The Disaster Center Bookstore
Disaster Center Bookstore - a service of Rothstein Associates
Information Security Policies Made Easy
Version 10. 2005, 700+ pages + CD-ROM, by Charles Cresson Wood, InformationShield.
Special Order Item. Item CD303. Price: $795.00
INFORMATION SECURITY POLICIES MADE EASY:
A COMPREHENSIVE SET OF INFORMATION SECURITY POLICIES
Version 10
(Book + CD-ROM) by Charles Cresson Wood
- - - - - - - - - - -
Information Security Policies Made Easy is the definitive resource for information security
policies. Version 10 has everything you need to save money while building a due-care
security policy environment, including:
1. A complete policy library with over 1350 individual pre-written security policies
including:
- Coverage of the latest technical, legal and regulatory issues
- ISO 17799 outline format, allowing for easy gap-analysis against existing
standards and security frameworks
- Expert commentary discussing the risks mitigated by each policy
- Target audience (management, technical, or user) and security environment
(low, medium, high) for each policy
- Policy coverage maps for Sarbanes-Oxley (COBIT) and HIPAA security
2. Eighteen complete pre-written security policy documents that every company should
have, updated and ready to use "as is" or with easy customization, including:
- User-targeted policies such as: Electronic Mail Policy, Internet Security
Policy for End Users and Web Privacy Policy
- Organization-wide policies such as: High-Level Security Policy, Privacy
policy, Information Ownership Policy
- Technology-based policies such as: Firewall Policy, Data Classification
Policy and Network Security Policy
- Sample risk acceptance memo for the approval of out-of-compliance
situations, a sample non-disclosure agreement, and a user policy acceptance agreement.
3. Expert advice on the policy development and review process, including:
- A step-by-step checklist of policy development tasks to quickly start a
policy development project
- Helpful tips and tricks for getting management buy-in for information security
policies and education
- Tips and techniques for raising security policy awareness
- Real-world examples of problems caused by missing or poor security
policies
- Policy development resources such as Information Security Periodicals,
professional associations and related security organizations
4. All content available on an easy-to-use CD-ROM with an indexed and searchable
HTML interface for easy location, featuring:
- Policies available in HTML, PDF, MS-Word format
- Easy cut-and-paste into existing corporate documents
- Extensive cross-references between policies that help the user quickly
understand alternative solutions and complementary controls
Information Security Policies Made Easy Version 10 covers virtually every aspect of corporate
information security including:
- Privacy issues
- Identity Theft
- Web pages
- Firewalls
- Employee surveillance
- Electronic commerce
- Digital signatures
- Computer viruses
- Encryption
- Contingency planning
- Logging controls
- Internet
- Intranets
- Corporate Governance
- Outsourcing security functions
- Computer emergency response teams
- Microcomputers
- Local area networks
- Voice Over IP
- Password selection
- Electronic mail
- SPAM Prevention
- Data Classification
- Telecommuting
- Telephone systems
- Portable computers
- User security training
- Information Security Related Terrorism
- - - - - - - - - - -
This electronic book includes both hardcopy and CD-ROM (MS Word and Word Perfect for
the IBM-PC, MS Word for the Macintosh, as well as ASCII flat files for any other word
processing package). Forget retyping, scanning, photocopying, etc. Simply do key word
searches, compare various policies, choose appropriate ones and "cut-and-paste" to create a
custom document. Additional LAN and PC indices accelerate location of pertinent material.
- - - - - - - - - - -
NEW IN VERSION 10
The following policies, with their corresponding policy reference number in the ISO 17799
outline, have been added to Information Security Policies Made Easy Version 10.
