Lwhite
Newcomer III

Information Security Policy Set

Can anyone in this community direct me to a set of Information Security Policy templates?

8 Replies
RobertM
Newcomer II

You can google for them. This is a good starting point: https://www.sans.org/security-resources/policies


ericgeater
Community Champion

I agree with the SANS suggestion.  Other reading suggests that every policy should be a home brew that starts from policy, which begins with your org's business and security goals -- and wholly discourages template use.


I am beginning a policy process at our org, too.  I've downloaded some SANS docs, and will be carving them up for templates that can be reviewed by the security steering committee (that I hope to form!)... but I'll still require buy-in from everyone along the way when we reach topics that aren't covered by templates.


It'll be interesting to hear how things go.  Keep us informed.

-----------
A claim is as good as its veracity.
AppDefects
Community Champion

A good practice is to first start with a standard like ISO/IEC 27001 to define the organizational Information Management System (ISMS) - you can do this informally in preparation for certification down the road if you so choose. I'm not going to go into all the details here of what the standard calls out for supporting processes, but I do want to mention that you'll need to identify your organizational context and the associated risks to your organization. Defining a risk treatment strategy is important. Once you know the risks you need to control then you can start layering in the technical controls. I use NIST SP 800-53, rev 4, but there are others like COBIT, and the Cloud Controls Matrix from the Cloud Security Alliance. Plus many other NIST and ISO standards.

ericgeater
Community Champion

"organizational context and the associated risks to your organization"


I'm curious.  When you say "organizational context", do you mean top-down policy and GRC, all steered by corporate values?  And on the latter half of this quote ("associated risks"), I'm hearing that the risk assessments steer application of the controls, right?

-----------
A claim is as good as its veracity.
RobertM
Newcomer II

I think @AppDefects means the business your organization is working in. You have different risks when you're a bicycle repair shop than if you're in a financial business. The context will give you ideas about the risks you'll want to address...

ericgeater
Community Champion

*slaps own forehead*.  I see that now.  Thanks for the orientation!!
-----------
A claim is as good as its veracity.
vt100
Community Champion

I'll second the SANS recommendation for familiarization and to use as references.

If you are literally looking for the templates and can use some help with working through the process of turning them into written policies, I can recommend the Advisera (https://advisera.com/) platform for working on ISO and NIST compliance projects.

They have quite a few free videos and courses to walk you through the process even if you are not going to use their product.

CJM
Newcomer I

Great starting point thanks and good for comparison!