Browsing for Security Policies
It's pretty clear that networks are going to need to pay special attention to security this year, and now is still not too late to review (or put into place) effective security policies. Jacqueline Emigh reports that there are a good many resources that offer templates to get you started.
In the aftermath of September 11, organizations everywhere are shoring up their security defenses. If you're a network manager, chances are good that you'll be called upon to either set up security policies, or to update existing policies. Luckily, though, there are some free resources now available on the Web to help you out.
This month, the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) shone a national spotlight on the need for security policies by issuing a report called Cybersecurity Today and Tomorrow: Pay Now or Pay Later.
Meanwhile, though, in Internet news groups and chat rooms many systems administrators say they are stumped by the policy preparation task.. One administrator asks, for example, "I'm preparing to write a security policy (from scratch) and I'm trying to gather as much information as possible. Where should I begin?"
Even if your company already has security policies in place, bear in mind that these policies need to stay up-to-date. In an earlier report, issued in 1991, the CSTB pointed to viruses as a then-emerging security threat that ought to be rolled into organizational policies.
In 2002, many experts are recommending the integration of physical security into policy statements. Organizations are pulling together information system (IS) security policies with policies for physical access rights, smart-card readers, and CCTV digital cameras, for instance.
In the health care arena, organizations are now updating their policies to comply with the 68 different security conditions mandated by the Health Insurance Portability and Accountability Act (HIPAA).
Ideally, you won't be called upon to set up security policies until your company has done a risk assessment. Typically involving top-ranking company personnel, the risk assessment process weighs various security threats, assigns a level of concern to each, and articulates policies about which threats are serious enough to be worth resisting.
If you are assigned to write the security policies for your company, where should you start? One popular book on the subject is Information Security Policies Made Easy, by Charles Cresson Wood.
However, there are free resources on the Web that include backgrounders and white papers as well as sample security policies and modifiable software templates.