Security policies are like fiber (the kind you eat, not the telco type). Everyone agrees they are important, but few want to deal with them. Most organizations eventually reach the point where they are forced to tame the beast known as information security policies. They are often forced into this when they get a request for a third-party audit, a PCI DSS compliance assessment, a visit from the FTC, and the like. With that, information security policies are an important part (but, contrary to popular belief, not the only part) of a comprehensive security program.

In Information Security Policies, Procedures, and Standards: A Practitioner's Reference (Auerbach Publications, ISBN 978-1482245899), author Douglas Landoll has written a helpful resource for those looking to tame the security policy beast as they embark on the journey of creating (or updating) security policies.

Google "information security policy" and you'll get tens of millions of hits. While there's no shortage of publicly available policies, the key (and the challenge) is to craft and customize policies so that they work for the specific organization they are meant to protect.

While the second half of the book does contain such policies, which the author created for the State of Arizona, the real value is in the first half, where he shows what it takes to create a set of effective security policies.

Cutting and pasting public policies is bound to fail; instead, the book shows how to develop security policies using a consistent set of terminology and methods, together with a common policy format and structure.

For anyone at their first rodeo of information security policy creation, or looking to improve an existing policy set, Information Security Policies, Procedures, and Standards: A Practitioner's Reference is a worthwhile reference.