I. STARTING THE POLICY PROCESS.
1. What Information Security Policies Are.
About Information Security Policies. Why Policies Are Important. When Policies Should Be Developed. How Policies Should Be Developed.
2. Determining Your Policy Needs.
Identify What Is to Be Protected. Identify From Whom It Is Being Protected. Data Security Considerations. Backups, Archival Storage, and Disposal of Data. Intellectual Property Rights and Policies. Incident Response and Forensics.
3. Information Security Responsibilities.
Management Responsibility. Role of the Information Security Department. Other Information Security Roles. Understanding Security Management and Law Enforcement. Information Security Awareness Training and Support.
II. WRITING THE SECURITY POLICIES.
4. Physical Security.
Computer Location and Facility Construction. Facilities Access Controls. Contingency Planning. General Computer Systems Security. Periodic System and Network Configuration Audits. Staffing Considerations.
5. Authentication and Network Security.
Network Addressing and Architecture. Network Access Control. Login Security. Passwords. User Interface. Access Controls. Telecommuting and Remote Access.
6. Internet Security Policies.
Understanding the Door to the Internet. Administrative Responsibilities. User Responsibilities. World Wide Web Policies. Application Responsibilities. VPNs, Extranets, Intranets, and Other Tunnels. Modems and Other Backdoors. Employing PKI and Other Controls. Electronic Commerce.
7. Email Security Policies.
Rules for Using Email. Administration of Email. Use of Email for Confidential Communication.
8. Viruses, Worms, and Trojan Horses.
The Need for Protection. Establishing the Type of Virus Protection. Rules for Handling Third-Party Software. User Involvement with Viruses.
Legal Issues. Managing Encryption. Handling Encryption and Encrypted Data. Key Generation Considerations. Key Management.
10. Software Development Policies.
Software Development Processes. Testing and Documentation. Revision Control and Configuration Management. Third-Party Development. Intellectual Property Issues.
III. MAINTAINONG THE POLICIES.
11. Acceptable Use Policies.
Writing the AUP. User Login Responsibilities. Use of Systems and Network. User Responsibilities. Organization's Responsibilities and Disclosures. Common-Sense Guidelines About Speech.
12. Compliance and Enforcement.
Testing and Effectiveness of the Policies. Publishing and Notification Requirements of the Policies. Monitoring, Controls, and Remedies. Administrator's Responsibility. Logging Considerations. Reporting of Security Problems. Considerations When Computer Crimes Are Committed.
13. The Policy Review Process.
Periodic Reviews of Policy Documents. What the Policy Reviews Should Include. The Review Committee.
Appendix A. Glossary.
Appendix B. Resources.
Incident Response Teams. Other Incident Response Information. Virus Protection. Vendor-Specific Security Information. Security Information Resources. Security Publications. Industry Consortia and Associations. Hacker and “Underground” Organizations. Health Insurance Portability and Accountability Act. Survivability. Cryptography Policies and Regulations. Security Policy References.
Appendix C. Sample Policies.
Sample Acceptable Use Policy. Sample Email Security Policy. Sample Administrative Policies.