The Binomial Bookstore
Rothstein Associates Inc.
Management Issues
INFORMATION SECURITY POLICIES MADE EASY: A COMPREHENSIVE SET OF INFORMATION SECURITY POLICIES
Version 10 (Book + CD-ROM) by Charles Cresson Wood

- - - - - - - - - - -

Information Security Policies Made Easy is the definitive resource for information security policies. Version 10 has everything you need to save money while building a due-care security policy environment, including:

1. A complete policy library with over 1350 individual pre-written security policies, including:
- Coverage of the latest technical, legal and regulatory issues
- ISO 17799 outline format, allowing for easy gap analysis against existing standards and security frameworks
- Expert commentary discussing the risks mitigated by each policy
- Target audience (management, technical, or user) and security environment (low, medium, high) for each policy
- Policy coverage maps for Sarbanes-Oxley (COBIT) and HIPAA security

2. Eighteen complete pre-written security policy documents that every company should have, updated and ready to use "as is" or with easy customization, including:
- User-targeted policies such as: Electronic Mail Policy, Internet Security Policy for End Users and Web Privacy Policy
- Organization-wide policies such as: High-Level Security Policy, Privacy Policy, Information Ownership Policy
- Technology-based policies such as: Firewall Policy, Data Classification Policy and Network Security Policy
- A sample risk acceptance memo for the approval of out-of-compliance situations, a sample non-disclosure agreement, and a user policy acceptance agreement

3. Expert advice on the policy development and review process, including:
- A step-by-step checklist of policy development tasks to quickly start a policy development project
- Helpful tips and tricks for getting management buy-in for information security policies and education
- Tips and techniques for raising security policy awareness
- Real-world examples of problems caused by missing or poor security policies
- Policy development resources such as information security periodicals, professional associations and related security organizations

4. All content available on an easy-to-use CD-ROM with an indexed and searchable HTML interface for easy location, featuring:
- Policies available in HTML, PDF and MS Word format
- Easy cut-and-paste into existing corporate documents
- Extensive cross-references between policies that help the user quickly understand alternative solutions and complementary controls

Information Security Policies Made Easy Version 10 covers virtually every aspect of corporate information security, including:
- Privacy issues
- Identity theft
- Web pages
- Firewalls
- Employee surveillance
- Electronic commerce
- Digital signatures
- Computer viruses
- Encryption
- Contingency planning
- Logging controls
- Internet
- Intranets
- Corporate governance
- Outsourcing security functions
- Computer emergency response teams
- Microcomputers
- Local area networks
- Voice over IP
- Password selection
- Electronic mail
- Spam prevention
- Data classification
- Telecommuting
- Telephone systems
- Portable computers
- User security training
- Information security related terrorism

- - - - - - - - - - -

This electronic book includes both hardcopy and CD-ROM (MS Word and Word Perfect for the IBM-PC, MS Word for the Macintosh, as well as ASCII flat files for any other word processing package). Forget retyping, scanning, photocopying, etc. Simply do keyword searches, compare various policies, choose appropriate ones and "cut-and-paste" to create a custom document.
Additional LAN and PC indices accelerate location of pertinent material.

- - - - - - - - - - -

NEW IN VERSION 10

The following policies, with their corresponding policy reference number in the ISO 17799 outline, have been added to Information Security Policies Made Easy Version 10.