3.01.01.12 "Policy-Driven Information Systems Security Architecture"
4.01.03.09 "Systems Administrators Don't Handle Security Administration"
4.01.03.14 "Authorization To Review Any Information System"
4.01.03.27 "Information Access Delegation Path"
4.01.03.28 "Information Security Is A Management Responsibility"
4.01.03.29 "Clear Assignment Of Internal Controls Accountability"
4.01.03.30 "Board Of Directors Audit Committee"
4.02.01.11 "Publicly Posting Only Generic Information"
4.02.01.15 "Annual Evaluation Of Information Security Operations Outsourcing"
4.02.01.16 "Outsourcing Information Security Requires A Risk Assessment"
4.02.02.19 "Software Vendors Must Perform Security Tests"
4.02.02.20 "Software Vendors Must Submit Third Party Testing Documentation"
4.02.02.21 "Operating Systems Must Be Evaluated And Deemed Trustworthy"
4.03.01.03 "Third Party Software Developers Access To Source Code"
4.03.01.13 "Sensitive Business Activities Performed In Foreign Countries"
4.03.01.14 "Remote Alarms Indicate Equipment Area Is Being Accessed"
4.03.01.15 "Outsourced Security Must Be At Least As Robust As In-House Security"
5.02.01.03 "Internet Domain Name And Host Name Approval Process"
5.02.02.16 "Labeling Unbound Hardcopy Material"
6.01.02.11 "Worker History Of Computer Crime Or Abuse"
6.01.02.22 "Annual Personal Financial Disclosure For Trusted Workers"
6.01.04.02 "Ownership Of Employees' Ideas"
6.02.01.07 "Specification Of Minimum Information Security Training"
6.02.01.18 "Technical Training And Apprenticeship"
6.02.01.19 "Training In Software Defect Testing & Correction"
6.02.01.21 "Accepting Security Assistance From Outsiders"
6.03.01.20 "Reporting Suspected Security Breaches To Third Parties"
6.03.01.21 "Initial Response To Report Of Identity Theft"
6.03.01.24 "Reporting Unexpected Requests For Log-In Information"
6.03.01.27 "Requests To Cooperate In Investigations"
6.03.02.6 "Schedule For Responses To Reported Security Problems"
7.01.02.20 "Repair People Who Show Up Without Being Called"
7.01.02.48 "Return Of Badges By Terminated Workers"
7.01.04.04 "Work With Sensitive Materials In Public Areas"
7.01.04.06 "Third Party Service Providers Work During Office Hours"
7.02.01.17 "Wireless Access Points Need Strong Physical Security"
7.02.06.03 "Approval For Removal Of Any Equipment"
8.01.01.14 "Reconciling Statistics From Service Providers"
8.01.02.07 "Only Widely-Deployed Information Systems Technology"
8.03.01.08 "Virus Disclaimer For Downloaded Files"
8.03.01.22 "Portable Computers Issued With Standard Configuration"
8.04.01.17 "All Electronic Communications Are Recorded And Archived"
8.05.01.11 "Security For Domain Name Registrations"
8.05.01.12 "Monitoring Shadow Internet Domain Names"
8.05.01.13 "Central Registration Of Company X Web And Commerce Sites"
8.05.01.14 "Legal Audit For Web And Commerce Sites"
8.05.01.24 "Firewall Policy Defining Denied And Permitted Services"
8.05.01.25 "Firewall Policy Rule Testing"
8.05.01.26 "Immediate Local Backup Of Firewalls After Deployment"
8.05.01.27 "Remote Access To Firewalls"
8.05.01.38 "Terminating Communications Lines As Soon As Possible"
8.05.01.55 "Wireless Access Points Disabled Unless Approved"
8.05.01.59 "War Driving To Discover Unauthorized Wireless Access Points"
8.05.01.60 "Production Wireless Systems And Fail-Over Alternative Networks"
8.06.02.06 "Trash Container Contents Review"
8.06.02.07 "Destroying Documents Relevant To Litigation"
8.06.02.08 "Secondary Review For Materials Slated For Destruction"
8.06.02.13 "Physically Securing Trash Dumpsters"
8.06.03.13 "Protecting Outbound Secret Computerized Information"
8.07.03.10 "Scripted Response To Detected Intrusions On Commerce Systems"
8.07.03.20 "No Storage Of Credit Card Information"
8.07.03.21 "Credit Card Fraud Detection And Mitigation System"
8.07.03.22 "Signature Required For Delivery Of Internet Orders"
8.07.03.25 "Web-Based Secure Channel For Electronic Mail Communications"
8.07.03.28 "Individuals Involved With Fraud"
8.07.04.07 "Automatic Forwarding Of Electronic Mail Externally"
8.07.04.13 "Electronic Mail Message Storage Schedule And Allotment"
8.07.04.22 "Centralized Control Over Electronic Mail Systems"
8.07.04.29 "Outbound Electronic Mail Footer Approval"
8.07.04.36 "Blocking To Field On Systems Containing Private Information"
8.07.04.42 "Permissible Uses Of Instant Messaging Facilities"
8.07.04.43 "Instant Messaging Without Installed Auditing Tool"
8.07.04.44 "All Mail Servers Must Run Approved Spam-Filtering Software"
8.07.04.45 "All Outbound Electronic Mail Is Automatically Scanned"
8.07.04.46 "Anti-Spam Notices Embedded In Electronic Mail Marketing Messages"
8.07.04.47 "Consequences Of Sending Spam Messages"
8.07.05.61 "Typing Passwords When Others Are Watching"
8.07.06.40 "Web Pages Expressing Views Of Author Only"
