1st Edition

Information Security Policies, Procedures, and Standards Guidelines for Effective Information Security Management

By Thomas R. Peltier Copyright 2001
    312 Pages 50 B/W Illustrations
    by Auerbach Publications

    By definition, information security exists to protect your organization's valuable information resources. But too often information security efforts are viewed as thwarting business objectives. An effective information security program preserves your information assets and helps you meet business objectives. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management provides the tools you need to select, develop, and apply a security program that will be seen not as a nuisance but as a means to meeting your organization's goals.

    Divided into three major sections, the book covers: writing policies, writing procedures, and writing standards. Each section begins with a definition of terminology and concepts and a presentation of document structures. You can apply each section separately as needed, or you can use the entire text as a whole to form a comprehensive set of documents. The book contains checklists, sample policies, procedures, standards, guidelines, and a synopsis of British Standard 7799 and ISO 17799.

    Peltier provides you with the tools you need to develop policies, procedures, and standards. He demonstrates the importance of a clear, concise, and well-written security program. His examination of recommended industry best practices illustrates how they can be customized to fit any organization's needs. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management helps you create and implement information security procedures that will improve every aspect of your enterprise's activities.

    Writing Mechanics and the Message
    Attention Spans
    Key Concepts
    Topic Sentence and Thesis Statement
    The Message
    Writing Don'ts
    Policy Development
    Policy Definitions
    Frequently Asked Questions
    Polices are Not Enough
    What is a Policy
    Policy Format
    Policy Content
    Program Policy Examples
    Topic-Specific Policy Statements
    Additional Hints
    Topic-Specific Subjects
    Things to Remember
    Additional Examples
    Where Does a Standard Go?
    Policies are not Enough
    What is a Standard
    Security Organization
    Assets Classification and Control
    Personnel Security
    Physical and Environmental Security
    Computer and Network Management
    Systems Access Control
    Business Continuity Planning
    Writing Procedures
    Writing Commandants
    Key Elements in Procedure Writing
    Procedure Checklist
    Getting Started
    Procedure Styles
    Creating a Procedure
    Security Awareness Program
    Key Goals of an Information Security Program
    Key Elements of a Security Program
    Security Awareness Program Goals
    Identify Current Training Needs
    Security Awareness Program Development
    Methods Used to Convey the Awareness Message
    Presentation Key Elements
    Typical Presentation Format
    When to do Awareness
    The Information Security Message
    Information Security Self-Assessment
    Video Sources
    Why Manage the Process as a Project
    First Things First - Identify the Sponsor
    Defining the Scope of Work
    Time Management
    Policies and Procedures Project Sample WBS
    Cost Management
    Planning for Quality
    Managing Human Resources
    Creating a Communications Plan
    Mission Statement
    Setting the Scope
    Background on your Position
    Business Goals Versus Security Goals
    Computer Security Objectives
    Mission Statement Format
    Allocation of Information Security Responsibilities
    Mission Statement Examples
    Support for the Mission Statement
    Key Roles in Organizations
    Business Objectives
    Information Technology - Code of Practice for Information Security Management
    Terms and Definitions
    Information Security Policy
    Organization Security
    Asset Classification and Control
    Personnel Security
    Physical and Environmental Security
    Systems Development and Maintenance
    Business Continuity Planning


    Thomas R. Peltier