
ISPME Table of Contents

Chapter 1: Introduction to Security Policies

Chapter 2: Policy Development Instructions

Instruction
Information Security Policies
Importance Of Policies
Considerations In The Policy Development Process
Policy Development Time Line
Policy Document Length
Policy Usage
Policy Objectives And Scope
Disclaimers

Chapter 3: Information Security Policy Library

Contains over 1400 policy statements with expert commentary on the following topics.

5 SECURITY POLICY
5.1 INFORMATION SECURITY POLICY

6 ORGANIZATION OF INFORMATION SECURITY
6.1 INTERNAL ORGANIZATION
6.2 EXTERNAL PARTIES

7 ASSET MANAGEMENT
7.1 RESPONSIBILITY FOR ASSETS
7.2 INFORMATION CLASSIFICATION

8 HUMAN RESOURCES SECURITY
8.1 PRIOR TO EMPLOYMENT
8.2 DURING EMPLOYMENT
8.3 TERMINATION OR CHANGE OF EMPLOYMENT

9 PHYSICAL AND ENVIRONMENTAL SECURITY
9.1 SECURE AREAS
9.2 EQUIPMENT SECURITY

10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
10.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT
10.3 SYSTEM PLANNING AND ACCEPTANCE
10.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE
10.5 BACK-UP
10.6 NETWORK SECURITY MANAGEMENT
10.7 MEDIA HANDLING
10.8 EXCHANGE OF INFORMATION
10.9 ELECTRONIC COMMERCE SERVICES
10.10 MONITORING

11 ACCESS CONTROL
11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL
11.2 USER ACCESS MANAGEMENT
11.3 USER RESPONSIBILITIES
11.4 NETWORK ACCESS CONTROL
11.5 OPERATING SYSTEM ACCESS CONTROL
11.6 APPLICATION AND INFORMATION ACCESS CONTROL
11.7 MOBILE COMPUTING AND TELEWORKING

12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
12.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
12.3 CRYPTOGRAPHIC CONTROLS
12.4 SECURITY OF SYSTEM FILES
12.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
12.6 TECHNICAL VULNERABILITY MANAGEMENT

13 INFORMATION SECURITY INCIDENT MANAGEMENT
13.1 REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES
13.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS

14 BUSINESS CONTINUITY MANAGEMENT
14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

15 COMPLIANCE
15.1 COMPLIANCE WITH LEGAL REQUIREMENTS
15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE

Appendix A: List Of Information Security Policy References

Appendix B: List Of Information Security Periodicals

Appendix C: List Of Professional Associations And Related Organizations

Appendix D: List Of Suggested Awareness-Raising Methods

In Person
In Writing
On Systems
On Other Things

Appendix E: External Network Interface Security Policy Harmonization

Access Control Considerations
Encryption And Public Key Infrastructure Considerations
Change Control And Contingency Planning Considerations
Network Management Considerations

Appendix F: Checklist Of Steps In Policy Development Process

Appendix G: Overview Of Policy Development Process Tasks

Appendix H: Real World Problem Cases Caused By Missing Policies

Government Agency
Law Firms
Oil Company
Local Newspaper
Midwest Manufacturing Company
West Coast Manufacturing Company
Major Online Service Company

Appendix I: Suggested Next Steps

Appendix J: Regulatory Requirements for Information Security Policies

Appendix K: Sample Policy-Related Documents

Agreement To Comply With Information Security Policies

Management Risk Acceptance Memo

Two-Page Simple Non-Disclosure Agreement

Appendix L: Sample Information Security Policy Documents

Sample High-Level Information Security Policy

Sample Detailed Information Security Policy

Sample Telecommuting and Mobile Computer Security Policy

Management Issues
Access Control
Backup And Media Storage
Communications Links
System Management
Travel Considerations
Physical Security

Sample External Communications Security Policy

Sample Personal Computer Security Policy

Sample Electronic Mail Policy

Sample Computer Network Security Policy

Purpose
Scope
General Policy
Responsibilities
System Access Control
End-User Passwords
Password System Set-Up
Logon and Logoff Process
System Privileges
Establishment Of Access Paths
Computer Viruses, Worms, And Trojan Horses
Data And Program Backup
Encryption
Portable Computers
Remote Printing
Privacy
Logs And Other Systems Security Tools
Handling Network Security Information
Physical Security Of Computer And Communications Gear
Exceptions
Violations
Glossary

Sample Internet Security Policy For User

Introduction
Information Integrity
Information Confidentiality
Public Representations
Intellectual Property Rights
Access Control
Personal Use
Privacy Expectations
Reporting Security Problems

Sample Intranet Security Policy

Sample Privacy Policy - Stringent

Overview And Applicability
Definitions
Specific Requirements
Information To Be Given To The Individual
Individual's Right Of Access To Data
Individual's Right To Object
Disclosure Of Personal Data To Third Parties
Processing Confidentiality And Security
Monitoring Of Internal Activities

Sample Privacy Policy - Lenient

Company Intentions and Management Responsibilities
Disclosure Of Private Information
Appropriate Handling of Private Information
Private Information on Computer and Communication System
Activity Monitoring
Handling Personnel Information
Private Information from Job Seekers
Private Information About Customers

Sample Web Privacy Policy

Sample Data Classification Policy

Sample Data Classification Quick Reference Table

Sample External Party Information Disclosure Policy

Sample Information Ownership Policy

Sample Firewall Policy

Appendix M: Index Of New Policies In Version 11

About the Author
