
Topic-based Information Security Policies
Written and published by IsecT Ltd.
More than 40 policy templates of approximately 4 pages each, supplied as Microsoft Word files 
Price: US$345*
Adobe Acrobat PDF sampler
Introduction
Inspired by the excellent feedback from happy customers who have taken up the other security awareness and policy materials we sell, we have prepared a suite of employee-focused policies covering a wide range of common information security topics:
- Access control policy - covers the linkages between access rights, permissions and roles;
- Audit and security logging policy - log analysis, of course, plus specification and development of logging and log analysis functions;
- Backup and archival policy - important, fundamental controls against loss of data;
- Business continuity policy - distinguishes resilience and high availability from recovery and contingency;
- BYOD (Bring Your Own Device) security policy - a clear policy is vital if your organization allows employees to use their personal ICT devices for work;
- Change and configuration management security policy - mostly IT changes but the security principles are broader;
- Cloud computing security policy - promotes the controls applicable to cloud computing and IT outsourcing;
- Compliance policy - compliance with security policies, standards, laws, regulations and contracts;
- Contractors and consultants security policy - special security arrangements for these special temps;
- Cryptography policy - covers both encryption and authentication;
- Database security policy - emphasizes the specification, design and implementation of a broad spectrum of security controls in database systems;
- Digital forensics policy - the collection and analysis of forensic evidence must be formalized, hence a formal policy is entirely appropriate;
- Disposal of information policy - don’t just throw used storage media away!;
- Division of responsibilities policy - also known as segregation of duties;
- Email and person-to-person messaging security policy - no shortage of security issues here!;
- Ethics policy - moral guidance promotes an ethical stance in relation to information protection;
- Fraud policy - covers issues such as identity theft, impersonation and deception;
- Hacking policy - distinguishes hackers from crackers but lays down the law for both;
- Identification and authentication policy - mostly concerns the methods used to authenticate the identities claimed by individuals;
- Incident management policy - covers the coordination and handling of information security incidents;
- Information asset ownership policy - the Information Asset Owner concept is vital for accountability for the protection of information assets;
- Information classification policy - lays out four classification levels for confidentiality, plus two for integrity and three for availability, but of course you can simplify or enhance the scheme as you wish;
- Information exchanges security policy - specifies security controls appropriate to business relationships, network connections and other information shared or exchanged with third parties;
- Information governance policy - complements the organization’s governance policy with specific reference to the governance processes associated with information assets;
- Information integrity policy - maintaining the completeness, accuracy and timeliness of information;
- Information risk management policy - identifying, treating and monitoring information security risks;
- Insider threats policy - deals with the information security threats presented by employees and trusted third parties with inside access to the organization;
- Intellectual property rights policy - controls such as copyright, trademarks and patents protecting intellectual property belonging to the organization and third parties;
- IT audit policy - IT audits complement and support information security management;
- Malware policy - specifies key controls necessary to prevent, detect and correct incidents caused by viruses, worms, Trojans and other malicious software (not just antivirus!);
- Network security policy - a high-level policy that links to more detailed policies for cryptography, identification and authentication, access control, email security, information exchange etc.;
- Office information security policy - information security matters relevant to the office environment;
- Physical information security policy - physical protection includes physical access controls plus essential services for IT systems such as power and air conditioning;
- Portable IT security policy - protection for laptops, PDAs and other ICT gadgets;
- Privacy compliance policy - privacy requirements are largely enshrined in law, hence the policy promotes compliance with the legal obligations toward protection of personal information;
- Proprietary information security policy - a twin for the privacy policy concerning protecting the organization’s trade secrets and other valuable/sensitive information;
- Reporting information security incidents policy - requires employees to report information security incidents and near-misses promptly;
- SCADA-ICS security policy - security aspects of industrial control systems, embedded systems and plant management interfaces;
- Security awareness and training policy - specifies an information security awareness and training program to inform and motivate all workers regarding their information security obligations;
- Social engineering policy - employees must recognize and respond to social engineering attacks, and not use the techniques inappropriately themselves;
- Social networking and social media security policy - defines what employees may and may not disclose through social media;
- Software development and acquisition security policy - requires that developed software incorporates suitable information security controls, and development assets are protected;
- Software implementation security policy - information security and process controls relating to the implementation (primarily the testing and release) of computer systems;
- Wireless networking security policy - wireless networking is permitted provided it is adequately secured.
As you will see, each policy covers a different information security ‘topic’ - 44 so far and we are open to suggestions if you need others. The policies are written in a formal style, but as simply and straightforwardly as we can to keep them readable (e.g. no unhelpful pseudo-legal phrasing such as “include, but are not limited to”). The policies mandate typical good practice security controls that, in our experience, are normally used to address common security risks.
The information security controls mandated by the policies are a balanced mixture of procedural, technological and physical countermeasures as appropriate. Preventive/deterrent controls are generally emphasized over detective and corrective controls, but again we have tried to maintain a balance in case prevention/deterrence fails.
