Security Basics mailing list archives

General security policy vs. security awareness
From: "Gideon T. Rasmussen, CISSP, CISA, CISM, CFSO, SCSA" <lists () infostruct net>
Date: Mon, 28 Feb 2005 20:05:37 -0500

This is my response to a post asking how many pages a general security policy should be. It also expressed concerns 
about getting the salient points across. I thought it might be of interest to you...


I would not limit a general security policy to any number of pages per se. One way to keep it relatively compact is to 
write with the average employee as the intended audience (e.g. the sales team does not need to know about the system 
development life cycle). Departmental policies should detail how the general policy applies in that functional area. 
The general policy should include security best practices and be written with applicable regulations in mind (e.g. SOX, 
HIPAA, etc.). This may push the content up to 30-40 pages. Check SANS for policy resources 
(http://www.sans.org/resources/policies).

As for your concerns about employees picking up the salient points...

1. Ask the CEO to introduce the policy by e-mail with a letter stating that security is everyone's responsibility, 
appointing an information security steering committee, and a brief overview of the framework in use (e.g. ISO 17799, 
CoBIT, etc.). Repeat annually.

2. Create a PowerPoint presentation based on the policy. Hold security orientation briefings for all employees and 
contractors. Record attendance with a sign-in sheet and require everyone to sign off on the policy within 1 week. That 
should be enough time to answer outstanding questions and consider possible exceptions. Repeat the briefings annually 
and brief new employees as they are hired.

3. Create an internal security web site. Post the policy, presentation, incident report template, security awareness 
tips, etc.

4. Start a formal security awareness program:

http://www.ussecurityawareness.org/highres/security-awareness.html

In essence, the policy is just that, a policy. Getting the point across speaks to a change in culture. For that an 
awareness program is required.

Just my $.02.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, CFSO, SCSA
Boca Raton, FL
gideon () infostruct net
