Security policies are the cornerstone of good security. They are the
'rules': the basic statement of the organization's own security requirements,
and their importance can hardly be over-emphasized.
It is not enough for policies merely to exist, or even to be of suitable
quality; they must also be implemented, enforced, and visibly supported from
the very top of the organization.
The following offers a reasonable starting point. It is not a template in the
strict sense of the term, but rather a typical table of contents for a
comprehensive policy set:
INTRODUCTION
CHAPTER 01 CLASSIFYING INFORMATION AND DATA
  Section 01 Setting Classification Standards
CHAPTER 02 CONTROLLING ACCESS TO INFORMATION AND SYSTEMS
  Section 01 Controlling Access to Information and Systems
CHAPTER 03 PROCESSING INFORMATION AND DOCUMENTS
  Section 01 Networks
  Section 02 System Operations and Administration
  Section 03 E-mail and the Worldwide Web
  Section 04 Telephones & Fax
  Section 05 Data Management
  Section 06 Backup, Recovery and Archiving
  Section 07 Document Handling
  Section 08 Securing Data
  Section 09 Other Information Handling and Processing
CHAPTER 04 PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE
  Section 01 Purchasing and Installing Software
  Section 02 Software Maintenance & Upgrade
  Section 03 Other Software Issues
CHAPTER 05 SECURING HARDWARE, PERIPHERALS AND OTHER EQUIPMENT
  Section 01 Purchasing and Installing Hardware
  Section 02 Cabling, UPS, Printers and Modems
  Section 03 Consumables
  Section 04 Working Off Premises or Using Outsourced Processing
  Section 05 Using Secure Storage
  Section 06 Documenting Hardware
  Section 07 Other Hardware Issues
CHAPTER 06 COMBATING CYBER CRIME
  Section 01 Combating Cyber Crime
CHAPTER 07 CONTROLLING E-COMMERCE INFORMATION SECURITY
  Section 01 E-Commerce Issues
CHAPTER 08 DEVELOPING AND MAINTAINING IN-HOUSE SOFTWARE
  Section 01 Controlling Software Code
  Section 02 Software Development
  Section 03 Testing & Training
  Section 04 Documentation
  Section 05 Other Software Development
CHAPTER 09 DEALING WITH PREMISES RELATED CONSIDERATIONS
  Section 01 Premises Security
  Section 02 Data Stores
  Section 03 Other Premises Issues
CHAPTER 10 ADDRESSING PERSONNEL ISSUES RELATING TO SECURITY
  Section 01 Contractual Documentation
  Section 02 Confidential Personnel Data
  Section 03 Personnel Information Security Responsibilities
  Section 04 HR Management
  Section 05 Staff Leaving Employment
  Section 06 HR Issues Other
CHAPTER 11 DELIVERING TRAINING AND STAFF AWARENESS
  Section 01 Awareness
  Section 02 Training
CHAPTER 12 COMPLYING WITH LEGAL AND POLICY REQUIREMENTS
  Section 01 Complying with Legal Obligations
  Section 02 Complying with Policies
  Section 03 Avoiding Litigation
  Section 04 Other Legal Issues
CHAPTER 13 DETECTING AND RESPONDING TO IS INCIDENTS
  Section 01 Reporting Information Security Incidents
  Section 02 Investigating Information Security Incidents
  Section 03 Corrective Activity
  Section 04 Other Information Security Incident Issues
CHAPTER 14 PLANNING FOR BUSINESS CONTINUITY
  Section 01 Business Continuity Management (BCP)
This outline is extracted from the well-known RUsecure policy set (used with
permission). It is not a complete policy in itself, but it should give a good
idea of the scope a comprehensive policy set needs to cover.