Security Basics mailing list archives

Re: Building a Company Computer Use/Security Policy


From: jayson.agagnier () aero bombardier com
Date: Mon, 17 Jan 2005 21:54:31 -0500


There are many sites that have such policies, but it depends on what type
of business you are in.

Some good points of reference are:

www.isaca.org
www.sans.org/resources/policies
www.iso.ch
http://www.arma.org/imj/index.cfm
http://www.gao.gov/
http://www.tbs.sct.gc.ca/pubs_pol/ciopubs/TB_IT/siglist_e.asp
http://www.information-security-policies-and-standards.com/

Don't forget to include a scope of audience and outline who are the
information owners, information custodians and information users, along
with classification & labeling suitable for your business sector.

A good reference book to have for outlining roles and responsibilities is
'Information Security Roles & Responsibilities Made Easy' published by
PentaSafe.

Good luck!

Regards,

Jayson Agagnier, CISSP, CISA
Sr. Information Security Advisor
Bombardier Aerospace




                                                                                                                        
               
"Samuel S. Kempf" <samk@rjpromotions.com>
01/16/2005 07:33 PM

To: security-basics () securityfocus com
cc:
Subject: Building a Company Computer Use/Security Policy




I've recently taken over the position of I.T. Director for a mid-sized
company that has no IT policy of any sort currently in place, aside from
a vague mention in the no compete agreement about not giving proprietary
data to other companies. One of my prime initiatives at the moment is to
implement such a policy, something I've never been responsible for
before. Can anyone point me to sites/articles on how to do this? Or,
better yet, does anyone know of such a policy available online that I
could use as a basis for my company? Any suggestions are most welcome.

Samuel S. Kempf





