RE: How to organize a lot of policies?

Subject: RE: How to organize a lot of policies?
Date: Tue, 10 Jan 2006 08:15:36 -0500
Hi N,

The approach I've been most successful with has been hierarchical in nature,
establishing a top-level policy similar to what you describe that includes
an acceptable use agreement/policy. The end-user would then sign that
agreement, which would indicate that they agree to conform to the other
policies, standards, guidelines, procedures, etc., contained within the
entire body of governance documentation/legislation. FWIW, I also try to
limit the number of actual policies, putting greater focus on standards and
guidelines that can be addressed to more targeted areas, providing greater
specificity and value to the organization. For instance, in the last set of
policies I helped draft, we only had 12 policies that were fairly generic,
establishing key verticals such as policy framework, risk mgmt, BCP/DR,
privacy, etc. Under each of these policies is then attached a series of
standards that expand into specific areas. I used ISO 17799 as a reference
for these verticals.

cheers,

-ben

---
Benjamin Tomhave, CISSP
falcon@secureconsulting.net
http://falcon.secureconsulting.net/
 
"We must scrupulously guard the civil liberties of all
citizens, whatever their background. We must remember
that any oppression, any injustice, any hatred is a
wedge designed to attack our civilization."
-President Franklin Delano Roosevelt
 

-----Original Message-----
From: Neksus [mailto:neksus@gmail.com] 
Sent: Monday, January 09, 2006 4:05 PM
To: security-management@securityfocus.com
Subject: How to organize a lot of policies?

Hello,

I am currently working on rewriting / re-working security
policies and there are a *lot* of policies. I'm thinking it's
probably not a good idea to have users sign them all
(especially if they don't apply to them). What I would like to
do is structure them in an easy to organize/update scheme.

I have a couple of strategies in mind and would appreciate some input.

1. Have a mother security policy which will basically say
"be nice", then point to other specific policies (email use,
VPN use, developer's code of conduct, etc.) for more
specific details. This approach is really a "company wide"
approach where 1 signature means the user agrees to all the
policies in place. It's easy but there is no or very low
customization possible.

2. Have a fair usage policy that is wider than the one
above and ask the user's supervisor to make sure the user
signs the right ones. I guess this could be seen as
role-based. If a user is a developer, he would have to sign
X number of policies that would apply to him. I think this is
hard to track.

One of the major goals is to be able to have specific
policies/standards/procedures that are easily understandable
by the common user and not just a "sign here" type of
document. By focusing on the role of the user, I hope he/she
will take the time to read what applies to himself.

Any thoughts?
Thanks!
(N)