- 3.01.01.12 "Policy-Driven Information Systems Security Architecture"
- 4.01.03.09 "Systems Administrators Don't Handle Security Administration"
- 4.01.03.14 "Authorization To Review Any Information System"
- 4.01.03.27 "Information Access Delegation Path"
- 4.01.03.28 "Information Security Is A Management Responsibility"
- 4.01.03.29 "Clear Assignment Of Internal Controls Accountability"
- 4.01.03.30 "Board Of Directors Audit Committee"
- 4.02.01.11 "Publicly Posting Only Generic Information"
- 4.02.01.15 "Annual Evaluation Of Information Security Operations Outsourcing"
- 4.02.01.16 "Outsourcing Information Security Requires A Risk Assessment"
- 4.02.02.19 "Software Vendors Must Perform Security Tests"
- 4.02.02.20 "Software Vendors Must Submit Third Party Testing Documentation"
- 4.02.02.21 "Operating Systems Must Be Evaluated And Deemed Trustworthy"
- 4.03.01.03 "Third Party Software Developers Access To Source Code"
- 4.03.01.13 "Sensitive Business Activities Performed In Foreign Countries"
- 4.03.01.14 "Remote Alarms Indicate Equipment Area Is Being Accessed"
- 4.03.01.15 "Outsourced Security Must Be At Least As Robust As In-House Security"
- 5.02.01.03 "Internet Domain Name And Host Name Approval Process"
- 5.02.02.16 "Labeling Unbound Hardcopy Material"
- 6.01.02.11 "Worker History Of Computer Crime Or Abuse"
- 6.01.02.22 "Annual Personal Financial Disclosure For Trusted Workers"
- 6.01.04.02 "Ownership Of Employees' Ideas"
- 6.02.01.07 "Specification Of Minimum Information Security Training"
- 6.02.01.18 "Technical Training And Apprenticeship"
- 6.02.01.19 "Training In Software Defect Testing & Correction"
- 6.02.01.21 "Accepting Security Assistance From Outsiders"
- 6.03.01.20 "Reporting Suspected Security Breaches To Third Parties"
- 6.03.01.21 "Initial Response To Report Of Identity Theft"
- 6.03.01.24 "Reporting Unexpected Requests For Log-In Information"
- 6.03.01.27 "Requests To Cooperate In Investigations"
- 6.03.02.6 "Schedule For Responses To Reported Security Problems"
- 7.01.02.20 "Repair People Who Show Up Without Being Called"
- 7.01.02.48 "Return Of Badges By Terminated Workers"
- 7.01.04.04 "Work With Sensitive Materials In Public Areas"
- 7.01.04.06 "Third Party Service Providers Work During Office Hours"
- 7.02.01.17 "Wireless Access Points Need Strong Physical Security"
- 7.02.06.03 "Approval For Removal Of Any Equipment"
- 8.01.01.14 "Reconciling Statistics From Service Providers"
- 8.01.02.07 "Only Widely-Deployed Information Systems Technology"
- 8.03.01.08 "Virus Disclaimer For Downloaded Files"
- 8.03.01.22 "Portable Computers Issued With Standard Configuration"
- 8.04.01.17 "All Electronic Communications Are Recorded And Archived"
- 8.05.01.11 "Security For Domain Name Registrations"
- 8.05.01.12 "Monitoring Shadow Internet Domain Names"
- 8.05.01.13 "Central Registration Of Company X Web And Commerce Sites"
- 8.05.01.14 "Legal Audit For Web And Commerce Sites"
- 8.05.01.24 "Firewall Policy Defining Denied And Permitted Services"
- 8.05.01.25 "Firewall Policy Rule Testing"
- 8.05.01.26 "Immediate Local Backup Of Firewalls After Deployment"
- 8.05.01.27 "Remote Access To Firewalls"
- 8.05.01.38 "Terminating Communications Lines As Soon As Possible"
- 8.05.01.55 "Wireless Access Points Disabled Unless Approved"
- 8.05.01.59 "War Driving To Discover Unauthorized Wireless Access Points"
- 8.05.01.60 "Production Wireless Systems And Fail-Over Alternative Networks"
- 8.06.02.06 "Trash Container Contents Review"
- 8.06.02.07 "Destroying Documents Relevant To Litigation"
