Newcomer II

Information Security Policy Set

Can anyone in this community direct me to a set of Information Security Policy templates?

7 Replies
Newcomer II

Re: Information Security Policy Set

You can google for them. This is a good starting point: https://www.sans.org/security-resources/policies


Newcomer III

Re: Information Security Policy Set

I agree with the SANS suggestion.  Other reading suggests that every policy should be a home brew that starts from policy, which begins with your org's business and security goals -- and wholly discourages template use.


I am beginning a policy process at our org, too.  I've downloaded some SANS docs, and will be carving them up for templates that can be reviewed by the security steering committee (that I hope to form!)... but I'll still require buy-in from everyone along the way when we reach topics that aren't covered by templates.


It'll be interesting to hear how things go.  Keep us informed.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Contributor III

Re: Information Security Policy Set

A good practice is to first start with a standard like ISO/IEC 27001 to define the organizational Information Management System (ISMS) - you can do this informally in preparation for certification down the road if you so choose. I'm not going to go into all the details here of what the standard calls out for supporting processes, but I do want to mention that you'll need to identify your organizational context and the associated risks to your organization. Defining a risk treatment strategy is important. Once you know the risks you need to control then you can start layering in the technical controls. I use NIST SP 800-53, rev 4, but there are others like COBIT, and the Cloud Controls Matrix from the Cloud Security Alliance. Plus many other NIST and ISO standards.

Newcomer III

Re: Information Security Policy Set

"organizational context and the associated risks to your organization"


I'm curious.  When you say "organizational context", do you mean top-down policy and GRC, all steered by corporate values?  And on the latter half of this quote ("associated risks"), I'm hearing that the risk assessments steer application of the controls, right?

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Newcomer II

Re: Information Security Policy Set

I think @AppDefects means the business your organization is working in. You have different risks when you're a bicycle repair shop than if you're in a financial business. The context will give you ideas about the risks you'll want to address...

Newcomer III

Re: Information Security Policy Set

*slaps own forehead*.  I see that now.  Thanks for the orientation!!


---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Information Security Policy Set

I'll second the SANS recommendation for familiarization and to use as references.

If you are literally looking for the templates and can use some help with working through the process of turning them into written policies, I can recommend the Advisera (https://advisera.com/) platform for working on ISO and NIST compliance projects.

They have quite a few free videos and courses to walk you through the process even if you are not going to use their product.