Chapter 28 – Security Policy Guidelines
M. E. Kabay, PhD, CISSP

Chapter Contents:

28.1 Introduction
28.2 Terminology
    28.2.1 Policy
    28.2.2 Controls
    28.2.3 Standards
    28.2.4 Procedures
28.3 Resources for Policy Writers
    28.3.1 ISO 17799
        28.3.1.1 Overview of BS7799 and ISO 17799
        28.3.1.2 ISO 17799 Resources
    28.3.2 COBIT
        28.3.2.1 Overview of COBIT
        28.3.2.2 COBIT Framework
        28.3.2.3 Control Objectives
        28.3.2.4 Audit Guidelines
        28.3.2.5 Implementation Tool Set
        28.3.2.6 Management Guidelines
        28.3.2.7 Summary of COBIT
    28.3.3 Informal Security Standards
        28.3.3.1 CERT-CC Documentation
        28.3.3.2 NSA Security Guidelines
        28.3.3.3 U.S. Federal Best Security Practices
        28.3.3.4 RFC2196 (Site Security Handbook)
        28.3.3.5 IT Baseline Protection Manual
    28.3.4 Commercially Available Policy Guides
        28.3.4.1 ISPME (Charles Cresson Wood)
        28.3.4.2 Tom Peltier's Practitioner's Reference
        28.3.4.3 SANS Resources
28.4 Writing the Policies
    28.4.1 Orientation: Prescriptive and Proscriptive
    28.4.2 Writing Style
    28.4.3 Reasons
28.5 Organizing the Policies
    28.5.1 Topical Organization
    28.5.2 Organizational
28.6 Presenting the Policies
    28.6.1 Printed Text
    28.6.2 Electronic One-Dimensional Text
    28.6.3 Hypertext
        28.6.3.1 HTML and XML
        28.6.3.2 Rich Text Format and Proprietary Word-Processor Files
        28.6.3.3 Portable Document Format
        28.6.3.4 Help Files
28.7 Maintaining Policies
    28.7.1 Review Process
    28.7.2 Announcing Changes
28.8 Summary
28.9 For Further Reading