8.07.06.41 "Disclaimer For Information Posted On Web Site"
8.07.07.06 "Fair Disclosure Of Material Financial Information"
8.07.07.28 "Logically Separate Voice And Data On IP Networks"
8.07.07.29 "VOIP Remote Management Or Auditing Requires Encrypted Channel"
8.07.07.30 "Critical Telephone Services Must Not Be Supported Via VOIP"
8.07.07.31 "Use Of Softphones That Support VOIP On Personal Computers"
9.01.01.07 "Role-Based Access Control Privileges"
9.01.01.10 "Every User ID Reflected In Centralized Access Database"
9.02.01.15 "Third Party Agreements And User ID Establishment"
9.02.01.18 "Project Manager Notification Regarding Third Party Access"
9.02.01.23 "Opening Accounts With Discrepancies In Customer Information"
9.02.01.24 "Special Procedures For Opening Accounts With A Fraud Alert"
9.02.01.25 "Thumbprints Required To Open A New Account"
9.02.01.26 "Reuse Of Authentication Credentials On Public Web Sites"
9.02.02.09 "Two Person Integrity Rule For Sensitive Information Access"
9.02.03.02 "Passwords Set To Expired After Intrusion"
9.02.03.12 "Password Changes Performed By Involved User"
9.03.01.16 "Password Disclosure Terminates Relationship"
9.03.01.23 "Script Files On Portable Computers, PDAs, And Smart Phones"
9.03.01.24 "Disclosure Of Sensitive Information Via Web Sites"
9.04.02.03 "Machines Connected Only To Internal LAN Or Intranet"
9.04.07.05 "Powering Down Network-Connected Workstations At Night"
9.05.04.05 "Null Passwords Always Prohibited"
9.05.04.19 "User Notification Of Changed Password"
9.07.02.15 "Honeypots And Intrusion Detection Systems"
9.07.02.24 "Unusual Transaction Activity Detects Identity Theft"
9.07.03.25 "Real-Time Monitoring Of Spam To Detect Phishing"
9.08.01.03 "Single Vendor Of Personal Digital Assistants"
9.08.01.07 "Poison Pills For Portable Computers With Secret Information"
9.08.01.15 "Boot And Utilities CD-ROM For Mobile Computers"
9.08.01.16 "Storage Of Remote Access Information In Portable Computers"
9.08.01.17 "Remote Client Machines Automatically Disabled If Lost/Stolen"
9.08.01.18 "Downloaded Software On PDAs & Smart Phones"
9.08.01.19 "Storage Of Company X Information On PDAs & Smart Phones"
9.08.01.20 "Portable Computers, PDAs, And Smart Phones Out Of Sight"
10.01.01.03 "Renewal Of Information Technology Project Funding"
10.02.02.04 "Announcing System Unavailability To Users"
10.03.02.03 "Encryption Usage Aside From That In Browsers"
10.03.02.07 "Vendor's Willingness To Reveal Source Code"
10.03.02.12 "Encryption Keys Not Resident In Main Memory"
10.03.05.12 "Systems Design Encryption Key Length"
10.03.05.15 "Two Of Four People With Access To Master Keys"
10.03.05.16 "At Least Two People With Access To Master Keys"
10.04.01.03 "Peer-To-Peer File-Sharing Software Prohibited"
10.04.01.04 "Conditions For Use Of Open Source Software"
10.04.01.05 "Security Testing Process For Open Source Software"
10.04.01.06 "Availability Of Consulting For Open Source Software"
10.04.01.07 "Derivative Versions Of Open Source Software"
10.05.01.02 "Use Of Automated Software Testing Routines"
10.05.01.03 "Web Code Review Tools"
10.05.01.15 "Change Log On Every Server"
10.05.01.21 "Systems Administrators Install/Update Server Software"
10.05.02.03 "Digital Signature And Source Approval For Patches"
10.05.02.04 "Frequency Of Installing Non-Emergency Patches, Fixes, And Upgrades"
10.05.02.05 "Documenting Reasons Why Patches And Fixes Were Not Installed"
10.05.02.06 "Development Testing For Software Patches, Fixes, And Updates"
11.01.01.03 "Vendors Providing Mission Critical Hardware & Software"
11.01.01.04 "Plan For Every Critical Application And Infrastructure Component"
11.01.01.05 "Mission Critical Systems And Refurbished/Reconfigured Equipment"
11.01.03.03 "Crisis Management Plan"
11.01.04.03 "Work At Home Requirements For Staff Performing Critical Tasks"
12.01.02.15 "Redistribution Of Information Posted On-Line"
12.01.03.07 "Vital Paper Records Captured In Electronic Imaging Form"
12.01.04.05 "Written Privacy Consent Needed For Provision Of Services"
12.01.04.06 "Retroactive Consent For Private Information Usage"
12.01.04.13 "Full And Accurate Description Of Private Data Collection"
12.01.04.14 "Routine Disclosure Of Full Private Record"
12.01.04.16 "Notice Of Privacy Practices Provided Before Consent Received"
12.01.04.18 "Place No Software Or Information On User's Machine"
12.01.04.19 "No Undisclosed Tracking Or Identification Software"
12.01.04.21 "Parental Access To Information Collected From Children"
12.01.04.24 "Centralization Or Synchronization Of Customer Databases"
12.01.04.27 "De-Identification Of Private Information"
12.01.04.48 "Private Information Shared When Recipient Has Comparable Policy"
12.01.04.55 "Only Privacy Policy Text Is Binding"
12.01.04.80 "Social Security Numbers Shown On Statements"