- 8.06.02.08 "Secondary Review For Materials Slated For Destruction"
- 8.06.02.13 "Physically Securing Trash Dumpsters"
- 8.06.03.13 "Protecting Outbound Secret Computerized Information"
- 8.07.03.10 "Scripted Response To Detected Intrusions On Commerce Systems"
- 8.07.03.20 "No Storage Of Credit Card Information"
- 8.07.03.21 "Credit Card Fraud Detection And Mitigation System"
- 8.07.03.22 "Signature Required For Delivery Of Internet Orders"
- 8.07.03.25 "Web-Based Secure Channel For Electronic Mail Communications"
- 8.07.03.28 "Individuals Involved With Fraud"
- 8.07.04.07 "Automatic Forwarding Of Electronic Mail Externally"
- 8.07.04.13 "Electronic Mail Message Storage Schedule And Allotment"
- 8.07.04.22 "Centralized Control Over Electronic Mail Systems"
- 8.07.04.29 "Outbound Electronic Mail Footer Approval"
- 8.07.04.36 "Blocking To Field On Systems Containing Private Information"
- 8.07.04.42 "Permissible Uses Of Instant Messaging Facilities"
- 8.07.04.43 "Instant Messaging Without Installed Auditing Tool"
- 8.07.04.44 "All Mail Servers Must Run Approved Spam-Filtering Software"
- 8.07.04.45 "All Outbound Electronic Mail Is Automatically Scanned"
- 8.07.04.46 "Anti-Spam Notices Embedded In Electronic Mail Marketing Messages"
- 8.07.04.47 "Consequences Of Sending Spam Messages"
- 8.07.05.61 "Typing Passwords When Others Are Watching"
- 8.07.06.40 "Web Pages Expressing Views Of Author Only"
- 8.07.06.41 "Disclaimer For Information Posted On Web Site"
- 8.07.07.06 "Fair Disclosure Of Material Financial Information"
- 8.07.07.28 "Logically Separate Voice And Data On IP Networks"
- 8.07.07.29 "VOIP Remote Management Or Auditing Requires Encrypted Channel"
- 8.07.07.30 "Critical Telephone Services Must Not Be Supported Via VOIP"
- 8.07.07.31 "Use Of Softphones That Support VOIP On Personal Computers"
- 9.01.01.07 "Role-Based Access Control Privileges"
- 9.01.01.10 "Every User ID Reflected In Centralized Access Database"
- 9.02.01.15 "Third Party Agreements And User ID Establishment"
- 9.02.01.18 "Project Manager Notification Regarding Third Party Access"
- 9.02.01.23 "Opening Accounts With Discrepancies In Customer Information"
- 9.02.01.24 "Special Procedures For Opening Accounts With A Fraud Alert"
- 9.02.01.25 "Thumbprints Required To Open A New Account"
- 9.02.01.26 "Reuse Of Authentication Credentials On Public Web Sites"
- 9.02.02.09 "Two Person Integrity Rule For Sensitive Information Access"
- 9.02.03.02 "Passwords Set To Expired After Intrusion"
- 9.02.03.12 "Password Changes Performed By Involved User"
- 9.03.01.16 "Password Disclosure Terminates Relationship"
- 9.03.01.23 "Script Files On Portable Computers, PDAs, And Smart Phones"
- 9.03.01.24 "Disclosure Of Sensitive Information Via Web Sites"
- 9.04.02.03 "Machines Connected Only To Internal LAN Or Intranet"
- 9.04.07.05 "Powering Down Network-Connected Workstations At Night"
- 9.05.04.05 "Null Passwords Always Prohibited"
- 9.05.04.19 "User Notification Of Changed Password"
- 9.07.02.15 "Honeypots And Intrusion Detection Systems"
- 9.07.02.24 "Unusual Transaction Activity Detects Identity Theft"
- 9.07.03.25 "Real-Time Monitoring Of Spam To Detect Phishing"
- 9.08.01.03 "Single Vendor Of Personal Digital Assistants"
- 9.08.01.07 "Poison Pills For Portable Computers With Secret Information"
- 9.08.01.15 "Boot And Utilities CD-ROM For Mobile Computers"
- 9.08.01.16 "Storage Of Remote Access Information In Portable Computers"
- 9.08.01.17 "Remote Client Machines Automatically Disabled If Lost/Stolen"
- 9.08.01.18 "Downloaded Software On PDAs & Smart Phones"
