information-security-policies-roles-and-responsibilities-made-easy-rothstein-publishing

Information Security Policies Made Easy PLUS Roles, Responsibilities Made Easy: SPECIAL OFFER

Name: Information Security Policies Made Easy PLUS Roles, Responsibilities Made Easy: SPECIAL OFFER
SKU: DR755
Price: 1095.00 USD
Availability: InStock

$1,095.00

Information Security Policies Made Easy is the “gold standard” information security policy template library, with over 1500 pre-written information security policies covering over 200 security topics. Based on the 25 year consulting experience of Charles Cresson Wood, CISSP, CISA, it is the most widely used policy library in the world, with over 10,000 customers in 60 countries. Take the work out of creating, writing, and implementing security policies.

Information Security Roles and Responsibilities Made Easy by security expert Charles Cresson Wood, provides over 70 pre-written job descriptions, mission statements, and organization charts that you can easily customize for your own organization.

Save $195 by purchasing them together!

Description

Information Security Policies Made Easy has everything you need to build a robust security policy program, including:

Thirty-eight (38) essential sample security policy documents:

Complete coverage of essential security topics including: Access Control Policy, Network Security Policy, Personnel Security, Information Classification, Physical Security, Acceptable Use of Assets, and many more.
All samples policies in our MS-Word Best Practices Policy Template. Customized in minutes!

Complete 1500+ information security policy statement library

1500 individual pre-written security policies covering of the latest technical, legal and regulatory issues
ISO 17799:2005 (ISO 27002) outline format, allowing for easy gap-analysis against existing standards and security frameworks
Expert commentary discussing the risks mitigated by each policy
Target audience (management, technical, or user) and security environment (low, medium, high) for each policy
Policy coverage maps for PCI-DSS, NIST, ISO 27002, FFIEC and HIPAA-HiTECH security

Expert information security policy development advice and tools

A step-by-step checklist of security policy development tasks to quickly start a policy development project
Helpful tips and tricks for getting management buy-in for information security policies and education
Tips and techniques for raising security policy awareness
Real-world examples of problems caused by missing or poor information security policies
Essential policy compliance forms such as Risk acceptance memo, incident Reporting Form and Security Policy Compliance Agreement.

Comprehensive Information Security Policy Coverage

Information Security Policies Made Easy covers over 200 essential information security topics including:

Access Control
Acceptable Use
Application Development
Biometrics
Computer emergency response teams
Computer viruses
Contingency planning
Corporate Governance
Data Classification and Labeling
Data Destruction
Digital signatures
Economic Espionage
Electronic commerce
Electronic mail
Employee surveillance
Encryption
Firewalls
FAX communications
Incident Response
Identity Theft
Information Ownership
Information Security Related Terrorism
Internet
Local area networks

Intranets
Logging controls
Microcomputers
Mobile Devices
Network Security
Outsourcing security functions
Password Management
Personnel Screening and Security
Portable computers (PDA, Laptops)
Physical Security
Privacy issues
Security Roles and Responsibilities
Social Engineering (including “phishing”)
SPAM Prevention
Telecommuting
Telephone systems
Third Party Access
User security training
Web Site Security
Wireless Security
Voice Over IP (VOIP)
And many more!

Information Security Roles & Responsibilities Made Easy provides:

Over 70 pre-written, time-saving information security documents

29 information-security-related committee, board, and department mission statements, with information security responsibilities reflecting the latest technical and legal requirements.
Over 40 information-security-related job descriptions.
12 separate information security organization structures with discussions of pros and cons of each.
Specification and discussion of 29 critical information security documents that every organization should have.
Standard practices that have been shown to be effective at over 125 organizations around the world.

How to persuade management to properly document information security roles and responsibilities, including an easily-customized sample management memorandum.

Reducing the total cost of information security services by properly documented roles and responsibilities.
Discussion of responsibility and liability as it relates to documented information security roles, including citations supporting the legal notion of the standard of due care.
Information security staffing data and analysis to help gain management support for additional resources.
Common mistakes many organizations make and how to avoid them.

Justification to help increase management’s awareness and funding of information security:

How to persuade management to properly document information security roles and responsibilities, including an easily-customized sample management memorandum.
Reducing the total cost of information security services by properly documented roles and responsibilities.
Discussion of responsibility and liability as it relates to documented information security roles, including citations supporting the legal notion of the standard of due care.
Information security staffing data and analysis to help gain management support for additional resources.
Common mistakes many organizations make and how to avoid them.

Specific advice on how to plan, document and execute an information security infrastructure project:

Information on how to properly review and update information security roles and responsibilities, including department interview techniques.
How to schedule project resources and time lines for documenting roles and responsibilities.
Detailed discussion of the Data Owner, Custodian and User roles.
Actions you should take to reduce your organization’s exposure to workers in information security related positions of trust.
The synergy between role based access control (RBAC) and clarification of information security roles and responsibilities.