12.01.04.85 "Opt-In For Sensitive Data And Opt-Out For Other Types"
12.01.04.89 "Revoking Previously-Granted Consent To Disclose Private Data"
12.01.04.92 "Deleting Voluntarily Provided Personal Information"
12.01.04.95 "Private Data Movement To Third Party Custodians"
12.01.04.108 "Minimum Contents Of Posted Privacy Policy"
12.01.04.110 "Privacy Policy And Internet Personal Data Gathering Points"
12.01.04.111 "Opt Out From New Privacy Policy Provisions"
12.01.05.05 "Prohibition Against All Forms Of Adult Content"
12.01.05.08 "After Hours Web Shopping And Auction Business"
12.01.05.20 "Financial Transaction Accounts Reconciled Monthly"
12.02.01.07 "Privacy Policy And Practices Annual Audit"
12.02.02.04 "Scanning Network Exposed Systems Components"
= = = = = = = = = = =
===
"This is the gold standard Policy reference for any serious security practitioner to have in their
arsenal of tools, a must have! The instructions and examples for establishing security policies
and implementation processes add real value to this edition"
- John B. Kramer, CISSP, CISA, Information Security Manager - UPMCHS
- - - - - - - - - - -
"Wood has created a complete kit of proven best practices that any organization can use and
customize to make policies meeting their exact needs."
- Jay Heiser, Columnist, "Information Security" magazine
- - - - - - - - - - -
"In 1993, I was asked to develop my first information security policy. I began by cutting and
pasting a series of thoughts and calling that a policy. Usually these policies were rejected
by management. To ensure that my organization had strong Information Security policies in
place, I purchased a copy of Information Security Policies Made Easy. Quickly I learned that
creating a policy was a process that included writing policies, editing policies, obtaining
management approval, communicating policies, and implementing controls to meet the policy
requirements. The book provides the reader with the tools necessary to develop policies,
including an easy to use CD ( fully-linked and searchable)."
- Diana-Lynn Contesti, CISSP, SSCP, Information Security Officer - Dofasco Inc.
- - - - - - - - - - -
"Charles Cresson Wood, who heads Baseline, is an expert's expert, and knows more about
computer security policies than anyone I know." -- Michael Alexander, Editor, Datamation
- - - - - - - - - - -
"It gave us everything we needed to help us write standards and communicate [policies] in a
clear, concise manner with no ambiguity or technical jargon ... the book paid for itself in two
weeks." --Jonah Goldsmith, Data Security Consultant to Large Medical Insurance Company,
LAN Times
- - - - - - - - - - -
"If I could have only six books in my professional library, this would be one of them." - Dr.
Harold Highland, Editor Emeritus of Computers & Security magazine
- - - - - - - - - - -
"The guidelines [ISPME] have saved three months of manual effort that would have been
required to research and write policies." - Douglas Feil, EDP Audit Manager, City & County of
San Francisco, Network Management Systems & Strategies
- - - - - - - - - - -
"Here is an idea whose time has really come! [ISPME] is well done and comprehensive ... the
cost is reasonable considering the years of research needed to compile such a complete
work." - Donald E. Greenwood, Editor, Don Greenwood's Information Protection Advisor
- - - - - - - - - - -
"Considering the cost of hiring an external consultant to come up with similar suggestions,
the price tag is a real bargain." - Jess Birtcher, EDP Auditor Journal
- - - - - - - - - - -
"I wish I had written this book - the product of both erudite knowledge and rich experience ...
offers powerful recommendations ... any security manager who wants an education in
automated information systems security needs this book ... Buy the book." - Peter Pitorri,
Consultant, Security Management
- - - - - - - - - - -
"An outstanding piece of work ... should become the standard for people doing this type of
work." - Officer Ed Dreslinski, Detroit Police Department
- - - - - - - - - - -
"This book is invaluable to those responsible for creating or maintaining an information
security policy manual or similar documents." - Belden Menkus, Editor, EDPACS
- - - - - - - - - - -
"An excellent book for companies which need a serious and comprehensive information
security policy but which desire some suggestions on how to formulate the specifics of that
policy." - David L. Oppenheimer, Writer, ;login.
- - - - - - - - - - -
"Fortunately there are resources for LAN managers who lack either the time or the
specialized training to sit down and develop a network security policy for their organization
from scratch. The best single resource we know is 'Information Security Policy Made Easy.'" -
Marc M. Groz, Editor, Managing LAN Costs.
