RFC2196 (Site Security Handbook):
a guide to developing computer security policies and procedures for
sites that have systems on the Internet. Published 1997.
http://www.cis.ohio-state.edu/htbin/rfc/rfc2196.html
Email Policy.com:
Learn how to create a company e-mail policy and enforce it using
email security software. Also lists sample email policies, books and
links.
http://www.email-policy.com
Computer and Information Security Policy:
Formal IT security policy helps establish standards for IT resource
protection by assigning program management responsibilities and
providing basic rules, guidelines, and definitions for everyone in
the organization. Policy thus helps prevent inconsistencies that can
introduce risks, and policy serves as a basis for the enforcement of
more detailed rules and procedures.
http://secinf.net/info/policy/hk_polic.html
IT Security Cookbook:
An excellent guide to computer & network security with a strong
focus on writing and implementing security policy. This is primarily
for security managers and system administrators.
http://www.boran.com/security/
Internet/Network Security Policy Development:
How to write an effective network security policy. This is Part 4 of
a five-part tutorial on Internet and network security.
http://netsecurity.about.com/compute/netsecurity/library/weekly/aa080299.htm?iam=mt
Enhancing Enterprise Security:
This is a solid site with a good overview of all factors that
should go into the design of a security policy.
http://www.3com.com/technology/tech_net/white_papers/503023.html
Outsourcing Security Management:
The purpose of this paper is to highlight some high-level security
issues faced by organizations when outsourcing security management.
Some key factors regarding preparation and management of the
outsourcing partnership are also included.
http://www.sans.org/infosecFAQ/policy/outsourcing.htm
Policy Over Policing:
InfoWorld article - It's easy to develop e-mail and Internet
policies, but education and documentation are crucial to their
success.
http://archive.infoworld.com/cgi-bin/displayArchive.pl?/96/34/e01-34.55.htm
How to Develop a Network Security Policy White Paper:
This document is for business executives, and others, who want to
know more about Internet and internetworking security and what
measures they can take to protect their site.
http://www.sun.com/software/white-papers/wp-security-devsecpolicy/
CERT Practice Modules: Improving Security:
Determine contractor ability to comply with your organization's
security policy.
http://www.cert.org/security-improvement/practices/p019.html
Make Your Web Site P3P Compliant:
How to create and publish your company's Platform for Privacy
Preferences (P3P) policy, a W3C initiative, in 6 steps.
http://www.w3.org/P3P/details.html
Information Security Program Development:
Security standards are needed by organizations because of the amount
of information, the value of the information, and ease with which
the information can be manipulated or moved.
http://www.blackmagic.com/ses/bruceg/progmgt.html
Structured Approach to Computer Security:
A security policy is a set of rules written in general terms stating
what is permitted and what is not permitted in a system during
normal operation.
http://www.ce.chalmers.se/staff/ulfl/pubs/tr122to.pdf
Firewalls and Internet Security:
A good paper covering firewall theory and descriptions, including an
example network security policy.
http://secinf.net/info/fw/steph/
Toward Standardization of Information Security: BS 7799:
This paper describes BS 7799, the "Code of Practice for Information
Security Management", as an information security management system,
identifies the industry movement toward BS 7799 certification,
reports the current effort involving the transformation of BS 7799
into ISO 17799, and suggests a need for the information security
professional to become familiar with BS 7799.
http://www.sans.org/infosecFAQ/policy/standardization.htm
World of Information Security Management:
This site contains information on BS 7799 (ISO/IEC 17799), including
the official Register of BS 7799 Certificates, the International BS
7799 User Group, and papers on the application of BS 7799 produced by
businesses around the world.
http://www.xisec.com
Developing Effective Information Systems Security Policies:
This paper takes a top-down approach and provides a high-level
overview for developing effective information systems policies.
http://www.sans.org/infosecFAQ/policy/effective.htm
Create Order with a Strong Policy:
A well-written, well-run security policy keeps cracks from appearing
in your network's foundation.