How to Maintain Security Dealing with Third Parties:

Pros and cons of outsourcing security functions, including validation and security when outsourcing.
The security roles and responsibilities of software and hardware vendors.
Decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties

Valuable staffing advice for information security professionals:

Characteristics of effective information security professionals, including discussion about the pros and cons of hiring hackers and others who have been on the wrong side of the law.
Specific performance criteria for individuals and teams.
An expanded list of new information professional certifications with web sites, phone numbers, and addresses for each.

Information Security Policies Made Easy and Information Security Roles and Responsibilities Made Easy are available for electronic download. Each product contains a print-ready PDF, editable MS-Word templates and an organization-wide license to republish the materials. (No physical CD or book).

Information Security Policies Made Easy and Information Security Roles and Responsibilities Made Easy are also available separately.

ISPME Contents

Comprehensive Information Security Policy Coverage

Information Security Policies Made Easy covers over 200 essential information security topics including:

Access Control
Acceptable Use
Application Development
Biometrics
Computer emergency response teams
Computer viruses
Contingency planning
Corporate Governance
Data Classification and Labeling
Data Destruction
Digital signatures
Economic Espionage
Electronic commerce
Electronic mail
Employee surveillance
Encryption
Firewalls
FAX communications
Incident Response
Identity Theft
Information Ownership
Information Security Related Terrorism
Internet
Local area networks

Intranets
Logging controls
Microcomputers
Mobile Devices
Network Security
Outsourcing security functions
Password Management
Personnel Screening and Security
Portable computers (PDA, Laptops)
Physical Security
Privacy issues
Security Roles and Responsibilities
Social Engineering (including “phishing”)
SPAM Prevention
Telecommuting
Telephone systems
Third Party Access
User security training
Web Site Security
Wireless Security
Voice Over IP (VOIP)
And many more!

Information Security Policies Made Easy, Version 13 is available for electronic download. Each product contains a print-ready PDF, MS-Word templates and an organization-wide license to republish the materials.

Information Security Policy – Product Contents

Information Security Policies Made Easy has all of the templates and tools you need to develop information security policies quickly and effectively.

How to Develop Information Security Policies

Expert help by Charles Cresson Wood on how to develop information security policies that really work in your organization. Topics include:

Defining Information Security Policies
Importance of Security Policies
Considerations In The Policy Development Process
Policy Development Time Line
Policy Document Length
Policy Usage
Policy Objectives And Scope

Information Security Policy Statement Library

The complete library contains over 1500 information security policy statements with expert commentary on the following information security topics within the Common Policy Library (CPL).

IT Risk Management

1.1. Risk Management Program

Security Policies & Procedures

2.1. Security Policy and Procedure Development

2.2. Security Policy Management

Security Program Management

3.1. Security Program Governance

3.2. Information Security Organization

3.3. Security Compliance Evaluation

Asset Management

4.1. Asset Procurement

4.2. Asset Inventory

4.3. Asset Accountability

4.3.1. Asset Classification

4.3.2. Asset Ownership Assignment

4.4. Asset Protection

4.4.1. Asset Assignment

4.4.2. Configuration Control

4.4.3. Asset Management

4.5. Acceptable Use of Assets

4.6. Asset Removal and Transfer

4.7. Asset Disposal

4.8. Mobile Computing

Information Management

5.1. Information Collection

5.2. Information Classification

5.3. Information Exchange and Transit

5.4. Information Storage and Retention

5.5. Information Disposal

Third Party Management

6.1. Third Party Risk Management

6.2. Third Party Contracts

6.3. Third Party Service Delivery

Personnel Security

7.1. Personnel Security Management

7.2. Security Awareness and Training *

Access Control

8.1. Access Control Systems

8.2. User Access Management

8.3. User Account Management

8.4. Remote Access and Mobile Computing

Network Security

9.1. Intrusion Protection

9.2. Network Controls

9.3. Wireless Networks

Physical & Environmental Security

10.1 Physical Security Planning

10.1. Site Security

10.2. Processing Facilities Security

10.3. Office and Facility Security

Operations Management

11.1. Security Operations Management

11.2. System Planning

11.3. Systems Management

11.4. Change Management

11.5. Malicious Software

11.6. Encryption and Key Management

Application Security Management

12.1. Application Development Security

12.2. Transaction Controls

12.3. Web Site Security

Incident Detection & Management

13.1. Security Incident Planning

13.2. Security Incident Response

13.3. Data Breach Management

IT Business Continuity and Contingency Planning

14.1. Information Backup

14.2. IT Business Continuity Governance

14.3. Business Continuity Planning

Security Monitoring and Audit

15.1. Information Security Logs

15.2. System Monitoring and Audit

Data Privacy and Personal Information

16.1. Employee Privacy

16.2. Customer Privacy

16.3. Identity Theft Prevention

16.4. Privacy Governance

Sample Information Security Policy Documents

All the security topics you need! ISPME contains each of the following complete security policy documents in MS-Word format and organized in our best-practices security policy template. Easily to customize and use.

