
| Subject: | RE: Reviewing Policies and Procedures |
|---|---|
| Date: | Mon, 17 Jan 2005 09:34:22 -0600 |

All,

The members of this list are very helpful. All of the web sites suggested have been a great help in forming my checklist of necessary security elements or processes in IT policy and procedures. Also, these resources will have even higher value once we start filling the "gaps" in our P-n-Ps.

Thank you very much.

-----Original Message-----
From: Khan, Imran (Imran) [mailto:ikhan@lucent.com]
Sent: Friday, January 14, 2005 5:45 PM
To: 'Matthew Caston'; Chris Downing; 'arif.jatmoko@sea.ccamatil.com'
Cc: security-management@securityfocus.com
Subject: RE: Reviewing Policies and Procedures

Folks,

Charles Cresson Wood http://www.baselinesoft.com/products.html is an excellent resource to have. In addition, you might want to look into Callio http://callio.com/. It is a policy definition and deployment software based on ISO17799.

Cheers,
IK

-----Original Message-----
From: Matthew Caston [mailto:mattcaston@mchsi.com]
Sent: Thursday, January 13, 2005 2:39 PM
To: Chris Downing
Cc: security-management@securityfocus.com
Subject: Re: Reviewing Policies and Procedures

Chris Downing wrote:

Another popular one I've used, also based on the ISO standard, is NetIQ's "Security Policies Made Easy."

Chris Downing
CISM CISSP

-----Original Message-----
From: arif.jatmoko@sea.ccamatil.com [mailto:arif.jatmoko@sea.ccamatil.com]
Sent: Thursday, January 13, 2005 3:18 AM
To: security-management@securityfocus.com
Subject: Re: Reviewing Policies and Procedures

Hi,

The best sources for policy and procedure are based on ISO17799, the common standard of security industries. However, if you are looking for some sort of security policy template, you could try RuSecure - Information Security Policies at www.rusecure.co.uk. It's a collection of security policy templates based on ISO17799, but it's not free. SANS is also a good source for policy reference: http://www.sans.org/resources/policies.

Good luck.

Arif Jatmoko

"Miller, Joseph" <Joseph_Miller@jeffersonwells.com>
01/13/2005 06:12 AM
To: <security-management@securityfocus.com>
cc: (bcc: Arif Jatmoko/IDN/SEA/CCA)
Subject: Reviewing Policies and Procedures

First - CW's Policies Made Easy is a terrible resource, it's nothing more than a clearing house (a massive one, at that) of oftentimes outdated policy material.

There is no single resource for reviewing policy, as Good Policy is context-based, and should be organization specific. That is to say, simply having a well-written policy does not a good policy make....it needs to be supported, enforced, measured and practical. It should also support the organization's business and Risk Management objectives; as should the underlying process and standards documentation.

You should view policies in a hierarchical context, looking for language which shows the policy was crafted to meet a specific risk management objective and that it is consistently enforced and measured.

"Secure Internet Practices" (by METASeS) ISBN 0-9704049-0-5 is one of the better books dealing with the entire Policy and security management lifecycle, as it puts the Policy Problem in context and looks at Security Policy from a Risk Management perspective.

DISCLOSURE: I am a former employee of and am listed as a technical reviewer for this publication but am not compensated for its sale and do not currently work for METASeS (META Security Group).

You should be able to get a used copy on Amazon for under 20....

Good Luck!

Hello,

I am a rookie at reviewing policies and procedures for information security and IT controls. Is there an online resource I can use to locate a checklist of P-n-Ps? One of my tasks is to assure that all network infrastructure, server and mainframe subject matters are addressed?

Joe Miller
Jefferson Wells
Project Professional
Technology Risk Management
(480)540-3588

Internet Email Confidentiality

The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that it is strictly prohibited (a) to disseminate, distribute or copy this communication or any of the information contained in it, or (b) to take any action based on the information in it. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email