GIAC Basic Security Policy
Version: February 27, 2001

I keep six honest serving men
They taught me all I knew
Their names are What and Why and When
And How and Where and Who.
--Rudyard Kipling

CONTRIBUTING AUTHORS

Doug Austin            Dyncorp Information Systems LLC
Alexander Bryce        Alexander Ltd.
Rob Dinehart           IBJ Whitehall Financial Group
Stephen Joyce          bitLab LLC
Carol Kramer           SANS Institute
Randy Marchany         Virginia Tech Computing Center
Stephen Northcutt      Global Incident Analysis Center
John Ritter            Intecs International Inc.
Matt Scarborough       IC
Arrigo Triulzi         Albourne Partners Ltd.

EDITED BY
Carol Kramer
Stephen Northcutt
Fred Kerby

If you have corrections or additions, or would like to be involved in enhancing this project, please send email to giactc@

A note from the director of GIAC Training and Certification

I have never ceased to be amazed by the fact that you can't take a class in information security without being told to do this or the other thing in accordance with "your security policy". But nobody ever explains what policy is, or how to write or evaluate it. This is why we have begun this research and educational project into security policy. We hope you find this booklet useful, and even more, that you will get involved and help. Consensus is a powerful tool, and we need the ideas and criticisms of the information security community to make this the roadmap for usable, effective policy.

Thank you,
Stephen Northcutt

CONTENTS

1. PREFACE
2. USING SECURITY POLICY TO MANAGE RISK
3. DEFINING SECURITY POLICY
4. IDENTIFYING SECURITY POLICY
5. SECURITY POLICY WORKSHEET
6. EVALUATING SECURITY POLICY
7. ISSUE-SPECIFIC SECURITY POLICY
   Anti-Virus
   Password Assessment
   Backups
   Incident Handling
   Proprietary Information
8. WRITING A PERSONAL SECURITY POLICY
9. EXERCISES
APPENDIX A - Policy Templates
APPENDIX B - Sample Non-Disclosure Agreement

1. PREFACE

Security policy protects both people and information. Safeguarding information is challenging.