and thorough manner.
- Number One Security Tool? Policy! A collection of tips from some of the most successful security policies.
- How to Develop Your Company's First Security Baseline Standard In an age where security is becoming more important to many organisations, it is important for such organisations to document their security policy, just as they would document their marketing policy, client service policy or accounting policies. But the effort of just documenting policies is insufficient, since it is no use going through the effort and costs of developing a security policy and not implementing or updating it.