Educause Security Discussion mailing list archives
Re: FW: process for creating Information security policies and guidelines
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 12 Sep 2011 06:00:56 -0400
On Sun, 11 Sep 2011 20:05:44 CDT, Mohamed Elhindi said:
We are in the process of reviewing our information security policy. We are looking for a process that other universities have used to create university information security policies and guidelines. If possible, would you please share your flowchart and procedures used for creating information security policies and guidelines?
Beware any such flowchart that doesn't include "Step 17: Be prepared to use a baseball bat on the recalcitrant security policy committee members". Also beware any such flowchart that doesn't result in a policy that includes "We have authorized the use of a baseball bat on recalcitrant users". :)

Seriously, if you already have a policy in place, this should be pretty simple:

Step 0: Most places have a distinction between "Policies" (which need approval from on high) and "Procedures/Guidelines" (which require less approval). Consider how much of your Policies you can push down a level (which will make them easier to update in the future - and also future-proof them more). Our AUP was last modified in 2002, mostly because most of the "Thou shalt/shalt nots" are pushed down into a Guideline.

Step 1: Create a list of known deficiencies. Remember to include all the stuff that made you decide to update the policies in the first place....

1a - New technologies and services your current policy doesn't address. (Try re-writing your policy so it's not technology-specific - if it said "thou shalt not email PII", maybe it needs to say "Thou shalt not transmit PII in the clear" or something.) Also, see Step 0.

1b - Corner cases and deficiencies - "Our old policy doesn't cover if somebody does unexpected thing xyz".

1c - Things that get in the way - places where the policy has actively impeded legitimate business processes.

Step 2: Address each item found in Step 1.

Step 3: If you're ambitious, go through the policies line by line and see if you overlooked any Step 1 candidates.

Step 4: Get consensus and approval, hopefully without resorting to a baseball bat. :)

Really - it doesn't have to be more complicated than that. Any complications above and beyond what's above are all in the "how do we get steps 1-4 done in our organization" - and there's no way somebody else's flowchart could include that stuff...