http://www.networkmagazine.com/article/NMG20000710S0015
Policies and Procedures:
A presentation from the SANS institute course "Building an Effective
Security Infrastructure", which outlines the elements to be included
when designing a corporate security policy. Also available for
download in PowerPoint format.
http://www.sans.org/newlook/resources/policies/bssi3/index.htm
Do you have an intrusion detection response plan?:
Discussion of what should go into the creation of an intrusion
detection plan and the expected results.
http://www.nwfusion.com/newsletters/sec/0913sec1.html
P3P Guiding Principles:
Principles behind the W3C Platform for Privacy Preferences
initiative.
http://www.w3.org/TR/NOTE-P3P10-principles
Windows 2000 Group Policy and Security:
The use of Group Policy to simplify the network security tasks that
you face as a network administrator. With Group Policy, you can
ensure that the machines on your network remain in a secure
configuration after you deploy them.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9169
What's Your Policy?:
If your company doesn't have written security policies, it's time it
did, and Mark Edwards has some resources to help.
http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=9764
Why Security Policies Fail:
Objective analysis reveals that many breaches are linked to common
weaknesses in the security policy: accidents waiting to happen.
This article focuses on strategic and systematic weaknesses that can
slowly degrade security operations.
http://www.securityfocus.com/data/library/Why_Security_Policies_Fail.pdf
Site Security Policy Development:
This paper outlines some issues that the writer of a Site Computer
Security Policy may need to consider when formulating such a
document.
http://secinf.net/info/policy/AusCERT.html
Best Practices in Network Security:
Knowing how and what to protect and what controls to put in place is
difficult. It takes security management, including planning, policy
development and the design of procedures.
http://enterprisesecurity.symantec.com/article.cfm?articleid=42&PID=372347
Internet Security Policy: A Technical Guide - Contents:
This document is intended to help an organization create a coherent
Internet-specific information security policy.
http://secinf.net/info/policy/isptg.en/ISPTG-Contents.html
Herding Cats 101: Development & Implementation of Security Policies
at a University:
The widely-publicized denial of service attacks of February 2000
showcase the need for a basic security policy which governs and
oversees the type of activities that are allowed on university
computing and network resources.
http://www.sans.org/infosecFAQ/policy/herding.htm
How to Develop Your Company's First Security Baseline Standard:
The goal of this document is to provide a guide for those charged
with designing and implementing baseline security standards for the
first time.
http://www.sans.org/infosecFAQ/policy/baseline.htm
Information Security Awareness Policy:
This document will explain the implementation of a security
awareness policy and in what ways it is used to involve the user to
be more alert towards security issues.
http://www.sans.org/infosecFAQ/policy/infosec_awareness.htm
What Do I Put in a Security Policy?:
Discussion of how to use all the available information on security
policies to create a client specific policy. Contains a sample
policy outline.
http://www.sans.org/infosecFAQ/policy/policy.htm
Developing a Computer Security Proposal for Small Businesses - How
to Start:
It has been widely reported that computerization has played a
significant role in the current economic expansion. However, when it
comes to systems management in general, and systems security in
particular, small businesses are ill prepared to deal with the
challenges that increased automation and increased connectivity
bring.
http://www.sans.org/infosecFAQ/policy/cssb.htm
Network Security Policy: A Manager's Perspective:
The tool that a Network Manager has to facilitate and manage good
Network Security is policy.
http://www.sans.org/infosecFAQ/policy/netsec_policy.htm
Considerations for an Acceptable Use Policy for a Commercial
Enterprise:
Computer security policies are the high cover that allow the
computer security professional to effectively operate in an
enterprise where the ultimate goal is to produce a product at a cost
that allows the company to successfully compete in the marketplace.