= = = = = = = = = = =
===
Take a look at who uses ISPME:
- Ford Motor Company
- Reuters
- Amoco Corporation
- Harvard University
- RJR Tobacco
- American Telephone and Telegraph (AT&T)
- Hewlett Packard
- Rykoff-Sexton
- Swiss Bank Corp
- Simon & Schuster
- Hyundai Electronics
- Sumitomo Bank
- Automatic Data Processing (ADP)
- Sun Microsystems
- Blue Cross/Blue Shield
- International Moscow Bank
- ITT Aerospace
- Johnson & Johnson
- British Airways
- Burroughs Wellcome
- Exxon
- Joint Chiefs of Staff - Pentagon
- Timex
- Centers for Disease Control
- Lever Bros.
- US Department of Energy
- Volkswagen of America
- London Stock Exchange
- US Secret Service
- Chase Manhattan Bank
- Citibank
- MGM
- NASA Research Center
- Naval Surface Warfare Center
- Pfizer
- Weyerhaeuser
- DHL Express International
- Philip Morris
- World Bank
- Price Waterhouse
- Ernst & Young
- Procter & Gamble
- Prudential
... and many others.
= = = = = = = = = = =
===
ONE STOP POLICY SHOPPING:
- Web pages
- Firewalls
- Employee surveillance
- Electronic commerce
- Digital signatures
- Computer viruses
- Encryption
- Contingency planning
- Logging controls
- Internet
- Intranets
- Privacy issues
- Outsourcing security functions
- Computer emergency response teams
- Microcomputers
- Local area networks
- Password selection
- Electronic mail
- Data Classification
- Telecommuting
- Telephone systems
- Portable computers
- User training
= = = = = = = = = = =
===
SAMPLE POLICY TITLES
“Here's a sample of the many Internet policies... the list below presents a few of the Internet
policy titles. These policies can be especially useful when setting up a web site, an
electronic commerce arrangement and other Internet connections. The policies can also be
used to bolster the security of an existing Internet connection, guide an audit effort, and the
like.
56. Internet Use for Personal Purposes Prohibited
57. Personal Use of Company X Internet Facilities Only on Personal Time
58. Permissible Uses of Company X Information
121. Required Process for Checking Software Down-Loaded from Internet
476. Permissible Internet Access Without Firewalls
480. Direct Network Connections With Outside Organizations (Tunnels)
481. Inter-Processor Commands From Outside Locations Prohibited
482. Isolate Systems Containing Secret Information from Network
487. Prior Approval Required for System Interconnection
489. Approval Required for Internet Connection Establishment
493. Formation of Binding Contracts via Electronic Systems
494. Trading Partner Agreement Required Prior to Use of EDI
496. Criteria for Accepting and Acting on Computerized Transactions
497. Multiple Communication Channels for Electronic Offers & Acceptances
500. Secret Data Sent Over Networks Must Be Encrypted
502. Secret Information Must Be Encrypted When Not In Active Use
130. Virus Eradication Requires Support of Systems Administrator
310. Responsibility for Assigning Data Classification System Labels
437. Required Actions Following Suspected System Intrusion
658. Company X Blocks Certain Non-Business Internet Web Sites
674. Disabling Java Within Internet Web Browsers
678. All Content Posted to Intranet is Owned by Company X
690. Webmaster Review of Intranet Web Pages Prior to Posting
169. Disabling Unnecessary Software Features at Installation Time
742. Return of Information By Contractors, Consultants, and Temporaries
627. Prohibition Against Use of Scanned Hand-Rendered Signatures
215. Removal of Unauthorized Copyrighted Information and Software
620. Message Content Restrictions for Company X Information Systems”
- - - - - - - - - - -
A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY:
“Every policy is indexed in multiple places by both name and number. The table of contents
additionally provides a structured way to think about all the important considerations related
to information security policies.
“Each policy comes with the actual words you can use in your own policy statement, in
addition to commentary that describes a justification for the policy. The commentary provides
alternative positions to take on the issue addressed by the policy as well as optional ways in
which the policy could be implemented. Also included in the commentary are warnings about
the circumstances that might cause trouble when the policy is implemented. The
commentary furthermore includes references to related policies, an indication of the intended
audiences, and an indication of the types of organizations to which the policy applies.”
“325. REMOVAL OF SENSITIVE INFORMATION FROM COMPANY X PREMISES
“Policy: Sensitive Company X information may not be removed from Company X premises
unless there has been prior approval from the information's owner. This policy includes
portable computers with hard disks, floppy disks, hard-copy output, paper memos, and the
like. An exception is made for authorized off-site back-ups.
“Commentary: The intention of this Policy is to prevent sensitive information from traveling
around, and in the process being disclosed in unauthorized ways. The more information stays
in one place, the easier it is to track and control. Note that this policy may restrict the
activities of telecommuters and employees who wish to take work home with them. If such
sensitive information routinely travels over computer networks, it may be difficult to identify its
location at any particular point in time; in these cases, this policy will be difficult to
implement and is most often inappropriate. On another note, this policy assumes the term
"owner" has been previously defined. For more about owners, see the policy entitled
"Information Ownership and Management's Responsibilities." Separately, this policy
assumes that a data classification system has already been adopted. The word "sensitive"
could be replaced by one or several data classification terms used by the organization in
question. For a policy showing recommended definitions for terms like this, see the policy
entitled "Four Category Data Classification Scheme." Also see the policies entitled "Log for
Sensitive Information Removed From Company X Premises," "Provision of Lockable Metal
Furniture to Staff Working at Home," and "Recovery of Computer-Related Property Belonging
to Company X." A: EMT; E: MH.”
