WELCOME

Capella has been designated a National Center of Academic Excellence in Information Assurance Education (CAEIAE) by the National Security Agency and the U.S. Department of Homeland Security. Capella’s information security curriculum meets the NSA Committee on National Security Systems standards 4011, 4013, 4014.

This center provides access to resources, tools, and the latest information regarding information assurance as a way to enhance understanding in this field of study.

CNSS Certification

The NSA’s Information Assurance Courseware Evaluation (IACE) Review Committee has validated that Capella’s information security curriculum meets the Committee on National Security Systems (CNSS) National Standards 4011, 4013 (and 4014 coming).


Security Policy Development

From Steven Helwig | May 8th, 2009

Organizations, regardless of the type of business, are required to meet many regulations and laws. This can be expensive and can strain an organization’s resources. Complying with regulations and laws means meeting physical, technical and policy controls. Having a solid security program with properly written policy can meet most requirements.

Unless a policy is part of a major document, such as the security plan, it should be a concise, enforceable document between one and two pages long.

A policy should include:

Title of Policy
Control ID – A unique number following the organization’s numbering standards
Effective Date – Date the policy takes effect
Revision Date – Date of last review and/or revision
Revision Number – Sequential numbering of revisions made to the policy
Approval – Who approved the policy for release? Must be someone with approval powers
Policy Overview
Policy Purpose
Compliance – The regulations or laws this policy complies with
Recourse for Non-Compliance – What is the recourse for not complying with the policy
Scope – What areas does this policy cover
Policy Description – Details of the policy

Your organization may require additional sections, but these should be the minimum sections covered. If you use prewritten policies such as those provided by SANS or those purchased, make sure they are revised to meet your organization’s business requirements and standards.

Thoughts or comments?

 

 


3 Responses to “Security Policy Development”

  1. Charlie Kiriakou says:
    May 16th, 2009 at 5:02 pm

    Dr. Brown,

    Absolutely agree with your statements about security policies. All organizations must have well written, clear and concise information security policies. The Department of Defense (DoD) has several extensive policies, or DoD Directives, that specifically deal with Information Assurance (DODD 8500 series). This policy, and associated implementing DoD Instructions, are quite extensive and exhaustive, and are based on public law and other federal guidelines.

    However, organizations of any size, even small businesses, should have information security policies. Employees must know the rules and their responsibilities when it pertains to safeguarding information they process in their daily routines. There’s too much at risk in today’s cyber world to not put in place company policies to protect information and hold individuals accountable for mishandling information.

    Charlie

  2. Derrick Jackson says:
    May 17th, 2009 at 1:46 am

    This was a very good post and the outline of a security policy was very informative. As a current Capella Learner, I’m sure this information will come in handy and even more so as I move in the business sector.

  3. Michael Pisto says:
    May 17th, 2009 at 5:59 pm

    Hey Steve,

    Just wanted to let you know that I have read your post and appreciate the extra information on policy layouts.

    Thanks
    Mike
