This month, the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) shone a national spotlight on the need for security policies by issuing a report called Cybersecurity Today and Tomorrow: Pay Now or Pay Later.
But in Internet news groups and chat rooms, many systems administrators say they are stumped by the policy preparation task. One administrator asks, "I'm preparing to write a security policy (from scratch) and I'm trying to gather as much information as possible. Where should I begin?"
Even if your company already has security policies in place, these policies need to stay up-to-date. In a report issued in 1991, the CSTB pointed to viruses as a then-emerging security threat that ought to be rolled into organizational policies.
In 2002, many experts are recommending the integration of physical security into policy statements. Organizations are pulling together information system (IS) security policies featuring rules for items physical access rights, smart-card readers, and CCTV digital cameras, for example.
In the health care arena, organizations are now updating their policies to comply with the 68 different security conditions mandated by the Health Insurance Portability and Accountability Act (HIPAA).
Ideally, you won't be called upon to set up security policies until your company has done a risk assessment. Typically involving top-ranking company personnel, the risk assessment process weighs various security threats, assigns a level of concern to each, and articulates policies about which threats are serious enough to be worth resisting.
If you are assigned to write the security policies for your company, where should you start? One popular book on the subject is Information Security Policies Made Easy, by Charles Cresson Wood.
There also are free resources on the Web that include backgrounders and white papers as well as sample security policies and modifiable software templates.To begin with, there's coverage of security issues on EarthWeb's Datamation and CrossNodes.