Policies

Download Free Policy & Procedure Manager 4.5 for Regulatory Compliance Standards

root — Fri, 11 Jul 2008 05:32:45 -0500

The web-based Policy & Procedure Manager provides your staff with instant access to your organization's policies and procedures. It notifies those who are required to read specific documents and tracks who has read them. You can use the software to create, review, approve, and archive all of your documents, not just policies and procedures. Email reminders and reports ensure that everything stays up to date. You can also organize documents according to any regulatory compliance standards - such as Sarbanes Oxley, ISO 9000, JCAHO, HIPAA, state guidelines.

Size: 29.57MB
License: Free to try
Requirements: Windows 95/98/Me/NT/2000/XP
Limitations: 30-day trial
Date Added: February 19, 2008

Download Page

Four Types of Security Policies

root — Thu, 10 Jul 2008 02:42:24 -0500

Military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
Commercial security policy is a security policy developed primarily to provide integrity.
Confidentiality policy is a security policy dealing only with confidentiality.
Integrity policy is a security policy dealing only with integrity.

A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.

The name comes from the military's need to keep information, such as the date that a troop ship will sail, secret. Although integrity and availability are important, organizations using this class of policies can overcome the loss of eitherfor example, by using orders not sent through a computer network. But the compromise of confidentiality would be catastrophic, because an opponent would be able to plan countermeasures (and the organization may not know of the compromise).

Confidentiality is one of the factors of privacy, an issue recognized in the laws of many government entities (such as the Privacy Act of the United States and similar legislation in Sweden). Aside from constraining what information a government entity can legally obtain from individuals, such acts place constraints on the disclosure and use of that information. Unauthorized disclosure can result in penalties that include jail or fines; also, such disclosure undermines the authority and respect that individuals have for the government and inhibits them from disclosing that type of information to the agencies so compromised.

The truth about IT security policy

root — Thu, 26 Jun 2008 02:58:48 -0500

"…IT security policy for IT auditor day to day perspective.."

I've been working for the IT security policy and procedures making for the last four years. And my main responsibility for that period is doing consulting services for the company who need to comply with some kind of security standard such as Sarbanes Oxley, ISO 27001 or event just some guidelines from our government.

Security policy and procedures are my main deliverables. So if you see my client you will see that in their office, there are a lot of policy and procedures that created by many prestigious company, my company is also contributed there. They took international standard such as COBIT or ITIL to ensure that the company confidential data is keep secure

Well writen policy using 5Ws of Journalism

root — Thu, 22 May 2008 14:15:00 -0500

The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the luxury to sit down with each reader and explain what each item means and how it impacts the user's daily assignments. Know the audience for whom the policies are being developed. Remember the reading and comprehension level of the average employee. When writing the policy, remember the "5 Ws of Journalism 101":

What: what is to be protected (the topic)
Who: who is responsible (responsibilities)
Where: where within the organization does the policy reach (scope)
How: how compliance will be monitored (compliance)
When: when does the policy take effect
Why: why the policy was developed

What is the first priority in IT audit?

root — Mon, 19 May 2008 16:33:45 -0500

If you’re the first person responsible for performing information system audit in your company, then what is your first priority? Repairing the IT process in your company? Prepare risk control matrices or just recruit another experience IS auditor for brainstorming with you?

In my experience, all start from planning first. Yes IT planning plays the significant role at this stage. Remember that auditing mean a lot of interaction with a lot of departments and function across the company. So coordination is the first issue to be noted.

Have you ever be in this situation?

Effective information security programs are well-written policy statements

root — Thu, 17 Apr 2008 19:59:53 -0500

The cornerstones of effective information security programs are well-written policy statements. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents. As with any assessment process, it is important to ensure that policies establish the direction management wants to go with regard to security

When reviewing policies, Thomas R. Peltier in his book about Managing a Network Vulnerability Assessment said that it will be necessary to remember that there are three general types of policies:

General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the organization. It also assigns responsibilities for implementation and compliance with the policy. Typical information security general or global policies include:

How to design audit log policy

root — Sun, 09 Mar 2008 01:07:42 -0600

Enabling audit log is an issue -as we discussed before. But leave it to management how to decide this feature, because whatever the decision we still need to making audit log policy to ensure the activities become effective.

Here is some topics that should be put clear in audit log policy

1. Event logging

What kind of activity that should be logged. All administrator activities or only sensitive activity for several users. Other approach such as based on hour log -the audit log will be enabled only in working hours. Auditor should clearly state which event that should be logged.

2. Log recording and archiving

Archiving log to write once disk, archiving to tape storage or just put in hard disk is also a must stated in log policy. How long any security breaches will be archived.

How to design social networking website policy

root — Sun, 02 Mar 2008 22:22:44 -0600

The latest update of Linkedin.com one of the most popular social networking site for professional, is proven evidence that the social network is become very important in our life. The function is shift, not only as communication media but its also become place to find new career, develop larger network to corporate research.

However the massive usage of social network website also becomes another challenge for industry to create good enterprise policy for this matter. Any other idea, how to develop social networking website policy?

Do you agree with this corporate blogging policy?

root — Sun, 02 Mar 2008 21:48:28 -0600

This policy provides guidance to ensure that company use of blogging and online dialogue appropriately considers the responsible engagement in this new, rapidly growing space of relationship, learning and collaboration.

1. Knowing and following Company Code of Conduct
2. Blogs are not corporate communications but are individual interactions. Identify yourself but ensure to protect your privacy,
3. Use a disclaimer when posting a blog that has something to do with work or subjects associated with Company.
4. Respect copyright, fair use and financial disclosure laws.
5. Don't provide confidential or other proprietary information.
6. Don't cite or reference clients, partners or suppliers without their approval.
7. Respect your audience and show proper consideration for others' privacy on topics that can be inflammatory such as politics and religion.
8. Find out who else is blogging on the topic and cite them.