00 -Sample High-Level Information Security Policy

1.0 Sample IT Risk Management Security Policy

2.0 Sample Information Security Program Policy

3.0 Sample Information Security Organization Policy

4.0 Sample Audit and Compliance Assessment Policy

5.0 Sample Asset Management Policy

6.0 Sample Acceptable Use of Assets Policy

7.0 Sample Acceptable Use of Social Networking Policy

8.0 Sample Cloud Computing Security Policy

9.0 Sample Mobile Computing Security Policy

10.0 Sample Remote Working (Telecommuting) Security Policy

11.0 Sample Personally Owned Devices (BYOD) Security Policy

12.0 Sample Information Classification Policy

Sample Information Exchange Policy
Sample Information Storage and Retention Policy
Sample Information and Media Disposal Policy
Sample Third Party Security Management Policy
Sample Personnel Security Management Policy
Sample Security Awareness and Training Policy
Sample Access Control Security Policy
Sample Account and Privilege Management Policy
Sample Remote Access Security Policy
Sample Network Security Management Policy
Sample Firewall Security Policy
Sample Wireless Network Security Policy
Sample Physical Security Policy
Sample System Configuration Management Policy
Sample Change Management Policy
Sample Malicious Software Management Policy
Sample Encryption and Key Management Policy
Sample Application Development Security Policy
Sample Security Incident Response Policy
Sample Data Breach Response Policy
Sample Backup and Recovery Policy
Sample IT Business Continuity Policy
Sample Log Management and Monitoring Policy
Customer Data Privacy Policy
Sample Best Practices Information Security Policy Template

Sample Security Policy Compliance Documents

In addition to sample policy documents, the following forms and agreements help you implement your information security program.

Information Security Policy Compliance Agreement
Management Risk Acceptance Memo
Two-Page Simple Non-Disclosure Agreement
Sample Data Classification Quick Reference Table
Sample Identity Token Responsibility Statement
Sample Employment Termination Procedure
Sample Security Incident Reporting Form

Sample Information Security Policy Glossary

Information Security Policy Development Resources

Policy Development Plan Checklist (Appendix D)
Suggested Next Steps after Policy Development (Appendix E)

List Of Suggested Awareness-Raising Methods (Appendix F)
Regulatory Requirements for Information Security Policies (Appendix G)

Using This Guide for Regulatory Requirements
Using this guide for PCI-DSS.
Using this guide for HIPAA/HiTECH Security Requirements
Using this guide for Sarbanes-Oxley Requirements
Using this guide for NIST (FISMA) Security Requirements

Index Of New Information Security Policies
About the Author

Authors

About Charles Cresson Wood

Recipient of Computer Security Institute’s Lifetime Achievement Award

Charles Cresson Wood, CISSP, CISM, CISA is an author, researcher, and management consultant based in Mendocino, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute), as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.

He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in information security architectures, information security requirement statements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

He has published over 375 technical articles and six books in the information security field. In addition to various TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.

For over 10 years, Mr. Wood was a Senior North American Editor for the Elsevier academic research journal called “Computers &Security” and the practitioner’s newsletter entitled “Computer Fraud & Security Bulletin.” For over 17 years, for the Computer Security Institute, he wrote a monthly column about information security policies for the newsletter entitled “Computer Security Alert.” He as also been an information security strategy columnist for the global technology media company called TechTarget.

He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has also passed the Certified Public Accountant (CPA) examination. He is a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for his “sincere dedication to the computer security profession.” Mr Wood is currently attending St. Francis School of Law, on a part-time basis, and when he graduates and passes the California bar exam, he intends to specialize in intellectual property protection and privacy matters.

Here is a sampling of the over 375 security related articles by Charles Cresson Wood:

“Researchers Must Disclose All Sponsors And Potential Conflicts,” Computer Security Alert, No. 197, March 2000; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.220]
“Integrated Approach Includes Information Security,”Security, pp. 43-44,February 2000; Publisher: Cahners, Des Plains, IL. [pub. no.219]

“Get Data Safety Policies In Place,” American Banker, 11 February 2000, p. 7;Publisher: American Banker, New York, NY.[pub. no. 218]
“All Internet Personal Data Gathering Techniques Must Be Disclosed,” Computer Security Alert, No. 196,
February 2000; Publisher: Computer SecurityInstitute, San Francisco, CA. [pub.no. 217]

“The Information Security Profession: Evolutionary Career Paths,” Information Security, November 1999;Publisher: published by ICSA.net, Norwood, MA. [pub. no. 214]

“Disclosures Of Private Information Without Data Subject Consent,” Computer Security Alert, No. 193, November 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.212]

“Termination Of Outsourcing Contracts For Security Violations,” Computer Security Alert, No. 191, September 1999; Publisher:Computer Security Institute, San Francisco, CA. [pub. no. 210]

“Top Ten Impediments To Implementing An Information Security Policy,” Information Security, September 1999, Publisher: Information Security, Norwood, MA (cover story). [pub. no.209]
“A Functional Comparison Of Tandem Data Replication Software Packages,”
an extensive independent report prepared for customers and prospects, August 1999; Publisher: Compaq Corporation, Cupertino,CA. [pub. no. 207]

“Subjects Given Opportunity To Block Private Information Disclosures,”Computer Security Alert, No. 189, June 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 205]

“Use Of Personal Digital Assistants, Hand-Held Computers, And Smart Phones For Corporate Business Information,” Computer Security Alert, No. 186, March 1999; Publisher: Computer Security Institute,
San Francisco, CA. [pub. no.202]