The sample policy is representative, demonstrating the style and structure of them all:
- In one short paragraph, the summary tells readers quickly what the policy is about;
- An applicability paragraph states to whom the policy applies and is relevant;
- The background briefly introduces the security topic, setting the scene and providing context for the policy;
- The policy axiom/s succinctly lay out the key control requirements, stating what the following policy statements are intended to achieve;
- The detailed policy statements amplify and expand upon the axiom/s, giving a little practical guidance on how the control requirements are to be satisfied in practice;
- The responsibilities section identifies which functions/roles/people in the organization are expected to enact, comply with and ensure compliance with the policy;
- A table of references directs readers to related policies and other supporting materials;
- The support section sends readers to the IT Help/Service Desk or Information Security’s intranet Security Zone for further advice and information;
- The disclaimer is our reminder that you must consider your security risk and control requirements, adapting the generic policy template accordingly. Take this out before issuing yours! You may choose to replace it with a standard ‘document control’ section instead, typically stating things such as the policy owner, version, issue date, authorization status and planned policy review date.
Our policies are entirely vendor-neutral. For obvious reasons, there is a bias towards relatively simple and cost-effective controls over those that are more complex and/or expensive, but feel free to refer to your state-of-the-art Intrusion Prevention System bling!
Intended audience
The writing style is quite formal as befits policies, but not stilted legalese. They are intended to be read and understood by all employees and are written with a general, non-technical audience in mind. We’ve done our best to avoid jargon, and respect the rules of English grammar and US American spelling.
Most are three or four pages long, including just a page or so of policy statements. They could easily be cut down by removing the other sections if you are determined to make your policies skeletal, but don’t underestimate the value of the bits you would be chopping out: should you maybe offer full versions as well for those who prefer more meat on their bones?
These topic-based policies complement and support the Corporate Information Security Policy (which is primarily intended for senior management) and Information Security Policy Manual (aimed at information security professionals) if you have licensed those too.
What you will actually get
Unlike the PDF sampler, the actual policies are delivered to customers as ordinary Microsoft Word 2010 .docx files, packaged up in a zip file for delivery as a set.
The Word files are unlocked and fully editable. We consciously choose not to apply Digital Rights Management that would make them more difficult for you to use, but naturally we do protect our intellectual property using copyright law and a signed license agreement.
The documents use Word headings and styles consistently, making it straightforward to adopt your own house style if you don’t like ours.
The templates include an image as a placeholder on the front page but you are encouraged to replace it with something more appropriate, ideally your own information security logo. The idea is to make your policies look polished and professional, and provide a distinctive visual cue or branding to associate all your policies together in the readers’ minds.
Provided you can open the files and read the content, there is no particular reason for you to stick to MS Word. If you need to move them to HTML, PDF, WordPerfect, Notepad, Morse code or wax tablets, go right ahead. Feel free to cut-n-paste relevant sections into your own corporate policy templates, incorporate and merge additional policy content from other sources, pop them into your in-house policy management system or Information Security’s intranet website, incorporate stuff into your induction and training course materials, put them up on posters, circulate them as desk-drops, mouse mats or coasters ... pretty much whatever you like really provided you stick within the terms of the license.
What the topic-based policy templates are not
The policy templates are not legal advice. Your specific obligations and commitments towards information security and privacy compliance are not explicitly covered. We have no knowledge, for example, of your contractual commitments on security and privacy, or the particular laws and regulations that apply to your organization.
In the same vein, we don’t know about your particular information security risks, your risk appetite or your control requirements. We haven’t analyzed your unique information security risks ... but hopefully you have. The policies are generic, not tailored to your organization, which is why we refer to them as ‘templates’. They document our understanding of commonplace good practice or baseline controls. Customizing or building from this base saves you a lot of time and effort compared to starting from scratch, but you must still make the effort to check and where necessary adapt the content. You may for example have some unusual security controls addressing specific risks in addition to or in place of the generic controls described. Don’t forget to reference your corporate policies, procedures and standards, and state the contact details for your help desk and support people. We can’t do that for you.
The policy templates do not include or incorporate the content of the ISO/IEC 27000-series standards, although a few of the policy templates make passing reference to the ISO standards and they are all at least broadly aligned with them in terms of the good practice controls recommended. They also align with and support the Corporate Information Security Policy and Information Security Policy Manual.
The policy templates sit in the middle area of the policy pyramid as shown here. They are not totally comprehensive, nor do they provide generally-applicable security objectives or statements that are normally documented in a high-level corporate security policy. Likewise they are not technical security policies or standards giving explicit security configuration details for particular IT systems, applications or devices. The specific details tend to vary between organizations and, of course, across different platforms. These settings would normally be described within your technical security standards and configuration guides, citing higher-level policy requirements in your version of the Information Security Policy Manual and/or the Corporate Information Security Policy. Lower-level security procedures, guidelines etc. are not provided, although a few common ones are mentioned and referenced in the policy templates. You will have to fill in the gaps.
How to purchase the policy templates
Email us for the license agreement and an invoice for US$345*. We ask you to sign and return a perpetual license governing your use of the materials in order to protect our intellectual property. You are welcome to settle the invoice through PayPal using your credit card, or by international bank transfer.
We will send you a zip file containing the policy templates shortly after receiving both your payment and the signed license.
Please note: you can save well over US$100* by purchasing the Corporate Information Security Policy, the Information Security Policy Manual and the Topic-based Information Security Policies together as a complete set. As an incentive to subscribe to the NoticeBored security awareness service, the complete policy set is provided free of charge to NoticeBored subscribers. Please contact us for details.
* plus GST (sales tax) for New Zealand customers