http://www.sans.org/infosecFAQ/policy/considerations.htm
How to Check Compliance with your Security Policy:
In an age where security is becoming more important to many
organisations, it is important for such organisations to document
their security policy, just as they would document their marketing
policy, client service policy or accounting policies. But the effort
of just documenting policies is insufficient, since it is no use
going through the effort and costs of developing a security policy
and not implementing or updating it.
http://www.sans.org/infosecFAQ/policy/compliance.htm
When a Security Policy Matures into a Security Solution:
It is only through the implementation of security policies with a
policy framework and testing to see whether the security exposures
were reduced that one can measure if the security policy matured
into a security solution.
http://www.sans.org/infosecFAQ/policy/matures.htm
Enterprise Security Management (ESM): Centralizing Management of
Your Security Policy:
This paper will define Enterprise Security Management (ESM). It will
discuss motivations for implementing ESM. It will also look at
security policy development and overview some of the items that
security policy should contain.
http://www.sans.org/infosecFAQ/policy/ESM.htm
Creating Security Policies: Lessons Learned:
After attending SANS training or other security classes we return to
work with an eagerness to move forward with hardening servers,
tightening firewalls, and implementing intrusion detection systems.
This paper shows the reader some steps we have taken on our
continuing journey towards a full set of security policies and
procedures.
http://www.sans.org/infosecFAQ/policy/creating.htm
ISO 17799 Service & Software Directory:
Services and software for ISO 17799 audit, compliance,
implementation and security risk analysis.
http://www.iso17799software.com/
ITworld.com - Security's human side:
IT World article - essentially a review of Pentasafe's VigilEnt
security policy management product.
http://www.itworld.com/Man/3903/IWD010529securityshuman/
Introduction and Education of Information Security Policies to
Employees:
Information Security Policies are necessary to ensure that important
data, business plans and other confidential information are
protected from theft or unauthorized disclosure. If employees of any
organization are not aware of these policies, they will not know
what is expected of them.
http://www.sans.org/infosecFAQ/aware/infosec_policies.htm
Steps to a Secure Network:
The typical corporate security objective of the past has been to
protect the Enterprise network from the Internet, but as we are
reading in the news today, this has not been enough. The first step
in protecting the Enterprise is to set realistic expectations.
http://www.sans.org/infosecFAQ/policy/steps.htm
A System Security Policy for You:
The purpose of this document is to meet the requirements of the GIAC
Security Essentials assignment and to provide other interested
parties with a reference document that they can use to get their
System Security Policy (SSP) document started.
http://www.sans.org/infosecFAQ/policy/sys_sec.htm
Security Awareness: Are Your Users "clued in" or "clueless"?:
A sound security policy is the foundation of any successful security
program. The policy defines the organization's overall posture toward
security.
http://www.sans.org/infosecFAQ/policy/sec_aware.htm
Browsing with a Loaded Gun:
A strong web Security Policy is key to keeping your company safe in
the net-centric world. (PDF format)
http://www.pentasafe.com/whitepapers/LoadedGun.PDF
PKI Policy Whitepaper:
This PKI Note provides general information about PKI policy, the
role that policy plays in a PKI and how that policy applies to both
traditional and PKI-enabled business environments.
http://www.pkiforum.org/pdfs/pki_policy.pdf
The Information Security Forum:
It has produced the standard to provide guidelines on all aspects of
information security including IT, data, and computer controls.
http://www.isfsecuritystandard.com
E-Policy:
E-policy is a corporate statement and set-of-rules to protect the
organisation from casual or intentional abuse that could result in
the release of sensitive information, IT system failures or
litigation against the organisation by employees or other parties.
http://www.c2c.com/industry/whitepapers_policy.htm
Leveraging a Security Awareness Program from a Security Policy:
Activities and procedures that give the Security Policies credibility
and visibility. That is, a program that uses activities such as news
and anecdotal stories, situational examples and discussion to lend
relevance and pertinence to the policies.