“All Systems Access Privileges Cease When Workers Terminate,” Computer Security Alert, No. 185, February 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.202]

“Non-Compliance And Disciplinary Action,” Computer Security Alert, No. 182, November 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 198]

“Convenience Versus Multi-Factor User Authentication,” Computer Security Alert, No. 181, October 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.196]

“Twelve New Vulnerabilities Introduced by Internet Commerce,” Information Security Bulletin, September 1998 (volume 3, issue 6, cover story), Publisher: Chi Publishing Ltd., London, England. [pub. no.195]

“All Telephone Transactions Require Positive Caller Identification,” Computer Security Alert, No. 179, August 1998; Publisher: Computer Security Institute,San Francisco, CA. [pub. no.193]

“TheTruth About Masquerading and Spoofing,” Network Magazine, February 1998; Publisher: Miller Freeman,San Francisco, CA. [pub. no.183]

“Unauthorized Information Disclosure and Loss of Stock Options,” Computer Security Alert, No. 173, December 1997; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.185]

“Managing Perceptions About Internet Electronic Commerce Security,” Computer Security, Audit & Control, February 1997; Publisher: Management Advisory Services Publications, Wellesley Hills,MA. [pub. no. 165]

“Information Security: Are We Winning the Game?” Computer Fraud &Security Bulletin, January 1997;
Publisher: Elsevier Science Technology,Oxford, England. [pub. no.162]

“Encryption for Files Left on Anonymous FTP Servers,” Computer SecurityAlert, No. 163, October 1996; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.159]

“Encryption Systems Must Include Key Escrow,” Computer Security Alert, No. 157, April 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 152]

“Cryptography Plays Central Role in Future Electronic Commerce,” March 1996, pp. 9-10, Computer Fraud & Security Bulletin; Publisher: Elsevier Science Technology, Oxford, England. [pub. no.151]

“Users Must Not Attempt to Eradicate Viruses,” Computer Security Alert, No. 156, March 1996; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.150]

“EDPAudit Must Be Independent of Information Security,” Computer Security Alert, No. 155, February1996; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.147]

“Reliance on Information Downloaded From Internet,” Computer Security Alert, No. 153, December 1995; Publisher:Computer Security Institute, SanFrancisco, CA. [pub. no.145]

“When to Report Computer Crimes to Law Enforcement,” Computer Security Alert, No. 151, October 1995; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.141]

“New Intellectual Property and the Need for Information Security,” ComputerFraud & Security Bulletin, September 1995, pp. 18-19; Publisher: Elsevier Science Ltd., Oxford, England. [pub.no. 139]

“Require Approval for Official Statements Posted to the Internet,” Computer Security
Alert, No. 149, August 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.136]

“Internet Anarchy and the Effectiveness of Laws,” Computerworld, 12 June1995. Expanded version also appears as “Need for Worldwide Internet Laws,” inComputer Fraud & Security Bulletin, p.10, July 1995, Elsevier Science Publishers, Oxford, England. [pub. no.133]

“ISO9000 and Information Security,” Computers & Security, vol. 14, no. 4,pp. 287-288, October 1995; Publisher: Elsevier Science Publishers, Oxford,England (co-author Karen Snow). [pub.no. 131]

“WhySATAN Should Not Have Been Distributed As It Was,” Computer Security Alert,No. 146, May 1995; Publisher: Computer Security Institute, San Francisco, CA.[pub. no. 128]

“Destroy Archived Electronic Mail Periodically,” Computer Security Alert, No. 142, January 1995; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.124]

“Wireless Network Security,” Proceedings of Wireless Datacom ’94 Conference held in Washington, DC, 6-8 December 1994;Publisher: Business Communications Review,Hinsdale, IL. [pub. no.122]

“Fifty Ways to Secure Dial-Up Communications,” Computers & Security, May 1994, vol. 13, no. 3, pp. 209-215; Publisher: Elsevier Advanced Technology, Oxford, England. [pub. no.118]

“Identity Token Usage at American Commercial Banks,” Computer Fraud & Security Bulletin, March 1995; Publisher:Elsevier Science Publishers, Oxford England, pp. 14-16. [pub. no.114]

“Security Problems in Collaborative Computing,” Network World, October 1994; Publisher: International Data Group, Framingham,MA. [pub. no. 113]“The Newest Threat to Information Security: Open Book Management,” EDPACS, August 1994; Publisher: WarrenGorham Lamont, Boston,MA. [pub. no. 110]

“Principles of Secure Information Systems Design with Groupware Examples,” Proceedings of the Groupware ’92 Conference, held in San Jose, California 3-5 August 1992; Publisher: Morgan Kaufmann Publishers, San Mateo, CA. [pub. no. 75]“A Strategy for Developing Information Security Documents,”
Journal of Information Systems Security, vol. 1, issue 2,Summer 1992, pp. 71-78; Publisher: Auerbach Publishers, New
York, NY (co-author: Juhani Saari). [pub. no. 68]

“Using Information Security to Achieve Competitive Advantage,” Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, California.[pub. no. 58]“Data Dictionaries and Information Security,” Proceedings of SECURICOM ’84 International Conference, Cannes, France,29 February – 2 March 1984, pp. 55-63; Publisher: SEDEP, Paris,
France. [pub. no. 24

“International Barriers to Information Flows,” SRI International Business Intelligence Report, Report #1057, March 1981; Publisher: SRI International, Menlo Park, CA. [pub. no. 10]

“Computer Crime: Criminal Justice Resource Manual,” with Parker, Donn B., Publisher: U.S. Government Printing Office, Washington, DC; prepared for U.S. Department of Justice; order no. 1979-311-379/1710,
1979. [pub. no. 1]

WHAT's NEW in ISPME Version 13?