- 9.08.01.19 "Storage Of Company X Information On PDAs & Smart Phones"
- 9.08.01.20 "Portable Computers, PDAs, And Smart Phones Out Of Sight"
- 10.01.01.03 "Renewal Of Information Technology Project Funding"
- 10.02.02.04 "Announcing System Unavailability To Users"
- 10.03.02.03 "Encryption Usage Aside From That In Browsers"
- 10.03.02.07 "Vendor's Willingness To Reveal Source Code"
- 10.03.02.12 "Encryption Keys Not Resident In Main Memory"
- 10.03.05.12 "Systems Design Encryption Key Length"
- 10.03.05.15 "Two Of Four People With Access To Master Keys"
- 10.03.05.16 "At Least Two People With Access To Master Keys"
- 10.04.01.03 "Peer-To-Peer File-Sharing Software Prohibited"
- 10.04.01.04 "Conditions For Use Of Open Source Software"
- 10.04.01.05 "Security Testing Process For Open Source Software"
- 10.04.01.06 "Availability Of Consulting For Open Source Software"
- 10.04.01.07 "Derivative Versions Of Open Source Software"
- 10.05.01.02 "Use Of Automated Software Testing Routines"
- 10.05.01.03 "Web Code Review Tools"
- 10.05.01.15 "Change Log On Every Server"
- 10.05.01.21 "Systems Administrators Install/Update Server Software"
- 10.05.02.03 "Digital Signature And Source Approval For Patches"
- 10.05.02.04 "Frequency Of Installing Non-Emergency Patches, Fixes, And Upgrades"
- 10.05.02.05 "Documenting Reasons Why Patches And Fixes Were Not Installed"
- 10.05.02.06 "Development Testing For Software Patches, Fixes, And Updates"
- 11.01.01.03 "Vendors Providing Mission Critical Hardware & Software"
- 11.01.01.04 "Plan For Every Critical Application And Infrastructure Component"
- 11.01.01.05 "Mission Critical Systems And Refurbished/Reconfigured Equipment"
- 11.01.03.03 "Crisis Management Plan"
- 11.01.04.03 "Work At Home Requirements For Staff Performing Critical Tasks"
- 12.01.02.15 "Redistribution Of Information Posted On-Line"
- 12.01.03.07 "Vital Paper Records Captured In Electronic Imaging Form"
- 12.01.04.05 "Written Privacy Consent Needed For Provision Of Services"
- 12.01.04.06 "Retroactive Consent For Private Information Usage"
- 12.01.04.13 "Full And Accurate Description Of Private Data Collection"
- 12.01.04.14 "Routine Disclosure Of Full Private Record"
- 12.01.04.16 "Notice Of Privacy Practices Provided Before Consent Received"
- 12.01.04.18 "Place No Software Or Information On User's Machine"
- 12.01.04.19 "No Undisclosed Tracking Or Identification Software"
- 12.01.04.21 "Parental Access To Information Collected From Children"
- 12.01.04.24 "Centralization Or Synchronization Of Customer Databases"
- 12.01.04.27 "De-Identification Of Private Information"
- 12.01.04.48 "Private Information Shared When Recipient Has Comparable Policy"
- 12.01.04.55 "Only Privacy Policy Text Is Binding"
- 12.01.04.80 "Social Security Numbers Shown On Statements"
- 12.01.04.85 "Opt-In For Sensitive Data And Opt-Out For Other Types"
- 12.01.04.89 "Revoking Previously-Granted Consent To Disclose Private Data"
- 12.01.04.92 "Deleting Voluntarily Provided Personal Information"
- 12.01.04.95 "Private Data Movement To Third Party Custodians"
- 12.01.04.108 "Minimum Contents Of Posted Privacy Policy"
- 12.01.04.110 "Privacy Policy And Internet Personal Data Gathering Points"
- 12.01.04.111 "Opt Out From New Privacy Policy Provisions"
- 12.01.05.05 "Prohibition Against All Forms Of Adult Content"
- 12.01.05.08 "After Hours Web Shopping And Auction Business"
- 12.01.05.20 "Financial Transaction Accounts Reconciled Monthly"
- 12.02.01.07 "Privacy Policy And Practices Annual Audit"
- 12.02.02.04 "Scanning Network Exposed Systems Components"

