Writing Information Security Policy for SMEs webcast
Feb 22, 2012
On Feb 22, I presented “Writing Information Security Policy for SMEs”, the third webcast in the SANS Institute’s “Information Security for SMEs” webcast series.
Many people consider information security policy a tedious and boring subject. This reputation is perhaps justified, as many information security policies are long, difficult to understand, and out of date. In this webcast, I explained a simple 3-step process for writing concise, easy-to-understand, and relevant policy that is appropriate for SMEs.
Most organizations misunderstand the purpose of information security policy, which is not to lay out detailed rules and regulations. The primary role of policy should be to document management decisions about how to respond to information security risks.
Here’s an example from the webcast, regarding network-related risk:
Step 1) Identify the risk being managed: the risk of attack via the network.
Step 2) State the risk management decision/control objective: to reduce the occurrence and severity of network attacks.
Step 3) Provide guidance on how risk is to be managed: implement a securely designed network, implement a securely designed wireless network, implement a securely designed network perimeter, use secure network device configurations, prevent unauthorized access to network services. (Guidance is from ISO 27001.)
Once this 3-step “worksheet” has been completed, it’s relatively straightforward to transform it into a policy:
Network Policy
To reduce the occurrence and severity of attack via the network:
- A securely designed network shall be implemented.
- A securely designed wireless network shall be implemented.
- A securely designed network perimeter shall be implemented.
- Secure network device configurations shall be used.
- Access controls shall be used to prevent unauthorized access to network services.
This example in the webcast was taken from the soon-to-be-published CPI-RISC Information Security Policy Template. The webcast provided details on how the Policy Template could be used to help SMEs implement their information security policies.
The webcast may be viewed at the SANS Webcast Archive:
https://www.sans.org/webcasts/writing-information-security-policy-smes-94939.
Slide handout: PDF file (English)