New and Updated Sample Security Policy Documents

Information Security Policies Made Easy, Version 13 contains these updates:

Security Policy Library Update for the Common Policy Library (CPL) and ISO 27002:2013

The ISPME Version 13 security policy library has been updated to reflect the new Common Policy Library (CPL). The CPL is a set of common information security policies that enable organizations to comply with multiple data protection laws including ISO 27002, PCI-DSS and HIPAA/HiTECH. ISPME is the most complete library of security policies available covering over 200 different information security topics.

38 Updated “Ready-to-Go” Sample Security Policy Templates

Version 13 now contains 38 complete, pre-written sample information policy documents in MS-Word format, including:

Sample High-Level Information Security Policy
Sample IT Risk Management Security Policy
Sample Information Security Program Policy
Sample Information Security Organization Policy
Sample Audit and Compliance Assessment Policy
Sample Asset Management Policy
Sample Acceptable Use of Assets Policy
Sample Acceptable Use of Social Networking Policy
Sample Cloud Computing Security Policy
Sample Mobile Computing Security Policy
Sample Remote Working (Telecommuting) Security Policy
Sample Personally Owned Devices (BYOD) Security Policy
Sample Information Classification Policy
Sample Information Exchange Policy
Sample Information Storage and Retention Policy
Sample Information and Media Disposal Policy
Sample Third Party Security Management Policy
Sample Personnel Security Management Policy
Sample Security Awareness and Training Policy
Sample Access Control Security Policy
Sample Account and Privilege Management Policy
Sample Remote Access Security Policy
Sample Network Security Management Policy
Sample Firewall Security Policy
Sample Wireless Network Security Policy
Sample Physical Security Policy
Sample System Configuration Management Policy
Sample Change Management Policy
Sample Malicious Software Management Policy
Sample Encryption and Key Management Policy
Sample Application Development Security Policy
Sample Security Incident Response Policy
Sample Data Breach Response Policy
Sample Backup and Recovery Policy
Sample IT Business Continuity Policy
Sample Log Management and Monitoring Policy
Customer Data Privacy Policy
Sample Best Practices Information Security Policy Template

New Policy Compliance Tools

The updated Master Policy List allows easy gap-analysis for your existing policies. A newly-added Best Practices Policy Template enables your organization to easily reference existing policies to compliance frameworks such as HIPAA, COBIT or PCI-DSS.

Information Security Policy Compliance Agreement
Management Risk Acceptance Memo
Two-Page Simple Non-Disclosure Agreement
Sample Data Classification Quick Reference Table
Sample Identity Token Responsibility Statement
Sample Employment Termination Procedure
Sample Security Incident Reporting Form
Sample Information Security Policy Glossary

120+ New Information Security Policies

Version 13 contains 120 additional pre-written information security policy statements with expert commentary covering the latest security threats and technologies, including:

Audit Logging
BYOD (Bring Your Own Device)
Cloud Computing
Corporate governance
Data Breaches Response
Disposal of equipment
Email security including phishing
Instant messaging
Information Security Coordination
USB storage
Mobile device security
Personnel Security
Physical Security
Risk Management
Social Networking
Supply Chain Security
Security Department coordination
Remote Access and Teleworking
FAX and office machine security
Third-Party Software Development
Third-Party Service Management
Third-Party Information Disclosure
And much more…

Featured Sample Information Security Policies

Classification Of Information Security Policies And Procedures

Policy: All Company X information security documentation including, but not limited to, policies, standards, and procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners.

Commentary:

This policy prevents workers from disclosing to outsiders the specifics of how Company X secures its information and systems. These details could be used to compromise Company X information and systems. For example, knowledge about an internal process may help an industrial spy commit credible social engineering fraud. Because some information security policies are made public (for example on a web page), some workers may get the impression that other information security policies may be publicly released without adverse consequence. Information security policies should be revealed to outsiders only when it is required for business reasons, legal requirements, or because it is the ethical thing to do. Not all of the information security policies need to be released in these instances, and a summary statement is not only advisable but is appreciated by the recipients. Each information security policy document should be marked with an appropriate classification in order to communicate whether or not the policies are public information.

Risk Assessment – Documented Methodology

Policy: Company X must specify and document a formal methodology for performing risk assessments. The specification must include, at a minimum, the risk methodology (quantitative or qualitative) used, specific criteria for ranking assets, sources of vulnerability and threat data, and acceptable risk thresholds.

