Q: Information Security Plan help ( Answered,   0 Comments )
Question  
Subject: Information Security Plan help
Category: Computers
Asked by: gbgc-ga
List Price: $25.00
Posted: 02 Nov 2002 08:07 PST
Expires: 02 Dec 2002 08:07 PST
Question ID: 96458
Our company has been asked to provide an Information Security Plan. I
need to know the most efficient way to achieve this. If you have
created them before, could you tell me the best way to proceed?
Answer  
Subject: Re: Information Security Plan help
Answered By: kyrie26-ga on 02 Nov 2002 11:43 PST
 
Hi gbgc-ga,

Thank you for your question. The topic of information security is a
very broad one, and a good information security plan will address many
different areas in order to provide a comprehensive, coordinated
structure to protect the information resources of an organization.

I have found several resources that will help you in this area : plans
of other organizations, information security product/service
providers, and reports. Here they are :


+----------------------------------------------------------------------+

The following is an excellent example of an information security plan.
It is well-written and comprehensive, and I believe you will be able
to use it as a template for your own plan :

Model for Information Security Plan
http://www.peacefulpackers.com/it_solutions/xis00_1.htm


[begin excerpt] 

This model is based on a set of four consolidated policies from
Murdoch University of Perth, Australia in year 2001. The information
is published on a public directory of the Murdoch University Web Page
... my reference at that time was:  wwwits.murdoch.edu.au/policies/

Overview
The corporation acknowledges its obligation to ensure appropriate
security for all information technology: data, software, hardware,
networks, telecommunications and information processing operations
within the corporation's domain of ownership and control. The
corporation's employees share this obligation. All other users of the
corporation's information technology infrastructure share this
obligation.

Information Security Management
1. Defines elements which constitute appropriate IT security for the
corporation
2. Identifies Preventive, Detective and Corrective Controls to
maintain IT security
3. Specifies the IT data, hardware and software subject to the policy
4. Document IT security responsibility/accountability for various
roles
5. Provide scaled levels of security based on value, risk and
vulnerability

Scope of IT Security
The goal of Information Security Management is to eliminate
unacceptable risk for information:
1. confidentiality 
2. integrity 
3. assets 
4. efficient and appropriate use 
5. system availability 

Confidentiality refers to the privacy of personal or corporate
information.

Integrity refers to the accuracy of data.

Assets that must be protected include:
	- computer and peripheral equipment. 
	- communications equipment 
	- computing and communications premises 
	- power, environmental control, and communications utilities 
	- supplies and data storage media 
	- system computer programs and documentation 
	- application computer programs and documentation 
	- Information 

Efficient and appropriate use ensures IT resources are used for
purposes for which they were intended, in a manner that does not
interfere with the rights of others.

Availability is the full functionality of a system and its components.

Domains of Security
The corporation's Information Security Management includes security
domains:
1. Computer system security: CPU, peripherals, OS, data security 
2. Physical security: premises occupied by IT, personnel and equipment
3. Operational security: environment control, power equipment,
operation activities
4. Procedural security: vendor, management, personnel 
5. Communications security: communications equipment, personnel,
transmission paths
 

Reasons for IT Security

Different classes of information warrant different degrees of
confidentiality.

The hardware and software components that constitute IT assets
represent a sizable monetary investment that must be protected. The
same is true for the information stored in IT systems, some of which
may have taken huge resources to generate, and some of which can never
be reproduced.

The use of IT assets other than in a manner and for the purpose for
which they were intended represents a misallocation of valuable
resources, and possibly a danger to the reputation or a violation of
the law.

Finally, proper functionality of IT systems is required for the
efficient operation of the university. Some systems, such as the HRS,
Finance, Student Administration, CWIS, and Library systems are of
paramount importance to the mission of the university. Other systems
(e.g. somebody's PC) are of less importance.

[end excerpt]

Please refer to the full article as there are further links that
expand into more specific areas of the plan.

