Solid security starts with a written document. A valid and sufficient
security policy exists only when it is documented and implemented. A written
security policy is the foundation on which a viable real-world security
infrastructure is built.


The areas that should be included are:

  • Acceptable Use Policy defines which activities are and are not allowed
    on company premises, with company equipment, and when using company resources.
    It often names actions that are specifically prohibited, such as accessing
    pornography, using pirated content, or running a side business. These
    prohibitions are backed by stated consequences in the event an employee is
    found in violation.

  • Privacy Policy clearly defines what is and is not private when
    working on company equipment or when on company property. There are a variety
    of laws and regulations that address privacy. When privacy protection is
    legally mandated, a company must enforce and protect privacy in compliance
    with the regulations. Some organizations choose to grant additional privacy
    beyond that mandated by law.

  • Password Policy defines the minimum length of a password, the types of
    characters allowed or required in it, the minimum and maximum age of the
    password, and the prevention of password reuse (typically by checking a new
    password against a history of previous ones). The password policy might
    also include account lockout parameters, which define the number of
    unsuccessful logon attempts permitted before an account is temporarily or
    permanently disabled, and how long a temporary lockout lasts.

  • Disposal and Destruction Policy defines when and how material is disposed
    of. Every organization produces waste, and whether it is coffee grounds,
    sensitive printed documentation, or retired storage devices, there needs to
    be a plan other than simply tossing it in the bin: sensitive paper should
    be shredded, and storage media securely wiped or physically destroyed.

  • Storage and Retention Policy defines that data such as customer
    information, financial history, and auditing data must often be retained
    for years or indefinitely. It is important to thoroughly plan the
    technology, the storage location, and the security of the process of backing
    up and storing this information.

  • Incident Response Policy addresses preparation, detection,
    containment, eradication, recovery, and post-mortem review. The purpose
    of this policy is to minimize downtime, reduce loss, and restore
    availability.

  • Change Management Policy covers installation of new software, updating
    device drivers, application of patches, modification of configuration, and
    even physical reorganizations. When change is not controlled and monitored,
    security is at risk. A change management policy imposes a procedure to
    evaluate, test, and approve changes before they are allowed into the
    production environment.

  • Firewall Policy dictates and defines how firewalls are to be implemented
    throughout the infrastructure.
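The password policy item above lists parameters (minimum length, character classes, minimum and maximum age, reuse history, lockout threshold) but does not show how they are enforced. The following is an added example, not code from the original page or from any vendor's product: a small enforcement module that applies those parameters to a stored account. The thresholds in PasswordPolicy, the Account record, the PBKDF2 iteration count, and the status strings returned by authenticate() are illustrative assumptions chosen for the example.

```python
# Added example: enforcing password-policy parameters (length, character
# classes, min/max age, reuse history, lockout). All thresholds below are
# illustrative assumptions, not a specific product's defaults.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 12
    required_classes: int = 3            # of: lower, upper, digit, symbol
    min_age_seconds: int = 24 * 3600     # no changes more often than daily
    max_age_seconds: int = 90 * 24 * 3600
    history_size: int = 10               # previous passwords that may not be reused
    lockout_threshold: int = 5           # failed logons before lockout
    lockout_seconds: int = 15 * 60       # temporary lockout duration


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    last_changed: float
    history: list = field(default_factory=list)  # (salt, hash) of current + old passwords
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash(password, salt):
    # Salted, iterated hash so stored history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def character_classes(password):
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def validate_password(policy, candidate, account=None, now=None):
    """Return the list of policy violations; an empty list means acceptable."""
    now = time.time() if now is None else now
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if character_classes(candidate) < policy.required_classes:
        problems.append("too few character classes")
    if account is not None:
        if now - account.last_changed < policy.min_age_seconds:
            problems.append("changed too recently")
        # Reuse check: re-hash the candidate under each stored salt and compare.
        for salt, old_hash in account.history[: policy.history_size]:
            if hmac.compare_digest(_hash(candidate, salt), old_hash):
                problems.append("reused")
                break
    return problems


def new_account(policy, password, now=None):
    now = time.time() if now is None else now
    problems = validate_password(policy, password)
    if problems:
        raise ValueError(", ".join(problems))
    salt = os.urandom(16)
    h = _hash(password, salt)
    return Account(salt=salt, pw_hash=h, last_changed=now, history=[(salt, h)])


def set_password(policy, account, new_password, now=None):
    """Change the password; returns violations, or [] on success."""
    now = time.time() if now is None else now
    problems = validate_password(policy, new_password, account, now)
    if problems:
        return problems
    salt = os.urandom(16)
    account.salt, account.pw_hash, account.last_changed = salt, _hash(new_password, salt), now
    account.history.insert(0, (salt, account.pw_hash))
    del account.history[policy.history_size:]   # keep only the last N
    account.failed_attempts = 0
    return []


def authenticate(policy, account, password, now=None):
    """Returns 'ok', 'expired' (correct but past max age), 'invalid' or 'locked'."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    if not hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= policy.lockout_threshold:
            account.locked_until = now + policy.lockout_seconds
            account.failed_attempts = 0
        return "invalid"
    account.failed_attempts = 0
    if now - account.last_changed > policy.max_age_seconds:
        return "expired"
    return "ok"
```

Two design points worth noting: the reuse check is done by re-hashing the candidate under every stored salt rather than storing old passwords in a comparable form, and a lockout is only ever entered from a failed comparison, so an attacker who knows the correct password cannot trigger it for someone else without first submitting wrong ones.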
