Ben's Book of the Month: Review of "Information Security Policies Made Easy"


Posted on by Ben Rothke

This month’s theme is policy & government. As information security becomes even more important in government, business and life, information security policies are being developed to combat the emerging threats and regulate industry.

The importance of effective information security policies cannot be overemphasized, as they are the foundation toward implementing information security and ensuring the security of the people, systems, and networks within an organization. If an organization lacks security policies, they cannot inform employees and users of their specific security responsibilities. Policies define acceptable system use and user behavior, and those policies must be in place before they can be enforced.

I’ve been a big fan of Information Security Policies Made Easy (ISPME) for a long while. My review of version 11 in 2010 is here and version 12 in 2012 is here

Now in version 13, the ISPME information security policy template library has more than 1,500 information security policies, on over 200 security topics.  The policies are based on ISO 27002, and has coverage maps for PCI, NIST, ISO 27002, FFIEC and HIPAA/HITECH.

Organizations that take information security seriously will likely have used ISPME in its previous versions. But for those that have not yet taken the plunge, ISPME is a valuable tool that can be utilized to create a comprehensive set of information security policies in a cost- and time-effective manner. For those building corporate or organizational security policies, ISPME is clearly the definitive reference.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community