- - - - - - - - - - -
A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY:
DATA DESTRUCTION
In conversations with vendors in the field of computer equipment disposal, we hear continuous
stories of potentially valuable data left on personal computers, laptops, routers and switches.
The data range from simple IP addresses to userids and personal customer data. Even for
conscientious employees who try to destroy data, most companies are not aware of the
recovery technology that is now available to retrieve files that were thought to be deleted.
Simple file deletion is generally not sufficient. The files must be expunged or repeatedly
overwritten by a separate systems utility to be truly irretrievable. Do you have policies and
procedures for proper data disposal? If you do, are the people responsible for disposing of
your equipment familiar with the policies and procedures? If not, consider this sample policy:
Policy: Department managers are responsible for the disposal of surplus property no longer
needed for business activities in accordance with procedures established by the Information
Systems Security department, including the irreversible removal of information and software.
Commentary: This process can be complex, so separate procedures are often issued by the
Information Security department. The way the policy is written, the procedures can be
changed as the technology changes, without the need to change this policy. While the focus
of this policy often is on equipment, the real concern is the information stored on the
equipment. This policy also prevents inadvertent violation of the license terms for copyrighted
software. (Sample policy from Information Security Policies Made Easy, version 9.0 by
Charles Cresson Wood.)
- - - - - - - - - - -
A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY:
LIMITED DATA COLLECTION
One of the largest regulatory trends concerns the privacy of personal information, including
how it is collected, used, protected and destroyed. (Last month we looked at data destruction
policies, and their importance for safeguarding information during equipment disposal.) Even if
you don't fall under a traditional privacy-regulated industry such as Financial Services or
healthcare, it is a good idea to establish some best-practices policies for handling customer
information. For example, if you are collecting information from citizens of European Union
member countries, you are subject to the provisions of the EU Data Protection Directive. If
you collect information from children under the age of 13 (either on purpose or by accident)
you are subject to COPPA.
One of the first and most critical policies to implement would be limits on personal data
collection. Basically, you are establishing rules that ensure that you limit the collection of
personal customer information to only the data necessary for providing the business function
required. This requirement is clearly identified in many privacy-related regulations. It also
limits the amount of information the organization must maintain for accuracy and protection.
Does your organization have data collection policies and procedures? If so, are your
customer service personnel aware of these policies? As an example, consider this sample
policy:
Policy: Company X must collect, process, store, and disseminate only that information that
is necessary for the proper functioning of its business.
Commentary: This policy preserves the privacy rights of employees, customers, and others
who may have some contact with the organization. This policy simplifies the information
systems by keeping the amount of information retained by Company X to a minimum. The
scope of this policy is broader than just privacy matters. It pertains to all information. The
policy does not provide detailed guidance about determining whether certain information is
necessary. This is a deliberate omission because both the decision process and the
information to which it pertains may change dramatically over time. (Sample policy from
Information Security Policies Made Easy, version 9.0 by Charles Cresson Wood.)
- - - - - - - - - - -
A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY:
PERSONAL INFORMATION COLLECTION NOTICE
As illustrated by our discussion of the USA PATRIOT ACT, one of the largest regulatory
trends concerns the privacy of personal information, including how it is collected, used,
protected and destroyed. Last month we looked at a sample policy for limitations on the
collection of personal information. This month we look at another best-practice for privacy
policies: The Personal Information Collection Notice.
For example, the USA PATRIOT ACT requires the establishment of Customer Identity
Verification Procedures (CIP). These procedures require the collection of specific personal
information to reasonably verify the identity of the person applying for a bank account or credit
card. Within this procedure are specific requirements to notify the customer why this
collection is taking place. Even if you don't fall under a traditional privacy-regulated industry
such as Financial Services or healthcare, it is a good idea to establish some best-practices
policies for handling customer information collection. As an example, consider the following
sample policy: Information Collection Notice. [Organizations that are subject to the USA
PATRIOT ACT should consider adopting this policy with specific wording as recommended by
the US Department of the Treasury.]
Policy: In every instance where personally-identifiable information is collected, an explicit
and understandable notice must be provided at the time and place the information is
collected.
Commentary: This policy is intended to clarify when and where a notice about information
collection should be provided. The policy places the greatest emphasis on collection of
personally-identifiable information, such as an electronic mail address, and requires all web
locations where such collection is being performed to be marked irrespective of user
knowledge or participation in the collection process. If electronic mail addresses were
collected automatically from user web browsers when users visited a web site, this fact would
need to be disclosed. Of lesser concern is information that is not personally-identifiable.
