Information Security Policies Made Easy

Posted by Ben Rothke

Information Security Policies Made Easy (version 11) is the newest version of a vital information security reference. Full disclosure: Information Shield is the publisher of this book and I am on the Information Security Policy Expert Panel. I have no relevant financial interests as part of being on the expert panel.

In technology, books are often obsolete shortly after publication. Given the dynamic nature of technology, very few technology books can stand the test of time and remain relevant for a few years, let alone a decade after their original printing. Some of those rare titles that seem timeless include Applied Cryptography by Bruce Schneier, Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson (reviewed here in the RSA reading room), and the book I'll review here, Information Security Policies Made Easy (ISPME), which is one of the most important information security books available for those who are serious about creating a comprehensive set of information systems security policies.

The importance of effective information security policies cannot be overemphasized, as they are the foundation for implementing information security and ensuring the security of the people, systems, and networks within an organization. If an organization lacks security policies, it cannot inform employees and users of their specific security responsibilities. Policies define acceptable system use and user behavior, and those policies must be in place before they can be enforced.

Version 11 of ISPME contains more than 1350 pre-written security policies that can be used as a framework for the creation of a comprehensive set of information security policies. The book comes with a CD-ROM that includes every policy. The beauty of ISPME is that it removes the huge burden and time required to create a global set of security policies. With ISPME, you can immediately begin exploring the myriad policies required for information security. 

One of the biggest mistakes you could make, however, when using ISPME, is to implement a policy too quickly, without deciding specifically how those policies will be selected, developed, deployed, maintained, and enforced. With that in mind, Chapter 2 provides an orientation to the information security policy writing and development process. The book states that while it may be tempting to immediately start cutting and pasting policies together, it is crucial to understand both what the policies do and what you want to accomplish with them before you begin. If that is done, the subsequent policy writing tasks will be much more efficient and focused.

Chapter 3 comprises the bulk of the book and contains all of the specific policies. These policies are divided into 10 separate domains that are mapped to the ISO-17799 standard. This organization scheme makes it easy to create a gap analysis of your current policies against the ISO-17799 standard. This is helpful since many organizations are now embracing ISO-17799.

Each of the policies contains the individual policy itself and a detailed commentary on why the policy is specifically needed. Each policy also has a cross-reference to related policies and an indication of the audience (management, technical, end-user) and the security environment (low, medium, high) for which it is written.

The book contains numerous appendixes, which include secondary information such as awareness-raising methods, checklists, memos, and next steps to take.

The CD-ROM that is included contains the entire set of policies in HTML, Word, and PDF formats. It also includes two documents that map the policies in the book against HIPAA and Sarbanes-Oxley. 

Organizations that take information security seriously will likely have used ISPME in its previous versions. But for those that have not yet taken the plunge, ISPME is a valuable tool that can be utilized to create a comprehensive set of information security policies in a cost- and time-effective manner. For those building corporate or organizational security policies, ISPME is clearly the definitive reference.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
