This month’s theme is policy & government. As information security becomes even more important in government, business and life, information security policies are being developed to combat the emerging threats and regulate industry.

The importance of effective information security policies cannot be overemphasized, as they are the foundation for implementing information security and ensuring the security of the people, systems, and networks within an organization. If an organization lacks security policies, it cannot inform employees and users of their specific security responsibilities. Policies define acceptable system use and user behavior, and those policies must be in place before they can be enforced.

I’ve been a big fan of Information Security Policies Made Easy (ISPME) for a long while. My review of version 11 in 2010 is here and version 12 in 2012 is here.

Now in version 13, the ISPME information security policy template library has more than 1,500 information security policies, on over 200 security topics. The policies are based on ISO 27002, and have coverage maps for PCI, NIST, ISO 27002, FFIEC and HIPAA/HITECH.

Organizations that take information security seriously will likely have used ISPME in its previous versions. But for those that have not yet taken the plunge, ISPME is a valuable tool that can be utilized to create a comprehensive set of information security policies in a cost- and time-effective manner. For those building corporate or organizational security policies, ISPME is clearly the definitive reference.