= = = = = = = = = = = ===

"This is the gold standard policy reference for any serious security practitioner to have in their arsenal of tools, a must have! The instructions and examples for establishing security policies and implementation processes add real value to this edition."
- John B. Kramer, CISSP, CISA, Information Security Manager, UPMCHS

- - - - - - - - - - -

"Wood has created a complete kit of proven best practices that any organization can use and customize to make policies meeting their exact needs."
- Jay Heiser, Columnist, "Information Security" magazine

- - - - - - - - - - -

"In 1993, I was asked to develop my first information security policy. I began by cutting and pasting a series of thoughts and calling that a policy. Usually these policies were rejected by management. To ensure that my organization had strong information security policies in place, I purchased a copy of Information Security Policies Made Easy. Quickly I learned that creating a policy was a process that included writing policies, editing policies, obtaining management approval, communicating policies, and implementing controls to meet the policy requirements.
The book provides the reader with the tools necessary to develop policies, including an easy to use CD (fully-linked and searchable)."
- Diana-Lynn Contesti, CISSP, SSCP, Information Security Officer, Dofasco Inc.

- - - - - - - - - - -

"Charles Cresson Wood, who heads Baseline, is an expert's expert, and knows more about computer security policies than anyone I know."
- Michael Alexander, Editor, Datamation

- - - - - - - - - - -

"It gave us everything we needed to help us write standards and communicate [policies] in a clear, concise manner with no ambiguity or technical jargon ... the book paid for itself in two weeks."
- Jonah Goldsmith, Data Security Consultant to Large Medical Insurance Company, LAN Times

- - - - - - - - - - -

"If I could have only six books in my professional library, this would be one of them."
- Dr. Harold Highland, Editor Emeritus of Computers & Security magazine

- - - - - - - - - - -

"The guidelines [ISPME] have saved three months of manual effort that would have been required to research and write policies."
- Douglas Feil, EDP Audit Manager, City & County of San Francisco, Network Management Systems & Strategies

- - - - - - - - - - -

"Here is an idea whose time has really come! [ISPME] is well done and comprehensive ... the cost is reasonable considering the years of research needed to compile such a complete work."
- Donald E. Greenwood, Editor, Don Greenwood's Information Protection Advisor

- - - - - - - - - - -

"Considering the cost of hiring an external consultant to come up with similar suggestions, the price tag is a real bargain."
- Jess Birtcher, EDP Auditor Journal

- - - - - - - - - - -

"I wish I had written this book - the product of both erudite knowledge and rich experience ... offers powerful recommendations ... any security manager who wants an education in automated information systems security needs this book ... Buy the book."
- Peter Pitorri, Consultant, Security Management

- - - - - - - - - - -

"An outstanding piece of work ... should become the standard for people doing this type of work."
- Officer Ed Dreslinski, Detroit Police Department

- - - - - - - - - - -

"This book is invaluable to those responsible for creating or maintaining an information security policy manual or similar documents."
- Belden Menkus, Editor, EDPACS

- - - - - - - - - - -

"An excellent book for companies which need a serious and comprehensive information security policy but which desire some suggestions on how to formulate the specifics of that policy."
- David L. Oppenheimer, Writer, ;login.