+----------------------------------------------------------------------+

Information Security Policies & Computer Security Policy Directory
http://www.information-security-policies-and-standards.com/


Download Page
http://www.information-security-policies-and-standards.com/download.htm

"A COMPREHENSIVE SET OF INFORMATION SECURITY POLICIES 
The trial version is a full 'watermarked' policy set in PDF format. It
can be viewed, but not edited without the license key provided on
purchase. It is provided to organizations for 15 days solely for
evaluation purposes."

I have downloaded their "Information Security Policies" package and
evaluated it. It is an excellent 522-page document covering the
following topics :

Chapter 01 : Securing Hardware, Peripherals and Other Equipment
Chapter 02 : Controlling Access to Information and Systems 
Chapter 03 : Processing Information and Documents
Chapter 04 : Purchasing and Maintaining Commercial Software
Chapter 05 : Developing and Maintaining In-House Software
Chapter 06 : Combating Cybercrime
Chapter 07 : Complying with Legal and Policy Requirements
Chapter 08 : Planning for Business Continuity
Chapter 09 : Addressing Personnel Issues Relating to Security
Chapter 10 : Controlling E-Commerce Information Security
Chapter 11 : Delivering Training and Staff Awareness
Chapter 12 : Dealing with Premises-Related Considerations
Chapter 13 : Detecting and Responding to IS Incidents
Chapter 14 : Classifying Information and Data

+----------------------------------------------------------------------+

The SANS Security Policy Project 
http://www.sans.org/newlook/resources/policies/policies.htm

"Welcome to the SANS Security Policy Resource page, a consensus
research project of the SANS community. The ultimate goal of the
project is to offer everything you need for rapid development and
implementation of information security policies. You'll find a great
set of resources posted here already including policy templates for
twenty-four important security requirements."

+----------------------------------------------------------------------+

PentaSafe Security Technologies, Inc. - The safest way to grow your
business
http://www.pentasafe.com/publications/

"PentaSafe's Library of Information Security Publications provides you
with everything you need to create a successful information security
program for your organization. Including 1250+ security policies,
templates, sample mission statements, and job descriptions, this is
the most comprehensive compilation of information security resources
and expert advice available. All policies and templates are provided
on CD so they can be easily customized to meet your company's specific
needs."

+----------------------------------------------------------------------+

InformationWeek : U.S. Information Security 2002 Research Report
($175.00 USD)
http://www.informationweek.com/reports/IWK20020705S0007

[begin excerpt]

Your company's reputation, your customer's loyalty, and employee
productivity all take a big hit when your company is victimized by an
information security attack. Investment in security tools and services
might offer a certain level of protection against security breaches
and espionage. But it's market intelligence that helps you shape the
best security policies and practices. Security threats are constantly
shifting and companies must change to ensure their architecture and
strategy are on the cutting edge.

InformationWeek's U.S. Information Security 2002 report examines the
security experiences of 3,480 U.S. companies. In addition to
spotlighting security incidents and current strategies aimed at
curtailing security break-ins, the report also documents best
practices and near-term investment plans. Use the findings to
understand how U.S. companies are gearing up to rebuff the next round
of security attacks and compare your company's security strategies
against its industry peers.

This report, based upon an InformationWeek Research study fielded by
PricewaterhouseCoopers, spotlights the responses of 8,100 security
professionals spanning 42 countries, and will help your organization
to devise a security plan to guard against costly intrusions and
downtime. The study, now in its fifth year, is believed to be the
largest of its kind.

[end excerpt]

+----------------------------------------------------------------------+



Google Search Terms :

information security plan
http://www.google.com/search?q=information+security+plan&hl=en&lr=&ie=UTF-8&safe=off&start=0&sa=N

information OR computer OR computing security plan OR plans OR policy
OR policies
http://www.google.com/search?sourceid=navclient&q=information+OR+computer+OR+computing+security+plan+OR+plans+OR+policy+OR+policies



I hope this answered your question, and provided you with the
resources you need to construct the Information Security Plan for your
company. If you should need further assistance on this topic, please
do not hesitate to ask for a Request For Clarification and I would be
more than happy to help you. Thank you for using Google Answers.


Regards,

kyrie26-ga
Comments  
There are no comments at this time.
