Network Security Security-Basics

Re: Security policy

Subject: Re: Security policy
Date: Thu, 26 Oct 2006 11:10:50 +1000
The SANS reading room is a good source to start with and many of the
links are good, but with all the information don't forget the primary
point you should keep in your head while writing one is that if it is
even the slightest bit complicated most users won't follow it without
active enforcement.

Keep things simple regardless of what you do; a simple item from a
security standpoint such as making passwords longer and changed more
regularly also causes a larger security risk with an increase in the
likelihood of someone writing it down.  Many pentesters search for
passwords on whiteboards, Post-it notes, and written under, or on the
back of, your keyboard. The sad thing is that they find a lot of them.

Michael Santarcangilo(sp?) from the security roundtable has a lot of
good information about how to develop business security practices on
his blog http://www.securitycatalyst.com/ and should be happy to
respond to an email query on his project to improve the way people
practice information security.

Hope it helps

On 10/25/06, Francois Yang <francois.y@gmail.com> wrote:
Can anyone please point me in the right direction.
I need to write some security policies, but I'm not sure where to begin.
I know there are a lot of examples and templates out there, but what do
I include in the policy?
I see separated policies for e-mail, password, remote access,
acceptable use, etc...but I was also told that it is better to try to
make all of those fit into one so that we don't have to keep track of
10 different policies.  The question is, which ones do I include in one
big security policy and which ones do I make separate?

thank you.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




--
You can do anything you set your mind to when you have vision,
determination, and an endless supply of expendable labor.

<No trees were harmed during this transmission. However, a great
number of electrons were terribly inconvenienced>