Because this latter type of information is not associated with any particular person, the
potential for abuse is considerably less, and this fact is reflected in the lack of need for a
notice. Some organizations may wish to mention an exception where private information may
be collected secretly, such as investigation of a suspected crime or an allegedly abusive
activity.
(Sample policy from Information Security Policies Made Easy, version 9.0 by Charles
Cresson Wood.)
- - - - - - - - - - -
A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY:
INFORMATION SECURITY TRAINING
There is no better way to demonstrate to employees and auditors that you are serious about
security awareness training than to formally include security awareness in your corporate
security policies. This assumes, of course, that you follow through and deliver the training! Your
corporate policies should be considered a contract of expectations between your organization
and its employees. By including a formal statement of management's intent to train all users,
you are committing to provide the funding, time and resources required to complete your
training.
Another important consideration is the organization's responsibility for security awareness
training. Does the organization have an official training department that will perform this role,
or will the information security department be responsible? Equally important to defining the
policy is documenting the roles and responsibilities for enforcing and complying with the
policy and its supporting standards and procedures.
As an example, consider the following high-level sample policy: Information Security Training.
Policy: All workers must be provided with sufficient training and supporting reference material
to permit them to properly protect Company X information resources.
Commentary: This policy requires that sufficient information security training and
documentation be delivered to those workers who handle Company X information. The
specific material to be delivered to workers will vary based on the nature of the jobs that these
workers perform. For example, telephone order-takers should generally receive different
training than computer programmers. In many organizations, nearly every worker accesses
Company X information in order to do their job. Nonetheless, many workers need only
rudimentary training. The policy communicates from top management to lower level
management requirements for training and documentation, which could be online rather than
in hardcopy form. This policy relies on local management to decide what constitutes
sufficient information security training. Some organizations may prefer to say that the
Information Security department determines what constitutes sufficient training.
(Sample policy and commentary from Information Security Policies Made Easy, version 9.0
by Charles Cresson Wood, Copyright 2005, Information Shield.)
- - - - - - - - - - -
TABLE OF CONTENTS
Chapter 1: Introduction
Chapter 2: Instructions
Instruction
Information Security Policies
Importance Of Policies
Considerations In The Policy Development Process
Policy Development Time Line
Policy Document Length
Policy Usage
Policy Objectives And Scope
Disclaimers
Chapter 3: Specific Policies
Security Policy
Information Security Policies
Organizational Security
Information Security Infrastructure
Security Of Third-Party Access
Outsourcing
Asset Classification And Control
Accountability For Assets
Information Classification
Personnel
Security In Job Definition And Resourcing
User Training
Responding To Security Incidents And Malfunctions
Physical And Environmental Security
Secure Areas
Equipment Security
General Controls
Communications And Operations Management
Operational Procedures And Responsibilities
System Planning And Acceptance
Protection Against Malicious Software
Housekeeping
Media Handling and Security
Exchanges Of Information And Software
Access Control
Business Requirement For Access Control
User Access Management
User Responsibilities
Network Access Control
Operating System Access Control
Application Access Control
Monitoring System Access And Use
Mobile Computing
Systems Development And Maintenance
Security Requirements Of Systems
Security In Application Systems
Cryptographic Controls
Security Of System Files
Security In Development And Support Processes
Business Continuity Management
Aspects Of Business Continuity Management
Compliance
Compliance With Legal Requirements
Reviews Of Security Policy And Technical Compliance
System Audit Considerations
Chapter 4: Sample High-Level Information Security Policy
Chapter 5: Sample Detailed Information Security Policy
Chapter 6: Sample Telecommuting and Mobile Computer Security Policy
Management Issues
Access Control
Backup And Media Storage
Communications Links
System Management
Travel Considerations
Physical Security
Chapter 7: Sample External Communications Security Policy
Chapter 8: Sample Personal Computer Security Policy
Chapter 9: Sample Electronic Mail Policy
Chapter 10: Sample Computer Network Security Policy
Purpose
Scope
General Policy
Responsibilities
System Access Control
End-User Passwords
Password System Set-Up
Logon and Logoff Process
System Privileges
Establishment Of Access Paths
Computer Viruses, Worms, And Trojan Horses
Data And Program Backup
Encryption
Portable Computers
Remote Printing
Privacy
Logs And Other Systems Security Tools
Handling Network Security Information
Physical Security Of Computer And Communications Gear
Exceptions
Violations
Glossary
Chapter 11: Sample Internet Security Policy For Users
Introduction
Information Integrity
Information Confidentiality
Public Representations