Commentary: This policy ensures that Company X uses a consistent, documented methodology for performing system risk assessments. By their very nature, risk assessments can be very subjective. By providing documentation of the risk methodology used, the organization can provide some level of consistency between different organizational units or teams performing risk assessments. One example of such a methodology is the Facilitated Risk Assessment (FRA). This process, which utilizes a qualitative risk analysis, is geared to a specific application, system or network. It allows risks to be addressed in financial and non-financial terms, as well as taking into consideration secondary impacts. It is a formal methodology that is driven by the system’s owners, conducted by a facilitator, and can be completed in a relatively short period of time.

Annual Review of Applicable Security Policies

Policy: All Company X employees and contractors must review and acknowledge acceptance of the information security policies which apply to them at least on an annual basis.

Commentary:

One of the key controls in any information security program is the education and training of users on both generic information security principles and specific company policies. This policy requires each user within the organization to read each set of security policies which applies to them, and sign an agreement to acknowledge that they have read and agree to abide by these policies. This policy has been in practice for many years in some organizations, without being formally documented. While many organizations require a user to sign an agreement to abide by policies when they first join the company, many times this form ends up in a personnel file never to be seen again. This policy is not only required by many security-related laws, it is critical documentation for any potential lawsuit involving employee violations of policy. While this seems like a large administrative burden, automated security policy tools that automate much of this process are now available.

Information Ownership Assignment

Policy: The Chief Information Officer (CIO) must clearly specify in writing the assignment of Information Ownership responsibilities for those databases, master files, and other shared collections of information used to support production business activities.

Commentary: This policy establishes a clear and documented delegation of information access control-related authority. A definition of delegated authorities is useful when determining access control permissions. This policy clarifies who is responsible for security and related matters for shared information resources such as a database or network file share (the Owner is). Often information security activities are forgotten when several people are potentially responsible but no one has been specifically assigned responsibility. This policy will be particularly helpful within organizations that rely on database management systems and application programs to enforce access controls.

ISR&RME Contents

1: What This Tool Can Do For You

2: Reasons To Establish Clear Roles & Responsibilities

3: Persuading Management To Document Roles and Responsibilities

Sample Memo To Management – Why Document Security Roles and Responsibilities

4: Before You Document Roles & Responsibilities

5: Updating Roles & Responsibilities

6: Who Should Write Roles & Responsibilities Documents

7: Review & Approval Of Roles &Responsibilities

8: Resources Required To Document Roles & Responsibilities

9: Time Estimates To Document Roles & Responsibilities

10: Key Information Security Documents

Information Security Department and Other Department Missions
Information Security Staff and Other Staff Job Descriptions
Information Security Department Reporting Relationships Diagram
Information Security Awareness Pamphlet
Information Security Awareness Reminder Memos
Information Security Policy Manual
Information Security Standards Document
Information Security Architecture Document
Information Security Action Plan
Information Security Forms
Systems Administration Procedures Manual
Risk Acceptance Memos
Information Systems Contingency Planning Manual
Organizational Code of Conduct
Standard Operating Procedures (SOP) Manual
Systems Development Process Manual
Application System Requirements Documents
User and Computer Operations Application Manuals
Records Management Policies and Procedures Manual
Worker Performance Reviews
Systems Usage Responsibility Agreements
Outsourcing and Consulting Agreements
Confidentiality and Non-Compete Agreements
Human Resources Manual
Physical Security Pamphlet

Sample Organizational Mission Statements (Ch. 11)

Information Security Department
Physical (Industrial) Security Department
Internal Audit Department
EDP Audit Unit
Ethics and Compliance Unit
External Auditing Firm
Records Management Department
Information Technology Department
Help Desk Unit
Network Operations Unit
Computer Operations Unit
Systems Administration Unit
Database Administration Unit
Data Administration Unit
Insurance and Risk Management Department
Contingency Planning Unit
Computer Emergency Response Team
Legal Department
Human Resources Department
Information Security Management Committee
Information Technology Steering Committee
Board of Directors – Audit Committee
Internal Control Committee
Facilities Management Outsourcing Firm

Sample Job Descriptions For Specific Roles

Information Security Department Manager
Access Control System Administrator
Internal Information Security Consultant
Information Security Engineer
Information Security Documentation Specialist
Information Systems Contingency Planner
Local Information Security Coordinator
Chief Information Officer
Information Systems Analyst/Business Analyst
Systems Programmer
Business Applications Programmer
Computer Operations Manager
Computer Operator
Information Systems Quality Assurance Analyst
Help Desk Associate
Archives Manager/Records Manager
Telecommunications Manager
Systems Administrator/Network Administrator
Web Site Administrator/Commerce Site Administrator
Database Administrator
Data Administration Manager
Physical Security Department Manager
Physical Asset Protection Specialist
Building and Facilities Guard
Office Maintenance Worker
Internal Audit Department Manager
EDP Auditor
Internal Intellectual Property Attorney
Human Resources Department Manager
Human Resources Consultant
Receptionist
Outsourcing Contract Administrator
In-House Trainer
Insurance and Risk Management Department Manager
Insurance and Risk Management Analyst
Business Contingency Planner
Public Relations Manager
Chief Financial Officer
Purchasing Agent
Chief Executive Officer

