Implement Security Policies

'Zero Budget' Security Projects
By Mikhael Felker
September 21, 2011 9:00 PM

Table Of Contents
1. Taking Charge of IT Security
2. Implement Security Policies
3. Decommission Aging Equipment
4. Your Information Security Posture

Implementing a security policy is cheap (actually free) and every organization needs one.

The first element in any information security process is creating policies. Security policies are the overriding documents—sounds boring, but true—that dictate the rules your organization follows with regard to securing information. These policies can range in length from one page to hundreds.

The good news: There are lots of free templates for security policies. And it's always better to have something than nothing, especially when users come up to you and ask: “Where is the policy that says I can’t use LimeWire on my personal laptop connected to the Corporate LAN?”

The first step in obtaining security policies: research. The size and industry of your organization will also dictate the nature of the policies. Here are some good leads:

Examples of policies are available from the SANS Institute of security professionals.

Most government and educational institutions publicly post their policies; you can do a search and limit your scope within Google to those organizations. Here are a couple of example Google searches:

  mobile device security policy site:gov
  guest internet access policy site:edu

Having a policy template is a good start. The next challenge is tailoring, adopting and implementing your policies in your particular organization. One way to approach this is to find someone who really knows what they're doing (e.g. runs a tight shop) and ask them to lunch. The local Information Systems Security Association (ISSA) chapter is also a good place to start.
It is also preferable to have a consultant review your first attempt at security policies. But if you can't find one who will donate a couple of hours to your cause, even just having a second set of eyes go over them can really make a big difference for your first endeavor.