Browsing for Security Policies - Page 2
Another good place to start is the National Security Information site. Offerings there range from "What Do I Put in a Security Policy?" -- a white paper with sample security policy outline included -- to "Real World Problem Cases Caused By Missing Policies," a set of "funny stories."
Additionally, you can access the Internet Engineering Task Force's Site Security Policies Procedure Handbook.Another document that can come in handy is the draft edition of a chapter on Computer and Information Security Policy, aimed at eventual inclusion in the NIST Computer Security Handbook.
Searching for Security
After getting an overview, you can then glom on to an Internet search engine to catch a gander of other companies' real world security policies. If you plan to adapt someone else's policies, though, you should keep copyright issues in mind. Also, it's quite likely that the policies needed by your organizations will be different from those already in place somewhere else.
A company that uses electronic funds transfer (EFT) systems is defintely going to need integrity policies, for instance. Meanwhile, another company, across the street, might be more worried leakage of confidential information from a database.
Topics covered in security policies cover a huge gamut, ranging from passwords and authentication to copyright, backup, and disaster recovery procedures. Many larger companies institute different policies for different facilities, departments, or groups of users.
Depending on the needs of your organization, and your own inclinations, it might make more sense to use ready-made software templates. The SANS Institute is now offering 25 of these for free download in Word format. Topics range from anti-virus process and acceptable encryption to analog/ISDN line and VPN policies.