- - - - - - - - - - -

"Fortunately there are resources for LAN managers who lack either the time or the specialized training to sit down and develop a network security policy for their organization from scratch. The best single resource we know is 'Information Security Policy Made Easy.'"
- Marc M. Groz, Editor, Managing LAN Costs

= = = = = = = = = = = ===

Take a look at who uses ISPME:
- Ford Motor Company
- Reuters
- Amoco Corporation
- Harvard University
- RJR Tobacco
- American Telephone and Telegraph (AT&T)
- Hewlett Packard
- Rykoff-Sexton
- Swiss Bank Corp
- Simon & Schuster
- Hyundai Electronics
- Sumitomo Bank
- Automatic Data Processing (ADP)
- Sun Microsystems
- Blue Cross/Blue Shield
- International Moscow Bank
- ITT Aerospace
- Johnson & Johnson
- British Airways
- Burroughs Wellcome
- Exxon
- Joint Chiefs of Staff
- Pentagon
- Timex
- Center for Disease Control
- Lever Bros.
- US Department of Energy
- Volkswagen of America
- London Stock Exchange
- US Secret Service
- Chase Manhattan Bank
- Citibank
- MGM
- NASA Research Center
- Naval Surface Warfare Center
- Pfizer
- Weyerhaeuser
- DHL Express International
- Philip Morris
- World Bank
- Price Waterhouse
- Ernst & Young
- Procter & Gamble
- Prudential
... and many others.

= = = = = = = = = = = ===

ONE STOP POLICY SHOPPING:
- Web pages
- Firewalls
- Employee surveillance
- Electronic commerce
- Digital signatures
- Computer viruses
- Encryption
- Contingency planning
- Logging controls
- Internet
- Intranets
- Privacy issues
- Outsourcing security functions
- Computer emergency response teams
- Microcomputers
- Local area networks
- Password selection
- Electronic mail
- Data classification
- Telecommuting
- Telephone systems
- Portable computers
- User training

= = = = = = = = = = = ===

SAMPLE POLICY TITLES

"Here's a sample of the many Internet policies... the list below presents a few of the Internet policy titles. These policies can be especially useful when setting up a web site, an electronic commerce arrangement and other Internet connections. The policies can also be used to bolster the security of an existing Internet connection, guide an audit effort, and the like.

56. Internet Use for Personal Purposes Prohibited
57. Personal Use of Company X Internet Facilities Only on Personal Time
58. Permissible Uses of Company X Information
121. Required Process for Checking Software Down-Loaded from Internet
476. Permissible Internet Access Without Firewalls
480. Direct Network Connections With Outside Organizations (Tunnels)
481. Inter-Processor Commands From Outside Locations Prohibited
482. Isolate Systems Containing Secret Information from Network
487. Prior Approval Required for System Interconnection
489. Approval Required for Internet Connection Establishment
493. Formation of Binding Contracts via Electronic Systems
494. Trading Partner Agreement Required Prior to Use of EDI
496. Criteria for Accepting and Acting on Computerized Transactions
497. Multiple Communication Channels for Electronic Offers & Acceptances
500. Secret Data Sent Over Networks Must Be Encrypted
502. Secret Information Must Be Encrypted When Not In Active Use
130. Virus Eradication Requires Support of Systems Administrator
310. Responsibility for Assigning Data Classification System Labels
437. Required Actions Following Suspected System Intrusion
658. Company X Blocks Certain Non-Business Internet Web Sites
674. Disabling Java Within Internet Web Browsers
678. All Content Posted to Intranet is Owned by Company X
690. Webmaster Review of Intranet Web Pages Prior to Posting
169. Disabling Unnecessary Software Features at Installation Time
742. Return of Information By Contractors, Consultants, and Temporaries
627. Prohibition Against Use of Scanned Hand-Rendered Signatures
215. Removal of Unauthorized Copyrighted Information and Software
620. Message Content Restrictions for Company X Information Systems"

- - - - - - - - - - -

A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY:

"Every policy is indexed in multiple places by both name and number. The table of contents additionally provides a structured way to think about all the important considerations related to information security policies.

"Each policy comes with the actual words you can use in your own policy statement, in addition to commentary that describes a justification for the policy. The commentary provides alternative positions to take on the issue addressed by the policy as well as optional ways in which the policy could be implemented. Also included in the commentary are warnings about the circumstances that might cause trouble when the policy is implemented.
The commentary furthermore includes references to related policies, an indication of the intended audiences, and an indication of the types of organizations to which the policy applies."

