Information Security Policies Made Easy

Chapter 1: Introduction to Security Policies

Chapter 2: Policy Development Instructions

Instruction
Information Security Policies
Importance Of Policies
Considerations In The Policy Development Process
Policy Development Time Line
Policy Document Length
Policy Usage
Policy Objectives And Scope
Disclaimers

Chapter 3: Specific Policies

Security Policy
Information Security Policies
Organizational Security
Information Security Infrastructure
Security Of Third-Party Access
Outsourcing
Asset Classification And Control
Accountability For Assets
Information Classification
Personnel
Security In Job Definition And Resourcing
User Training
Responding To Security Incidents And Malfunctions
Physical And Environmental Security
Secure Areas
Equipment Security
General Controls
Communications And Operations Management
Operational Procedures And Responsibilities
System Planning And Acceptance
Protection Against Malicious Software
Housekeeping
Media Handling and Security
Exchanges Of Information And Software
Access Control
Business Requirement For Access Control
User Access Management
User Responsibilities
Network Access Control
Operating System Access Control
Application Access Control
Monitoring System Access And Use
Mobile Computing
Systems Development And Maintenance
Security Requirements Of Systems
Security In Application Systems
Cryptographic Controls
Security Of System Files
Security In Development And Support Processes
Business Continuity Management
Aspects Of Business Continuity Management
Compliance
Compliance With Legal Requirements
Reviews Of Security Policy And Technical Compliance
System Audit Considerations

Chapter 4: Sample High-Level Information Security Policy

Chapter 5: Sample Detailed Information Security Policy

Chapter 6: Sample Telecommuting and Mobile Computer Security Policy

Management Issues
Access Control
Backup And Media Storage
Communications Links
System Management
Travel Considerations
Physical Security

Chapter 7: Sample External Communications Security Policy

Chapter 8: Sample Personal Computer Security Policy

Chapter 9: Sample Electronic Mail Policy

Chapter 10: Sample Computer Network Security Policy

Purpose
Scope
General Policy
Responsibilities
System Access Control
End-User Passwords
Password System Set-Up
Logon and Logoff Process
System Privileges
Establishment Of Access Paths
Computer Viruses, Worms, And Trojan Horses
Data And Program Backup
Encryption
Portable Computers
Remote Printing
Privacy
Logs And Other Systems Security Tools
Handling Network Security Information
Physical Security Of Computer And Communications Gear
Exceptions
Violations
Glossary

Chapter 11: Sample Internet Security Policy For Users

Introduction
Information Integrity
Information Confidentiality
Public Representations
Intellectual Property Rights
Access Control
Personal Use
Privacy Expectations
Reporting Security Problems

Chapter 12: Sample Intranet Security Policy

Chapter 13: Sample Privacy Policy - Stringent

Overview And Applicability
Definitions
Specific Requirements
Information To Be Given To The Individual
Individual's Right Of Access To Data
Individual's Right To Object
Disclosure Of Personal Data To Third Parties
Processing Confidentiality And Security
Monitoring Of Internal Activities

Chapter 14: Sample Privacy Policy - Lenient

Company Intentions and Management Responsibilities
Disclosure Of Private Information
Appropriate Handling of Private Information
Private Information on Computer and Communication System
Activity Monitoring
Handling Personnel Information
Private Information from Job Seekers
Private Information About Customers

Chapter 15: Sample Web Privacy Policy

Chapter 16: Sample Data Classification Policy

Chapter 17: Sample Data Classification Quick Reference Table

Chapter 18: Sample External Party Information Disclosure Policy

Chapter 19: Sample Information Ownership Policy

Chapter 20: Sample Firewall Policy

Appendix A: List Of Information Security Policy References

Appendix B: List Of Information Security Periodicals

Appendix C: List Of Professional Associations And Related Organizations

Appendix D: List Of Suggested Awareness-Raising Methods

In Person
In Writing
On Systems
On Other Things

Appendix E: External Network Interface Security Policy Harmonization

Access Control Considerations
Encryption And Public Key Infrastructure Considerations
Change Control And Contingency Planning Considerations
Network Management Considerations

Appendix F: Checklist Of Steps In Policy Development Process

Appendix G: Overview Of Policy Development Process Tasks

Appendix H: Real World Problem Cases Caused By Missing Policies

Government Agency
Law Firms
Oil Company
Local Newspaper
Midwest Manufacturing Company
West Coast Manufacturing Company
Major Online Service Company

Appendix I: Suggested Next Steps

Appendix J: Agreement To Comply With Information Security Policies

Appendix K: Identity Token Responsibility Statement

Appendix L: Management Risk Acceptance Memo

Appendix M: Two-Page Simple Non-Disclosure Agreement

Appendix N: Index Of New Policies

Appendix O: Regulatory Requirements for Information Security Policies

About the Author

Index