http://www.sans.org/infosecFAQ/policy/leveraging.htm
The Clark-Wilson Security Model:
This paper explores the nature and scope of the Clark-Wilson (CW)
model, which focuses on information integrity.
http://www.sans.org/infosecFAQ/policy/clark-wilson.htm
Security Policy: What it is and Why - The Basics:
A security policy is nothing more than a well-written strategy on
protecting and maintaining availability to your network and its
resources.
http://www.sans.org/infosecFAQ/policy/sec_policy.htm
Controlling Inside Threats: Stalking the Wild End User:
Threats come to a computer system from two sources: those outside
the firewall, and those inside the firewall. Outside threats are
often more dramatic than inside threats - the cola crazed hacker
breaching the firewall at 3 AM is a popular stereotype. However,
inside threats will occur more often and consume more of a Security
Manager's time.
http://www.sans.org/infosecFAQ/policy/wild_end.htm
Danger Within:
The threats to a network come in many forms - from disgruntled
employees, corporate espionage, lax system administrators, faulty
products and poorly educated users. All of these fall into one of
three categories: malicious attacks, misconfiguration (vendor or
administrator), and user ignorance.
http://www.sans.org/infosecFAQ/policy/danger.htm
Federal Systems Level Guidance for Securing Information Systems:
The need for security guidelines and defense-in-depth strategies has
never been greater. As a result, Federal legislation has been / is
being enacted to aid in securing national information systems.
http://www.sans.org/infosecFAQ/policy/fed_sys.htm
Development of an Effective Communications Use Policy:
Development of a good Communications Use Policy (also called an
Acceptable Use Policy) is the cornerstone of a strong information
security program.
http://www.sans.org/infosecFAQ/policy/com_use.htm
Managing Internet Use: Big Brother or Due Diligence?:
This paper describes the major risks of granting widespread Internet
access along with suggestions to mitigate them. It also covers
monitoring policies and the privacy issues that arise from
monitoring Internet use.
http://www.sans.org/infosecFAQ/policy/internet_use.htm
Security Policies in a Global Organization:
In order to deal with the issues around security policies in a
global organization it is probably necessary to create a tiered
structure of information security policies with some policies
applying globally throughout the organization, and other policies
applying to individual geographical, or regional entities.
http://rr.sans.org/policy/global_org.php
Encryption Policies: A Task-Oriented Approach:
This paper presents a comprehensive set of encryption policies and
best practices that should be considered by an organization.
http://rr.sans.org/policy/encryption_policies.php
An Overview of Corporate Computer User Policy:
A corporate security policy is the gateway to a company's
intellectual property. In today's world of information technology,
the main threat to information security within a company is its
employees.
http://rr.sans.org/policy/corp_user.php
Security, It's Not Just Technical:
The goal of this paper is to introduce the need for an adequate
information security policy within your respective
workplace/organization.
http://rr.sans.org/policy/tech.php
Creating an Information Systems Security Policy:
The following paragraphs are going to be a general outline as to
what should be included in an Information Systems Security Policy.
http://rr.sans.org/policy/infosys.php
Technical Writing for IT Security Policies in Five Easy Steps:
This paper points new policy technical writers in the right
direction and provides a solid foundation from which to start.
Follow these five easy steps when writing IT Security policies.
http://rr.sans.org/policy/tech_writing.php
What makes a good security policy and why is one necessary?:
Security does not come from automated applications alone; rather, it is
composed of security applications or systems, processes and
procedures, and the personnel to implement both the systems and
processes. In order to properly address security, the most
fundamental item necessary is a security policy.
http://www.giac.org/practical/Caroline_Reyes_GSEC.doc
Formulating a Wireless LAN Security Policy: Relevant Issues,
Considerations and Implications:
[Word Document] This paper presents the security issues related to
the use of wireless (vs wired) LAN technology and recommends a
number of key implementation guidelines to ensure the secure
deployment of wireless LAN services in the company.
