Featured Policy – Security in Outsourced Network Services

Both state and Federal information security laws are placing increased emphasis on the oversight of third-party vendors. Vendor security becomes more critical as networking services are increasingly outsourced via cloud computing. One way to make sure that vendor security is not overlooked is to include these requirements in every third-party service provider contract. To formalize this requirement, consider this sample policy: Security Requirements in Outsourced Network Services.

Policy: All third-party agreements with network service providers must contain defined security requirements so that external networks are at least as secure as Company X internal networks.

Commentary: This policy requires the specific inclusion of information security requirements in any contract with third-party network service providers. While many organizations focus on published metrics such as throughput and availability, any vendor review should also evaluate the security controls of the network services provider. One way to accomplish this is to have the vendor sign an agreement to comply with the security controls specified in a separate network security policy, which must be reviewed and audited annually by the information security and information technology departments. Keeping the security controls separate from the contract language allows new controls to be added and accepted as security requirements change over time, without renegotiating the contract itself.

(One of over 1400 sample policies and commentary from Information Security Policies Made Easy, by Charles Cresson Wood.)

Information Security Policies Made Easy is your definitive resource for comprehensive information security policies for your enterprise.

Information Security Policies Made Easy is the "gold standard" information security policy resource, based on the 25-year consulting experience of Charles Cresson Wood, CISSP, CISA. The most complete security policy library available, ISPME contains over 1360 pre-written information security policies covering over 200 security topics, organized in ISO 17799 format. Take the work out of creating, writing, and implementing security policies!

Information Security Policies Made Easy has everything you need to save time and money building or updating written security policies, including:

1. A complete information security policy library with over 1360 individual pre-written security policies including:

  • Coverage of the latest technical, legal and regulatory issues
  • ISO 17799 outline format, allowing for easy gap-analysis against existing standards and security frameworks
  • Expert commentary discussing the risks mitigated by each policy
  • Target audience (management, technical, or user) and security environment (low, medium, high) for each policy
  • Policy coverage maps for Sarbanes-Oxley (COBIT) and HIPAA security

2. Eighteen complete pre-written security policy documents that every company should have, updated and ready to use “as is” or with easy customization, including:

  • User-targeted policies such as: Electronic Mail Policy, Internet Security Policy for End Users and Web Privacy Policy
  • Organization-wide policies such as: High-Level Security Policy, Privacy policy, Information Ownership Policy
  • Technology-based policies such as: Firewall Policy, Data Classification Policy and Network Security Policy
  • A sample risk acceptance memo for the approval of out-of-compliance situations, a sample non-disclosure agreement, and a user policy acceptance agreement

3. Expert advice on the security policy development and review process, including:

  • A step-by-step checklist of security policy development tasks to quickly start a policy development project
  • Helpful tips and tricks for getting management buy-in for information security policies and education
  • Tips and techniques for raising security policy awareness
  • Real-world examples of problems caused by missing or poor information security policies
  • Policy development resources such as Information Security Periodicals, professional associations and related security organizations

4. All content included on an easy-to-use CD-ROM with an indexed and searchable HTML interface for easy location, featuring:

  • Policies available in HTML, PDF, and MS Word formats
  • Easy cut-and-paste into existing corporate documents
  • Extensive cross-references between policies that help the user quickly understand alternative solutions and complementary controls

Information Security Policies Made Easy covers virtually every aspect of corporate information security including:

  • Privacy issues
  • Identity Theft
  • Web pages
  • Firewalls
  • Employee surveillance
  • Electronic commerce
  • Digital signatures
  • Computer viruses
  • Encryption
  • Contingency planning
  • Logging controls
  • Internet
  • Intranets
  • Corporate Governance
  • Outsourcing security functions
  • Computer emergency response teams
  • Microcomputers
  • Local area networks
  • Voice Over IP
  • Password selection
  • Electronic mail
  • SPAM Prevention
  • Data Classification
  • Telecommuting
  • Telephone systems
  • Portable computers
  • User security training
  • Information Security Related Terrorism