Chapter 13: Information Security Reporting Relationships

Option 1: Information Technology
Option 2: Security
Option 3: Administrative Services
Option 4: Insurance & Risk Management
Option 5: Strategy & Planning
Option 6: Legal
Option 7: Internal Audit
Option 8: Help Desk
Option 9: Accounting & Finance through I.T.
Option 10: Human Resources
Option 11: Facilities Management
Option 12: Operations
Summary

Chapter 14: Template Customization Factors

Local Laws and Regulations
Industry Category
Criticality to the Business
Line or Staff Organizational Culture
Scope of Information Security Function
Information Security Effort Sophistication
Size of Organization
Outsourcing
Intended Audience
Separation of Duties
Cross-Training and Backup
Formatting

Chapter 15: Owner, Custodian, And User Roles

Chapter 16: Roles & Responsibilities Of Product Vendors

Chapter 17: Roles & Responsibilities Of Outsourcing Firms

Chapter 18: Adjustments For Smaller Organizations

Chapter 19: A Centralized Organizational Structure

A Few Critical Distinctions
Information Security Activities That Should Be Centralized
Why Centralized Information Security Management Is Advisable
Drawbacks Of Centralized Information Security Management
Resolving A Variety Of Implementation Issues

Chapter 20: Workers In Information Security Related Positions Of Trust

Nature Of The Problem

Suggested Strategies

Chapter 21: Common Mistakes You Should Avoid

Appendix A: Information Security Staffing Levels Information Security Staffing: Calculating the Standard of Due Care

Appendix B: Personal Qualifications

Excellent Communication Skills
Ability to Resolve Conflicts Between Security and Business Objectives
Ability to See the Big Picture
Basic Familiarity with Information Security Technology
Commitment to Staying on Top of the Technology
Familiarity with Information Security Management
Tolerance for Ambiguity and Uncertainty
Ability to Manage Many Important Projects Simultaneously
Ability to Work Independently
A Certain Amount of Polish

Appendix C: Performance Criteria

Information Security Department Metrics
Individual Worker Metrics

Appendix D: Professional Certifications

Appendix E: Responsibility and Liability

Appendix F: Sample User Responsibility Agreement

Appendix G: Disclosing Roles and Responsibilities

Appendix H: Role Based Access Control

About the Author: Charles Cresson Wood

What's New in ISR&RME Version 3

Information Security Roles and Responsibilities Made Easy, Version 3 is the new and updated version of the best-selling security resource by Charles Cresson Wood, CISSP, CISA, CISM. Version 3 is based on the 30 year consulting and security experience of Mr. Wood and contains these new, updated features to help you save money while establishing a due-care information security organization:

New Department Mission Statements

1. Updated information-security-related committee, board, and department mission statements, including new descriptions for Disaster Recovery Team, Change Control Committee, Privacy Oversight Committee, and a Board Of Directors Governance Committee.

New information-security-related job descriptions

2. Over forty updated information-security-related job descriptions including brand new job descriptions for Chief Privacy Officer (CPO), Chief Security Officer (CSO), Chief Knowledge Officer (CKO), Ethics Officer and Data Librarian.

3. Expanded job descriptions and mission statements reflecting the latest business and technological developments (such as digital rights management systems and wireless networks) and legislative and regulatory requirements such as those of the Sarbanes Oxley Act.

More Expert Advice on Building the Security Organization

4. Additional management justifications for compiling, documenting and updating roles and responsibilities, including ways in which this effort minimizes the cost of providing adequate information security services.

5. A significantly expanded discussion of the pros and cons of outsourcing the information security function, including outsourcing-firm due-diligence, secure outsourcing procedures, and possible conflicts of interest when retaining a third party.

6. Actions you should take to reduce your organization’s exposure to workers in information security related positions of trust.

7. Added citations supporting the legal notion of the standard of due care as it relates to management responsibility, including discussion of the Hooper Doctrine, to help justify an investment in information security organizational infrastructure.

8. An expanded discussion of the personality characteristics needed for work in information security, including discussion about the pros and cons of hiring hackers and others who have been on the wrong side of the law

9. New decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties.

10. Updated information security professional certifications with web sites, phone numbers, and addresses so the reader can easily get more information about them.

11. A new appendix which explores the synergy between role based access control (RBAC) and clarification of information security roles and responsibilities.

Information Security Roles and Responsibilities Made Easy, Version 3.0 contains easily-customized documents in MS-Word format

Reviews

Most Recommended by Security Pros!