Intellectual Property Rights
Access Control
Personal Use
Privacy Expectations
Reporting Security Problems
Chapter 12: Sample Intranet Security Policy
Chapter 13: Sample Privacy Policy - Stringent
Overview And Applicability
Definitions
Specific Requirements
Information To Be Given To The Individual
Individual's Right Of Access To Data
Individual's Right To Object
Disclosure Of Personal Data To Third Parties
Processing Confidentiality And Security
Monitoring Of Internal Activities
Chapter 14: Sample Privacy Policy - Lenient
Company Intentions and Management Responsibilities
Disclosure Of Private Information
Appropriate Handling of Private Information
Private Information on Computer and Communication System
Activity Monitoring
Handling Personnel Information
Private Information from Job Seekers
Private Information About Customers
Chapter 15: Sample Web Privacy Policy
Chapter 16: Sample Data Classification Policy
Chapter 17: Sample Data Classification Quick Reference Table
Chapter 18: Sample External Party Information Disclosure Policy
Chapter 19: Sample Information Ownership Policy
Chapter 20: Sample Firewall Policy
Appendix A: List Of Information Security Policy References
Appendix B: List Of Information Security Periodicals
Appendix C: List Of Professional Associations And Related Organizations
Appendix D: List Of Suggested Awareness-Raising Methods
In Person
In Writing
On Systems
On Other Things
Appendix E: External Network Interface Security Policy Harmonization
Access Control Considerations
Encryption And Public Key Infrastructure Considerations
Change Control And Contingency Planning Considerations
Network Management Considerations
Appendix F: Checklist Of Steps In Policy Development Process
Appendix G: Overview Of Policy Development Process Tasks
Appendix H: Real World Problem Cases Caused By Missing Policies
Government Agency
Law Firms
Oil Company
Local Newspaper
Midwest Manufacturing Company
West Coast Manufacturing Company
Major Online Service Company
Appendix I: Suggested Next Steps
Appendix J: Agreement To Comply With Information Security Policies
Appendix K: Identity Token Responsibility Statement
Appendix L: Management Risk Acceptance Memo
Appendix M: Two-Page Simple Non-Disclosure Agreement
Appendix N: Index Of New Policies
Appendix O: Regulatory Requirements for Information Security Policies
About the Author
Index
- - - - - - - - - - -
ABOUT THE AUTHOR
CHARLES CRESSON WOOD, CISA, CISSP is an author and independent information
security consultant based in Sausalito, California. In the information security field on a
full-time basis since 1979, he has worked as an information security management consultant
at SRI International (formerly Stanford Research Institute) as well as lead network security
consultant at Bank of America. He has done information security work with over 120
organizations, many of them Fortune 500 companies, including a large number of financial
institutions and high-tech companies. His consulting work has taken him to over twenty
different countries around the world.
He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility
and security) in customized and practical compromises that are acceptable to all parties
involved. Acknowledging that information security is multi-disciplinary, multi-departmental,
and often multi-organizational, he is additionally noted for his ability to synthesize a large
number of complex considerations and then to document these in security architectures,
system security requirements, risk assessments, project plans, policy statements, and other
clear and action-oriented documents.
He has published over 225 technical articles and five books in the information security field. In
addition to TV and radio appearances, he has been quoted as an expert in publications such
as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld,
LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and
Time. He has also presented cutting-edge information security ideas at over 100 technical
and professional conferences around the globe.
Mr. Wood is Senior North American Editor for the journals "Computers & Security" and
"Computer Fraud & Security Bulletin", as well as a monthly columnist for "Computer Security
Alert". He holds an MBA in financial information systems, an MSE in computer science, and
a BSE in accounting from the Wharton School of Business at the University of Pennsylvania.
He has passed the Certified Public Accountant (CPA) examination and is both a Certified
Information Systems Auditor (CISA) and a Certified Information Systems Security
Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from
the Computer Security Institute for "sincere dedication to the computer security profession."
- - - - - - - - - - -
ALSO AVAILABLE:
INFORMATION SECURITY ROLES & RESPONSIBILITIES MADE EASY
See Order #DR571.
- - - - - - - - - - -
Save $95! Purchase INFORMATION SECURITY POLICIES MADE EASY together
with INFORMATION SECURITY ROLES & RESPONSIBILITIES MADE EASY
See Order #DR755
- - - - - - - - - - -
ALSO AVAILABLE:
Information Security Policies Made Easy, Version 9, SPANISH EDITION Hardcover -
730 pages. Includes CD-ROM and organization-wide license to republish the materials
internally.
Order DR-303-SP, $595.00 (Special Order).
- - - - - - - - - - -
(Version 10) 2005, 780 pages + CD-ROM and organization-wide license to republish
the materials internally.
Order #DR-303-PC or DR-303-MAC
SPECIAL ORDER ITEM.
*** specify PC or MAC format ***
- PC format will be shipped unless otherwise specified.
- MAC Format is not returnable.
- - - - - - - - - - -
Disaster Center Bookstore-a service of Rothstein Associates
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401