
Re: Reviewing Policies and Procedures

Subject: Re: Reviewing Policies and Procedures
Date: Thu, 13 Jan 2005 13:38:55 -0600
Chris Downing wrote:

Another popular one I've used, also based on the ISO standard, is NetIQ's
"Security Policies Made Easy."

Chris Downing  CISM CISSP

-----Original Message-----
From: arif.jatmoko@sea.ccamatil.com [mailto:arif.jatmoko@sea.ccamatil.com]
Sent: Thursday, January 13, 2005 3:18 AM
To: security-management@securityfocus.com
Subject: Re: Reviewing Policies and Procedures

Hi,

The best sources for policy and procedure are based on ISO17799, the common
standard of the security industry. However, if you are looking for some sort of
security policy template, you could try RuSecure - Information Security
Policies at www.rusecure.co.uk. It's a collection of security policy
templates based on ISO17799, but it's not free.
SANS is also a good source for policy reference:
http://www.sans.org/resources/policies.

good luck.

Arif Jatmoko
"Miller, Joseph" <Joseph_Miller@jeffersonwells.com>
01/13/2005 06:12 AM
To: <security-management@securityfocus.com>
cc: (bcc: Arif Jatmoko/IDN/SEA/CCA)
Subject: Reviewing Policies and Procedures


First - CW's Policies Made Easy is a terrible resource, it's nothing more than a clearing house (a massive one, at that) of oftentimes outdated policy material. There is no single resource for reviewing policy, as Good Policy is context-based, and should be organization specific. That is to say, simply having a well-written policy does not a good policy make....it needs to be supported, enforced, measured and practical. It should also support the organization's business and Risk Management objectives; as should the underlying process and standards documentation. You should view policies in a hierarchical context, looking for language which shows the policy was crafted to meet a specific risk management objective and that it is consistently enforced and measured. "Secure Internet Practices" (by METASeS) ISBN 0-9704049-0-5 is one of the better books dealing with the entire Policy and security management lifecycle, as it puts the Policy Problem in context and looks at Security Policy from a Risk Management perspective. DISCLOSURE: I am a former employee of and am listed as a technical reviewer for this publication but am not compensated for its sale and do not currently work for METASeS (META Security Group). You should be able to get a used copy on Amazon for under 20....


Good Luck!




Hello, I am a rookie at reviewing policies and procedures for information security and IT controls. Is there an online resource I can use to locate a checklist of P-n-Ps? One of my tasks is to assure that all network infrastructure, server and mainframe subject matters are addressed.

Joe Miller
Jefferson Wells
Project Professional
Technology Risk Management
(480)540-3588
