CHAPTER 44

SECURITY POLICY GUIDELINES

M. E. Kabay and Bridgitt Robertson

44.1 INTRODUCTION

44.2 TERMINOLOGY

44.2.1 Policy

44.2.2 Controls

44.2.3 Standards

44.2.4 Procedures

44.3 RESOURCES FOR POLICY WRITERS

44.3.1 ISO/IEC 17799: 2005

44.3.2 COBIT

44.3.3 Informal Security Standards

44.3.4 Commercially Available Policy Guides

44.4 WRITING THE POLICIES

44.4.1 Orientation: Prescriptive and Proscriptive

44.4.2 Writing Style

44.4.3 Reasons

44.5 ORGANIZING THE POLICIES

44.5.1 Topical Organization

44.5.2 Organizational

44.6 PRESENTING THE POLICIES

44.6.1 Printed Text

44.6.2 Electronic One-Dimensional Text

44.6.3 Hypertext

44.7 MAINTAINING POLICIES

44.7.1 Review Process

44.7.2 Announcing Changes

44.8 SUMMARY

44.9 FURTHER READING

44.10 NOTES

44.1 INTRODUCTION.

This chapter reviews principles, topics, and resources for creating effective security policies. It does not propose specific guidelines except as examples. Many of the chapters in this Handbook discuss policy; a few examples are listed next:

Chapter 23 provides an extensive overview of physical security policies.

Chapter 25 discusses local area network security issues and policies.

Chapter 38 reviews software development policies.

Chapter 39 surveys quality assurance policies.

Chapter 45 provides guidance on employment policies from a security standpoint.

Chapter 47 includes policies for improving operations security and production.

Chapter 48 reviews specific recommendations for e-mail and Internet usage.

Chapter 49 looks at methods ...