"325. REMOVAL OF SENSITIVE INFORMATION FROM COMPANY X PREMISES

Policy: Sensitive Company X information may not be removed from Company X premises unless there has been prior approval from the information's owner. This policy includes portable computers with hard disks, floppy disks, hard-copy output, paper memos, and the like. An exception is made for authorized off-site back-ups.

Commentary: The intention of this policy is to prevent sensitive information from traveling around, and in the process being disclosed in unauthorized ways. The more information stays in one place, the easier it is to track and control. Note that this policy may restrict the activities of telecommuters and employees who wish to take work home with them. If such sensitive information routinely travels over computer networks, it may be difficult to identify its location at any particular point in time; in these cases, this policy will be difficult to implement and is most often inappropriate. On another note, this policy assumes the term "owner" has been previously defined. For more about owners, see the policy entitled "Information Ownership and Management's Responsibilities." Separately, this policy assumes that a data classification system has already been adopted. The word "sensitive" could be replaced by one or several data classification terms used by the organization in question. For a policy showing recommended definitions for terms like this, see the policy entitled "Four Category Data Classification Scheme." Also see the policies entitled "Log for Sensitive Information Removed From Company X Premises," "Provision of Lockable Metal Furniture to Staff Working at Home," and "Recovery of Computer-Related Property Belonging to Company X."

A: EMT; E: MH."

- - - - - - - - - - -

A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY: DATA DESTRUCTION

In conversations with vendors in the field of computer equipment disposal, we hear continuous stories of potentially valuable data left on personal computers, laptops, routers and switches. The data range from simple IP addresses to userids and personal customer data. Even for conscientious employees who try to destroy data, most companies are not aware of the recovery technology that is now available to retrieve files that were thought to be deleted. Simple file deletion is generally not sufficient. The files must be expunged or repeatedly overwritten by a separate systems utility to be truly irretrievable.

Do you have policies and procedures for proper data disposal? If you do, are the people responsible for disposing of your equipment familiar with the policies and procedures? If not, consider this sample policy:

Policy: Department managers are responsible for the disposal of surplus property no longer needed for business activities in accordance with procedures established by the Information Systems Security department, including the irreversible removal of information and software.

Commentary: This process can be complex, so separate procedures are often issued by the Information Security department. The way the policy is written, the procedures can be changed as the technology changes, without the need to change this policy. While the focus of this policy often is on equipment, the real concern is the information stored on the equipment. This policy also prevents inadvertent violation of the license terms for copyrighted software.
(Sample policy from Information Security Policies Made Easy, version 9.0 by Charles Cresson Wood.) - - - - - - - - - - - A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY: LIMITED DATA COLLECTION One of the largest regulatory trends concerns the privacy of personal information, including how it is collected, used, protected and destroyed. (Last month we looked at data destruction policies, and their importance for safeguarding information during equipment disposal.) Even if you don't fall under a traditional privacy-regulated industry such as Financial Services or healthcare, it is a good idea to establish some best-practices policies for handling customer information. For example, if you are collecting information from citizens of European Union member countries, you are subject to the provisions of the EU Data Protection Directive. If you collect information from children under the age of 13 (either on purpose or by accident) you are subject to COPPA. One of the first and most critical policies to implement would be limits on personal data collection. Basically, you are establishing rules that insure that you limit the collection of personal customer information to only the data necessary for providing the business function required. This requirement is clearly identified in many privacy- related regulations. It also limits the amount of information the organization must maintain for accuracy and protection. Does your organization have data collection policies and procedures? If so, are your customer service personnel aware of these polices? As an example, consider this sample policy: Policy: Company X must collect, process, store, and disseminate only that information that is necessary for the proper functioning of its business. Commentary: This policy preserves the privacy rights of employees, customers, and others who may have some contact with the organization. 
This policy simplifies the information systems by keeping the amount of information retained by Company X to a minimum. The scope of this policy is broader than just privacy matters. It pertains to all information. The policy does not provide detailed guidance about determining whether certain information is necessary. This is a deliberate omission because both the decision process and the information to which it pertains may change dramatically over time. (Sample policy from Information Security Policies Made Easy, version 9.0 by Charles Cresson Wood.) - - - - - - - - - - - A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY: PERSONAL INFORMATION COLLECTION NOTICE As illustrated by our discussion of the USA PATRIOT ACT, one of the largest regulatory trends concerns the privacy of personal information, including how it is collected, used, protected and destroyed. Last month we looked at a sample policy for limitations on the collection of personal information. This month we look at another best-practice for privacy policies: The Personal Information Collection Notice. For example, the USA PATRIOT ACT requires the establishment of Customer Identity Verification Procedures (CIP). These procedures require the collection of specific personal information to reasonably verify the identity of the person applying for a bank account or credit card. Within this procedure are specific requirements to notify the customer why this collection is taking place. Even if you don't fall under a traditional privacy-regulated industry such as Financial Services or healthcare, it is a good idea to establish some best-practices policies for handling customer information collection. As an example, consider the following sample policy: Information Collection Notice. [Organizations who are subject to the USA PATRIOT ACT should consider adopting this policy with specific wording as recommended by the Us Department of Treasury.] 
Policy: In every instance where personally- identifiable information is collected, an explicit and understandable notice must be provided at the time and place the information is collected. Commentary: This policy is intended to clarify when and where a notice about information collection should be provided. The policy places the greatest emphasis on collection of personally-identifiable information, such as an electronic mail address, and requires all web locations where such collection is being performed to be marked irrespective of user knowledge or participation in the collection process. If electronic mail addresses were collected automatically from user web browsers when users visited a web site, this fact would need to be disclosed. Of lesser concern is information that is not personally-identifiable. Because this latter type of information is not associated with any particular person, the potential for abuse is considerably less, and this fact is reflected in the lack of need for a notice. Some organizations may wish to mention an exception where private information may be collected secretly, such as investigation of a suspected crime or an allegedly abusive activity. (Sample policy from Information Security Policies Made Easy, version 9.0 by Charles Cresson Wood.) - - - - - - - - - - - A Sample Policy From INFORMATION SECURITY POLICIES MADE EASY: INFORMATION SECURITY TRAINING There is no better way to demonstrate to employees and auditors that you are serious about security awareness training then to formally include security awareness in your corporate security policies. This is provided, of course, that you follow through and do the training! Your corporate policies should be considered a contract of expectations between your organization and its employees. By including a formal statement of management's intent to train all users, you are committing to provide the funding, time and resources required to complete your training. 
Another important consideration is the organization's responsibility for security awareness training. Does the organization have an official training department that will perform this role, or will the information security department be responsible? Equally important to defining the policy is documenting the roles and responsibilities for enforcing and complying with the policy and its supporting standards and procedures. As an example, consider the following high-level sample policy: Information Security Training.