Information Security Policies Made Easy is recommended by your peers, including top information security and data privacy experts. Here are a few of them:

“If I could have only six books in my professional library, this would be one of them.”
Dr. Harold Highland
Editor, Emeritus of Computers & Security Magazine

“Information Security Policies Made Easy (ISPME) is one of the most important information security books available for those who are serious about creating a comprehensive set of information systems security policies. Given the dynamic nature of technology, very few technology books can stand the test of time and remain relevant for a few years, let alone a decade after their original printing.”
Ben Rothke CISSP, CISM
Director – Security Technology Implementation, AXA Technology Services

“The [ISPME] guidelines have saved three months of manual effort that would have been required to research and write policies.”
Douglas Feil
EDP Audit Manager, City & County of San Francisco,
Network Management Systems & Strategies

“It gave us everything we needed to help us write standards and communicate [policies] in a clear, concise manner with no ambiguity or technical jargon … the book paid for itself in two weeks.”
Jonah Goldsmith
Data Security Consultant to Large Medical Insurance Company, LAN Times

“If you are an auditor, business security or InfoSec specialist, part of corporate management or other business professional, and want to be sure you have a strong foundation for your InfoSec program, you must get and use this book. This book contains not only policies but also a guideline on how to use the policies; provides matrices that make it easier to understand how they all fit together; and many useful appendices. Some may say that this book is too expensive and one can find cheaper books of InfoSec policies. If you go cheap you get cheap. Can you afford to do that when mistakes can be costly and when the protection of your company’s information and competitive edge may be at stake? Buy this book, use it and start building a comprehensive InfoSec program for your company.”
Dr. Gerald L. Kovacich
ShockwaveWriters.Com

“Information Security Policies Made Easy is an indispensable tool for anyone who needs to develop a HIPAA security policy. Those who are familiar with the hardbound version of the classic work by Charles Cresson Woods will be amazed by this interactive format. Navigation aids such as the ‘find’ command allowed me to cut my development time considerably.”
Harry E. Smith, CISSP, Co-Founder
PrivaPlan Associates, Inc.

“This is the gold standard Policy reference for any serious security practitioner to have in their arsenal of tools, a must have! The instructions and examples for establishing security polices and implementation processes add real value to this edition.”
John B. Kramer, CISSP, CISA
Information Security Manager – UPMCHS

“Wood has created a complete kit of proven best practices that any organization can use and customize to make policies meeting their exact needs.”
Jay Heiser
Columnist, Information Security Magazine.

“In 1993, I was asked to develop my first information security policy. I began by cutting and pasting a series of thoughts and calling that a policy. Usually these policies were rejected by management. To ensure that my organization had strong Information Security policies in place, I purchased a copy of Information Security Policies Made Easy. Quickly I learned that creating a policy was a process that included writing policies, editing policies, obtaining management approval, communicating policies, and implementing controls to meet the policy requirements. The book provides the reader with the tools necessary to develop policies, including an easy to use CD (fully-linked and searchable).”
Diana-Lynn Contesti, CISSP, SSCP
Information Security Officer – Dofasco Inc.

“Charles Cresson Wood…is an expert’s expert, and knows more about computer security policies than anyone I know.”
Michael Alexander
Editor, Datamation

“This book is invaluable to those responsible for creating or maintaining an information security policy manual or similar documents.”
Belden Menkus
Editor, EDPACS

================================

Review of ISR&RME by John Machin, SC Magazine

The many aspects of setting up a security function program in an organization can be hard to understand, let alone perform. Charles Cresson Wood’s latest book, …aims to help organizations through the issues. Though written largely with a North American audience in mind, the book includes many standard practices, which have been effective worldwide.

Information Security Roles and Responsibilities Made Easy is best described as a reference manual, although it is also more than that, as explained below. It is aimed at large organizations that can afford to implement a fully scaled security function. The author, however, recognizes that smaller organizations often have to operate with restricted budgets and resources that are not required on a full-time basis. There is a chapter that deals specifically with options available to smaller organizations.

The book provides, in an easy-to-digest format, what is required to develop information security job descriptions, mission statements and reporting relationships. The author recognizes that IT security is not merely the responsibility of the IT security department, but of the whole enterprise.

The earlier sections of the book deal with information security roles and responsibilities within an organization. The author describes, at some length, the steps required. The book gives good examples of various security based memos and manuals such as risk acceptance memos and the information security policy manual that should be found in a large organization.

The middle section of the book deals with what the author calls mission statements. These are designed to be partial mission statements dealing with the wide-ranging information security responsibilities of various departments. The examples given are informative and cover a wide range of departments, from internal audit to facilities management and outsourcing. Information security staff responsibilities and duties are extensively detailed. The author also touches on information security-related responsibilities and roles for the likes of the chief financial officer and the purchasing agent, in line with the premise that the whole organization must be involved in security.

A further chapter is devoted to information security reporting lines and responsibilities, including the relative merits of centralized and decentralized structures. Here the author discusses various possible reporting lines for information security in organizational chart format and goes on to discuss the pros and cons of each. Examples of these include reporting via the technology department to the strategy and planning department.

A crucial feature of this publication is not merely the information and guidance contained in the 255 pages of the hardcover book. Included in the price is an organization-wide license to republish materials. The accompanying CD-ROM contains what Information Shield describes as “cut-and-paste ready-to-go words” – in other words, do-it-yourself security documents, which the licensed organization may utilize quickly and easily to set up their own documentation.

In conclusion, although this book may not portray anything radically new, it brings the various information on IS under one roof. With the inclusion of the… publication license it is more than just a source of good reference material, it is an excellent resource designed to be easily adapted to an organization’s needs.