Information Security Policies, Procedures, and Standards: A Practitioner's Reference

Posted on by Ben Rothke

Security policies are like fiber (the kind you eat, not the telco type). Everyone agrees they are important, but people often don’t want to deal with them. Most organizations eventually realize there comes a time when they are forced to tame the beast known as information security policies. They are often forced into this when they get requests for a 3rd-party audit, PCI DSS compliance, a visit from the FTC, and the like. With that, information security policies are an important part (but contrary to popular belief, not the only part) of a comprehensive security program.

In Information Security Policies, Procedures, and Standards: A Practitioner's Reference (Auerbach Publications ISBN 978-1482245899), author Douglas Landoll has written a helpful resource for those looking to tame the security policy beast as they embark on their journey towards creating (or updating) security policies.


Google "information security policy" and you’ll get tens of millions of hits. While there’s no shortage of publicly available policies, the key (and challenge) is to craft and customize policies to ensure they work for the specific organization they are to protect.

While the second half of the book does have such policies that the author created for the State of Arizona, the real value is in the first half, where he shows what it takes to create a set of effective security policies.

Cutting and pasting public policies is bound to fail. Instead, the book shows how to develop security policies using a consistent set of terminology and methods, in addition to a common policy format and structure.

For anyone on their first rodeo of information security policy creation, or looking to improve their existing policy set, Information Security Policies, Procedures, and Standards: A Practitioner's Reference is a worthwhile reference.




Ben Rothke

Senior Information Security Manager, Tapad
