The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already, including policy templates for the security requirements listed below.

SANS Security Policy Project, by the SANS community.
There is no cost for using these resources.
Is it a Policy, a Standard or a Guideline?

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.

A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended.

Effective security policies make frequent references to standards and guidelines that exist within an organization.
Need a Primer on Security Policies?
Are you new to developing security policies? Do you need a refresher course, or something to help you convince management of the need for policies? If so, check out the 30-page policy primer from Michele Guel's full-day course "Proven Practices for Managing the Security Function." This course is one day of SANS' most popular new certification program, the foundation program for Certified Information Security Officers.
Policy Primer (PDF)
Need an Example Policy or Template?

SANS has received permission to provide sanitized security policies from a large organization. These policies were developed by a group of experienced security professionals with more than 80 years of combined experience in government and commercial organizations, and each policy went through a rigorous approval process. They should form a good starting point if you need one of these policies.

Some tips about these policies: anything in <angle brackets> should be replaced with the appropriate name from your organization. The term "InfoSec" is used throughout these documents to refer to the team of people responsible for network and information security; replace it with the appropriate group name from your organization. Any policy name that is in italics is a reference to a policy that is also available on this site.
Acceptable Encryption Policy
Defines requirements for encryption algorithms used within the organization.

Acceptable Use Policy
Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.

Analog/ISDN Line Policy
Defines standards for use of analog/ISDN lines for fax sending and receiving, and for connection to computers.

Anti-Virus Process
Defines guidelines for effectively reducing the threat of computer viruses on the organization's network.

Application Service Provider Policy
Defines the minimum security criteria that an ASP must meet in order to be considered for use on a project by the organization.

Application Service Provider Standards
Outlines the minimum security standards for the ASP. This standard is referenced by the ASP Policy above.

Acquisition Assessment Policy
Defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the information security group.

Audit Vulnerability Scanning Policy
Defines the requirements and provides the authority for the information security team to conduct audits and risk assessments to ensure the integrity of information/resources, to investigate incidents, to ensure conformance to security policies, or to monitor user/system activity where appropriate.

Automatically Forwarded Email Policy
Documents the requirement that no email will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.

Database Credentials Coding Policy
Defines requirements for securely storing and retrieving database usernames and passwords.

Dial-in Access Policy
Defines appropriate dial-in access and its use by authorized personnel.

DMZ Lab Security Policy
Defines standards for all networks and equipment deployed in labs located in the "Demilitarized Zone" or external network segments.

E-mail Policy
Defines standards to prevent tarnishing the public image of the organization.

E-mail Retention
Helps employees determine what information sent or received by email should be retained, and for how long.

Ethics Policy
Defines the means to establish a culture of openness, trust and integrity in business practices.

Extranet Policy
Defines the requirement that third-party organizations requiring access to the organization's networks must sign a third-party connection agreement.

Information Sensitivity Policy
Defines the requirements for classifying and securing the organization's information in a manner appropriate to its sensitivity level.

Internal Lab Security Policy
Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.

Internet DMZ Equipment Policy
Defines the standards to be met by all equipment owned and/or operated by the organization that is located outside the organization's Internet firewalls (the demilitarized zone or DMZ).

Lab Anti-Virus Policy
Defines requirements which must be met by all computers connected to the organization's lab networks to ensure effective virus detection and prevention.

Password Protection Policy
Defines standards for creating, protecting, and changing strong passwords.

Personal Communication Device
Describes Information Security's requirements for personal communication devices and voicemail.

Remote Access Policy
Defines standards for connecting to the organization's network from any host or network external to the organization.

Remote Access - Mobile Computing and Storage Devices
Establishes an authorized method for controlling mobile computing and storage devices that contain or access information resources.

Risk Assessment Policy
Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.

Router Security Policy
Defines standards for the minimal security configuration of routers and switches inside a production network, or used in a production capacity.

Server Security Policy
Defines standards for the minimal security configuration of servers inside the organization's production network, or used in a production capacity.

Server Malware Protection Policy
Outlines which server systems are required to have anti-virus and/or anti-spyware applications.

The Third Party Network Connection Agreement
Defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization's network to the production network. This agreement must be signed by both parties.

VPN Security Policy
Defines the requirements for remote-access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.

Wireless Communication Policy
Defines standards for wireless systems used to connect to the organization's networks.