Policy: All workers must be provided with sufficient training and supporting reference material to permit them to properly protect Company X information resources.

Commentary: This policy requires that sufficient information security training and documentation be delivered to those workers who handle Company X information. The specific material to be delivered to workers will vary based on the nature of the jobs that these workers perform. For example, telephone order-takers should generally receive different training than computer programmers. In many organizations, nearly every worker accesses Company X information in order to do their job. Nonetheless, many workers need only rudimentary training. The policy communicates from top management to lower-level management the requirements for training and documentation, which could be online rather than in hardcopy form. This policy relies on local management to decide what constitutes sufficient information security training. Some organizations may prefer to say that the Information Security department determines what constitutes sufficient training.

(Sample policy and commentary from Information Security Policies Made Easy, version 9.0 by Charles Cresson Wood, Copyright 2005, Information Shield.)
- - - - - - - - - - -

TABLE OF CONTENTS

Chapter 1: Introduction
Chapter 2: Instructions
  Instruction
  Information Security Policies
  Importance Of Policies
  Considerations In The Policy Development Process
  Policy Development Time Line
  Policy Document Length
  Policy Usage
  Policy Objectives And Scope
  Disclaimers
Chapter 3: Specific Policies
  Security Policy
    Information Security Policies
  Organizational Security
    Information Security Infrastructure
    Security Of Third-Party Access
    Outsourcing
  Asset Classification And Control
    Accountability For Assets
    Information Classification
  Personnel Security
    Security In Job Definition And Resourcing
    User Training
    Responding To Security Incidents And Malfunctions
  Physical And Environmental Security
    Secure Areas
    Equipment Security
    General Controls
  Communications And Operations Management
    Operational Procedures And Responsibilities
    System Planning And Acceptance
    Protection Against Malicious Software
    Housekeeping
    Media Handling and Security
    Exchanges Of Information And Software
  Access Control
    Business Requirement For Access Control
    User Access Management
    User Responsibilities
    Network Access Control
    Operating System Access Control
    Application Access Control
    Monitoring System Access And Use
    Mobile Computing
  Systems Development And Maintenance
    Security Requirements Of Systems
    Security In Application Systems
    Cryptographic Controls
    Security Of System Files
    Security In Development And Support Processes
  Business Continuity Management
    Aspects Of Business Continuity Management
  Compliance
    Compliance With Legal Requirements
    Reviews Of Security Policy And Technical Compliance
    System Audit Considerations
Chapter 4: Sample High-Level Information Security Policy
Chapter 5: Sample Detailed Information Security Policy
Chapter 6: Sample Telecommuting and Mobile Computer Security Policy
  Management Issues
  Access Control
  Backup And Media Storage
  Communications Links
  System Management
  Travel Considerations
  Physical Security
Chapter 7: Sample External Communications Security Policy
Chapter 8: Sample Personal Computer Security Policy
Chapter 9: Sample Electronic Mail Policy
Chapter 10: Sample Computer Network Security Policy
  Purpose
  Scope
  General Policy
  Responsibilities
  System Access Control
  End-User Passwords
  Password System Set-Up
  Logon and Logoff Process
  System Privileges
  Establishment Of Access Paths
  Computer Viruses, Worms, And Trojan Horses
  Data And Program Backup
  Encryption
  Portable Computers
  Remote Printing
  Privacy
  Logs And Other Systems Security Tools
  Handling Network Security Information
  Physical Security Of Computer And Communications Gear
  Exceptions
  Violations
  Glossary
Chapter 11: Sample Internet Security Policy For Users
  Introduction
  Information Integrity
  Information Confidentiality
  Public Representations
  Intellectual Property Rights
  Access Control
  Personal Use
  Privacy Expectations
  Reporting Security Problems
Chapter 12: Sample Intranet Security Policy
Chapter 13: Sample Privacy Policy - Stringent
  Overview And Applicability
  Definitions
  Specific Requirements
  Information To Be Given To The Individual
  Individual's Right Of Access To Data
  Individual's Right To Object
  Disclosure Of Personal Data To Third Parties
  Processing Confidentiality And Security
  Monitoring Of Internal Activities
Chapter 14: Sample Privacy Policy - Lenient
  Company Intentions and Management Responsibilities
  Disclosure Of Private Information
  Appropriate Handling of Private Information
  Private Information on Computer and Communication System Activity Monitoring
  Handling Personnel Information
  Private Information from Job Seekers
  Private Information About Customers
Chapter 15: Sample Web Privacy Policy
Chapter 16: Sample Data Classification Policy
Chapter 17: Sample Data Classification Quick Reference Table
Chapter 18: Sample External Party Information Disclosure Policy
Chapter 19: Sample Information Ownership Policy
Chapter 20: Sample Firewall Policy
Appendix A: List Of Information Security Policy References
Appendix B: List Of Information Security Periodicals
Appendix C: List Of Professional Associations And Related Organizations
Appendix D: List Of Suggested Awareness-Raising Methods
  In Person
  In Writing
  On Systems
  On Other Things
Appendix E: External Network Interface Security Policy Harmonization
  Access Control Considerations
  Encryption And Public Key Infrastructure Considerations
  Change Control And Contingency Planning Considerations
  Network Management Considerations
Appendix F: Checklist Of Steps In Policy Development Process
Appendix G: Overview Of Policy Development Process Tasks
Appendix H: Real World Problem Cases Caused By Missing Policies
  Government Agency
  Law Firms
  Oil Company
  Local Newspaper
  Midwest Manufacturing Company
  West Coast Manufacturing Company
  Major Online Service Company
Appendix I: Suggested Next Steps
Appendix J: Agreement To Comply With Information Security Policies
Appendix K: Identity Token Responsibility Statement
Appendix L: Management Risk Acceptance Memo
Appendix M: Two-Page Simple Non-Disclosure Agreement
Appendix N: Index Of New Policies
Appendix O: Regulatory Requirements for Information Security Policies
About the Author
Index

- - - - - - - - - - -

ABOUT THE AUTHOR

CHARLES CRESSON WOOD, CISA, CISSP is an author and independent information security consultant based in Sausalito, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a large number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.
He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

He has published over 225 technical articles and five books in the information security field. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe. Mr. Wood is Senior North American Editor for the journals "Computers & Security" and "Computer Fraud & Security Bulletin", as well as a monthly columnist for "Computer Security Alert".

He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has passed the Certified Public Accountant (CPA) examination and is both a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."

- - - - - - - - - - -

ALSO AVAILABLE: INFORMATION SECURITY ROLES & RESPONSIBILITIES MADE EASY
See Order #DR571.

- - - - - - - - - - -

Save $95! Purchase INFORMATION SECURITY POLICIES MADE EASY together with INFORMATION SECURITY ROLES & RESPONSIBILITIES MADE EASY
See Order #DR755

- - - - - - - - - - -

ALSO AVAILABLE: Information Security Policies Made Easy, Version 9, SPANISH EDITION
Hardcover - 730 pages. Includes CD-ROM and organization-wide license to republish the materials internally.
Order DR-303-SP, $595.00 (Special Order)

- - - - - - - - - - -

(Version 10) 2005, 780 pages + CD-ROM and organization-wide license to republish the materials internally.
Order #DR-303-PC or DR-303-MAC
SPECIAL ORDER ITEM. *** specify PC or MAC format ***
- PC format will be shipped unless otherwise specified.
- MAC format is not returnable.

- - - - - - - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
Looking for Practical Knowledge?
© Binomial International 2008