Thread: Policies

  1. #1
    Join Date
    Nov 2003


    Hey everyone,
    I was wondering if there are some good examples or templates for creating security policies, such as:
    Download Policy and Restrictions, Employee Acknowledgement, Information Sensitivity Policy, Password Policy, Remote Access Policy and so forth.

    I'm finding some good stuff on Google but thought I would ask if there are some good resources.


  2. #2
    Senior Member
    Join Date
    May 2003
    The policies you put in place rest 100 percent on the sensitivity of the data you hold. The key to a good policy is to have it locked down enough to protect you but to still allow everyone to do their jobs with as little trouble as possible. This is hard.

    General rules I like to use as a guide are:

    Passwords: at least 8 characters including at least 3 of the 4 characteristics
    - Capital letters
    - Lower case letters
    - Numbers
    - Special symbols (i.e. @, #, !, %)

    Passwords changed every 3 months (more often for more sensitive data). Company passwords are given on a need-to-know basis, not for convenience.

    Remote access: if they don't need it, they don't get it. Most workplaces have a strong policy that work stays at work for probably 90 percent of their employees. This protects data as well as leaves less available flaws in the system.

    Download restrictions: if you have a tech department, EVERYTHING must be approved by them; if you have the resources, make them install the programs too. NO music downloads, NO P2P programs, NO chat programs (except for work-related activity, like MS Live Communication Server provides, and formerly Exchange Messenger).

    A good confidentiality notice should be signed by every single employee. Customer data must be protected above everything else. Without the customers' confidence you will go out of business. In the IT world news of break-ins spreads like brush fires; customers will find out, and they will be mad.

    Acknowledge good security practices and punish those who fail to follow the rules. Set up proxies to keep out non-work-related websites. (Be careful with this: your employees will be working hard, give them a little leeway. Most of my clients allow news sites, email, and try to just block out things like porn and other potentially dangerous sites.) DO NOT let things slide when they are blatant breaches in policy.

    Make the policy well known and make them sign off on it. Update the policy as needed and make them sign for every revision. Let them know they are responsible for following the policy and, if caught in violation, there will be punishments handed out.

    Keep your employees happy as best as possible. Happy employees who feel they are appreciated are far less likely to try and hurt the company. Hold company get-togethers on occasion, buy them lunch (if possible). I swear buying employees lunch is probably one of the easiest ways to keep them just a little happier. I know that when we have our company BBQs it keeps morale up, and in past places I have worked sales rose noticeably for the day and week following. Simple things go a long way. Acknowledge good work, punish poor work. Be fair.


    except the writer
    Everyone is going to die, I am just as good of a reason as any.


  3. #3
    Join Date
    Nov 2003
    Hey XTC46,
    Thank you so much for the input, it's going to be very very helpful. I was wondering if you or anyone has templates of such policies. I know it's relative to each company or organization but it would really help to have templates or examples.

    There are some good ones on Google, for example search: password policy filetype:pdf

    Input would be appreciated

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Washington D.C. area
    Have a look here:


    SANS has templates on the above site for everything you can think of.

    Again, policy will be specific to your organization. The examples on the site are not meant to be a "hit the ground running" kind of thing.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Hi there
    Having gone through some policy development exercises myself recently, here are some points that might be useful (fairly obvious ones, but important to remember nonetheless):
    - When developing any policy that is likely to have punitive ramifications to employees who break it, ensure you get your legal people to go over it in great detail. The real test of that part of the policy is in the practice, and you will find if there is a loophole the offender will find it!
    - Finding policy templates on the web is a great way to start, but things you need to bear in mind:
    * Are the guidelines in the policy appropriate for my country (particularly relevant for me seeing as most of this stuff is usually US in origin)
    * Is the policy the appropriate level of strictness for your system. In other words, look at what you are protecting and set policy accordingly
    - With password policy you need to strike a balance between complexity and usability. If they are too complex you will have users writing them on sticky notes (often the subject of another policy altogether); not complex enough and they are too easily cracked. Which leads to another point: ensure that the complexity and the time between password changes make it unfeasible to use any password cracking against your system. In other words, ensure that the passwords are complex enough to ensure that anyone using a password cracking program doesn't have enough time to crack the password before it is changed. This element may need to be reviewed regularly with the speed of these programs increasing.

    In terms of places to find passwords, I would agree with a previous post, SANS is probably your best resource.

    Hope this helps
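
The relationship between post #2's password rule and the cracking-time point made in post #5, as an added example that is not part of the original thread: it checks a password against the "8 characters, 3 of 4 classes" rule and compares a full search of the keyspace with the change interval. The 90-day reading of "every 3 months" and the guess rates are assumptions for illustration, not measurements.

```python
import string

# Character classes from post #2's rule (capitals, lower case, numbers, symbols).
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}

def classes_used(password):
    """Names of the character classes that appear in the password."""
    return sorted(n for n, chars in CLASSES.items()
                  if any(c in chars for c in password))

def meets_rule(password, min_len=8, min_classes=3):
    """Post #2's rule: at least 8 characters, at least 3 of the 4 classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes

def keyspace(length, class_names):
    """Number of candidate passwords of exactly `length` over the chosen classes."""
    return sum(len(CLASSES[n]) for n in class_names) ** length

def days_to_exhaust(length, class_names, guesses_per_sec):
    """Days to try every candidate. This is an upper bound for the defender:
    human-chosen passwords usually fall far sooner than a full search."""
    return keyspace(length, class_names) / guesses_per_sec / 86400

def outlasts_rotation(length, class_names, guesses_per_sec, rotation_days=90):
    """True if a full search takes longer than the password change interval."""
    return days_to_exhaust(length, class_names, guesses_per_sec) > rotation_days

def min_length_for_rotation(class_names, guesses_per_sec, rotation_days=90):
    """Shortest length whose full search takes longer than the change interval."""
    length = 1
    while not outlasts_rotation(length, class_names, guesses_per_sec, rotation_days):
        length += 1
    return length

if __name__ == "__main__":
    three = ["upper", "lower", "digit"]   # smallest 3-class alphabet (62 characters)
    for rate in (1e6, 1e9):               # assumed guess rates, not measurements
        print(f"{rate:.0e}/s: 8 chars last {days_to_exhaust(8, three, rate):,.1f} days, "
              f"need length {min_length_for_rotation(three, rate)} for 90-day rotation")
```

Under these assumptions the 8-character minimum outlasts a 90-day change interval at the lower rate but not at the higher one, which is why the minimum length has to be revisited as guess rates rise.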

  6. #6
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Remember to have your policies signed off by the senior management.

    Also remember not to go too in depth with a policy. A policy is a high level document and should not be highly detailed.

    i.e. employees will not download any programs or files which may pose a risk to the organisation's network.

    Rather than a detailed outline of every filetype they are not allowed to touch. They're all covered by the general statement above.
    For more detail you'd then write a standards document and for high detail you'd write a procedure.

    Here is our infosec policy as an example:

    The objective of information security is to ensure business continuity and minimise business damage by preventing and minimising the impact of security incidents.

    The purpose of this policy is to ensure the confidentiality, integrity and availability of all the ********* information assets and to ensure that they are appropriately protected from all threats, whether internal or external, deliberate or accidental.

    It is the ********* policy that

    • All employees and ********* are aware of this policy and the associated legal requirements, and their rights and responsibilities in relation to information security.
    • All ********* information assets, including equipment and data, are adequately protected.
    • All employees and ********* have access to appropriate information security training.
    • A high level of awareness of the need for information security is maintained.
    • Monitoring arrangements exist to ensure compliance with policy objectives and supporting standards.
    • All security incidents, actual or suspected, will be reported and investigated.
    • This policy and supporting standards are reviewed regularly.

    Standards will be produced to support this policy. Together they will form an Information Security Management System.

    The Depute Director of ********* has been designated the Information Security Officer for the *********. It is the Information Security Officer’s responsibility to maintain this policy, provide advice and guidance on its implementation, and to administer the Information Security Management System.
    Direct responsibility for information security rests with all employees and ********* of the *********. Typical responsibilities can be summarised as: -

    • duty to comply with this information security policy
    • duty to comply with the associated information security standards
    • duty to report all security incidents
    • duty to comply with all legislation (Data Protection Act 1998, Copyright Designs & Patents Act 1988, Computer Misuse Act 1990, etc.)
    • security of personal passwords
    • using information assets, including equipment and data, only for authorised purposes

    This policy will apply to

    • All employees of *********.
    • All third parties working with, or on behalf, of *********

    The Information Security Policy will be reviewed every three years to ensure the continuing relevance and effectiveness of the policy. If, at any time, there is a need to amend the policy to take account of changing circumstances, technologies, or requirements this will be done within the review period.
    All of our infosec policies etc. are based on BS7799, though we're not certified and are not seeking certification.

  7. #7
    Join Date
    Nov 2003
    Thanks a lot everyone, extremely helpful as usual.


  8. #8
    Join Date
    Apr 2005
    A policy is just that: a general guidance.

    When you need to detail it out into specific rules and regulations, dos and don'ts, then you need to implement a Standard Operating Procedure (SOP) that falls within the policy terms.

    A policy, by itself, is a template. There are unique environments that require a greater degree of policy flexibility or a more rigid list of limitations. In corporate ICT security policies, for example, there are strict limitations on what files can be shared by and between users within the company's environment and there are limitations on what can be accessed by an employee on the Internet (particularly if there are potential exploits anticipated by the interchange of communications that would be detrimental to corporate security itself).

    In military environments, the readily accessible documents or data are classified as "Approved for Public Release" and all others classified as Restricted, Confidential and higher are accessible only to organic (i.e., military members with appropriate clearances) personnel.

    A policy defines the parameters or the outer limits that can be applied to any ICT security process. When you codify rules that institute punitive and precautionary procedures and processes, then you're talking of rules and regulations or SOP or manuals of procedures.
    Si vis pacem, para bellum!