http://www.giac.org/practical/David_Quay_GSEC.doc
How to Develop Good Security Policies and Tips on Assessment and
Enforcement:
[Word Document] Invest the time up front to carefully develop sound
policies and then identify ways to gauge their effectiveness and
assess the level of compliance within your organization. Commit to
spending the time and resources required to ensure that the policies
are kept current and accurately reflect your company's security
posture.
http://www.giac.org/practical/Kerry_McConnell_GSEC.doc
Developing Security Policies: Charting an Obstacle Course:
This paper discusses the issues faced by those at my educational
institution in trying to develop security policies. Some highlights
include battling the myth of security, deciphering the meaning of
security, receiving mixed signals about the importance of security,
trying to keep it simple, trying to get it done quickly and trying
to prevent it from failing.
http://rr.sans.org/policy/course.php
Defining Policies Using Meta Rules:
This paper seeks to initiate a discussion on how to design and
implement security policies within a company through the use of meta
rules.
http://rr.sans.org/policy/meta_rules.php
A Preparation Guide to Information Security Policies:
This paper introduces security policies, as an information paper
pertaining to what one should know prior to writing a security
policy.
http://rr.sans.org/policy/prep_guide.php
Sensitive But Unclassified:
As a portion of virtually every organization's policy, there will
necessarily be rules and procedures that address the handling of
information within that organization. Whether it is a corporation,
a non-profit organization or the federal government, the loss of
critical information can be damaging.
http://rr.sans.org/policy/sensitive.php
The Basics of an IT Security Policy:
This paper is intended to address the importance of having a written
and enforceable Information Technology (IT) security policy, and to
provide an overview of the necessary components of an effective
policy.
http://www.giac.org/practical/jack_albright_gsec.doc
When Policies that have Always Worked, Don't:
The scenario described in this paper outlines a failure of our human
systems due to a limitation in our thinking about our procedures
that could easily have had catastrophic results.
http://rr.sans.org/signup/login.php?e327cfa29894664110d30f2e80d45368
The BS7799 Security Zone:
Information, guidance and resources to address the BS7799 security
standard.
http://www.thewindow.to/bs7799/
ISO 17799 Resource:
A guide to ISO 17799, the international standard for Information
Security Management, based on the British Standard BS 7799:
building awareness of Information Security Management,
implementing an information security management system, and BS
7799 registration and assessment.
http://www.iso17799resource.com/index.xalter
GASSP Home Page:
Generally Accepted System Security Principles, developed by The
International Information Security Foundation.
http://web.mit.edu/security/www/gassp1.html
Policy Primer:
This short primer on developing security policies is taken from a
full-day tutorial titled "Proven Practices for Managing the Security
Function".
http://www.sans.org/newlook/resources/policies/Policy_Primer.pdf
Developing an Information Security Strategy:
This whitepaper describes the steps needed to develop an
organization-wide information security strategy.
http://www.hartgregorygroup.com/sec-strategies/LogicalSecurityStrategy.PDF
ISO17799 Document from ISO:
Purchase ISO17799 security standard document from ISO.
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3=
RUsecure Information Security Policies:
The source site, including free to access download, for the ISO
17799-aligned RUsecure Information Security Policies.
http://www.information-security-policies.com
The ISO 17799 Community Portal:
Community site and portal dedicated exclusively to the ISO 17799
security standard.
http://www.17799.com
Acceptable Use Policy Report:
A report on Acceptable Usage Policy: what corporations expect of it,
a case study, and a framework for creating your own policy.
http://members.iinet.net.au/~colinwee/mbt/acceptableuse/
An Induction to BS7799 and ISO 17799:
A presentational site describing the specification and definition
within Part 2 of the standard.
http://www.induction.to/bs7799/
Building and Implementing a Successful Information Security Policy:
White paper providing the reader with new and innovative aspects on
the process of building a Security Policy, as well as managing a
Security Awareness Program.
http://www.windowsecurity.com/pages/security-policy.pdf