PaulDotCom mailing list archives
IT Security Policy
From: dgcombs at gmail.com (Dan McGinn-Combs)
Date: Wed, 14 Apr 2010 17:06:39 -0400
Well, the policy statements that are out there, SANS and elsewhere are guides only. You should really think through a few things before writing a policy. 1) What are your biggest risks to the business? 2) How can you address those risks? 3) What is the balance with business operations you need? 4) How are you going to measure policy compliance? 5) Do procedures need to change to ensure compliance? ... and so on. Once you have some of these items down, you can come up with a security plan (i.e. a broad plan of how to address the issues). Taken together, these can help you format your policy. Hopefully you'll get total buy-in from the company owner/management. I don't think it's wise to write a policy in a vacuum or write a policy that includes stuff you can't do (because the business won't support it) or can't enforce and measure. Dan On Wed, Apr 14, 2010 at 12:12 PM, Craig Freyman <craigfreyman at gmail.com>wrote:
I have to write a security policy for our company. We are a mall shop, and the "policy" that is in place is a mess. Are there any specific templates the group recommends? I see that SANS has a number of very specific policies but was wondering if there was an overall template that people find effective. Thanks, Craig _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-- Dan McGinn-Combs, Security+, GSEC, CISSP, CISA dgcombs at gmail.com Google Voice: +1 404 492 7532 Peachtree City, Georgia USA -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100414/1ea7e76b/attachment.htm
Current thread:
- IT Security Policy Craig Freyman (Apr 14)
- IT Security Policy Dan McGinn-Combs (Apr 14)
- IT Security Policy Rob Fuller (Apr 15)