PaulDotCom mailing list archives

IT Security Policy


From: dgcombs at gmail.com (Dan McGinn-Combs)
Date: Wed, 14 Apr 2010 17:06:39 -0400

Well, the policy statements that are out there, SANS and elsewhere are
guides only. You should really think through a few things before writing a
policy.

1) What are your biggest risks to the business?
2) How can you address those risks?
3) What is the balance with business operations you need?
4) How are you going to measure policy compliance?
5) Do procedures need to change to ensure compliance?

... and so on.

Once you have some of these items down, you can come up with a security plan
(i.e. a broad plan of how to address the issues). Taken together, these can
help you format your policy. Hopefully you'll get total buy-in from the
company owner/management.

I don't think it's wise to write a policy in a vacuum or write a policy that
includes stuff you can't do (because the business won't support it) or can't
enforce and measure.

Dan

On Wed, Apr 14, 2010 at 12:12 PM, Craig Freyman <craigfreyman at gmail.com> wrote:

I have to write a security policy for our company. We are a mall shop, and
the "policy" that is in place is a mess. Are there any specific templates
the group recommends?

I see that SANS has a number of very specific policies but was wondering if
there was an overall template that people find effective.

Thanks,
Craig






-- 
Dan McGinn-Combs, Security+, GSEC, CISSP, CISA
dgcombs at gmail.com
Google Voice: +1 404 492 7532
Peachtree City, Georgia USA

