Policies
Download free Policy & Procedure Manager 4.5

Well, it's a 30-day free trial actually, but it's still very useful software for those working with a lot of documentation, policies and procedures. For more information you can visit their main site or download it directly (29MB) from download.com
The web-based Policy & Procedure Manager provides your staff with instant access to your organization's policies and procedures. It notifies those who are required to read specific documents and tracks who has read them. You can use the software to create, review, approve, and archive all of your documents, not just policies and procedures.
Eleven golden rules for user registration controls
ISO 27002 recommends that an organization’s user registration process should cover the following:
1. Unique user identifications (IDs) should be issued so that users can be linked to, and made responsible for, their actions.
2. The user’s access rights should be documented and describe what assets and systems the user is allowed to access.
3. System owners should authorize proposed users to use the system, and the access rights document should also be authorized by the individual’s line manager, to ensure that it is appropriate.
Download Free Policy & Procedure Manager 4.5 for Regulatory Compliance Standards
The web-based Policy & Procedure Manager provides your staff with instant access to your organization's policies and procedures. It notifies those who are required to read specific documents and tracks who has read them. You can use the software to create, review, approve, and archive all of your documents, not just policies and procedures. Email reminders and reports ensure that everything stays up to date. You can also organize documents according to any regulatory compliance standards - such as Sarbanes Oxley, ISO 9000, JCAHO, HIPAA, state guidelines.
Size: 29.57MB
License: Free to try
Requirements: Windows 95/98/Me/NT/2000/XP
Limitations: 30-day trial
Date Added: February 19, 2008
Four Types of Security Policies
- Military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
- Commercial security policy is a security policy developed primarily to provide integrity.
- Confidentiality policy is a security policy dealing only with confidentiality.
- Integrity policy is a security policy dealing only with integrity.
A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
The name comes from the military's need to keep information, such as the date that a troop ship will sail, secret. Although integrity and availability are important, organizations using this class of policies can overcome the loss of either (for example, by using orders not sent through a computer network). But the compromise of confidentiality would be catastrophic, because an opponent would be able to plan countermeasures (and the organization may not know of the compromise).
Confidentiality is one of the factors of privacy, an issue recognized in the laws of many government entities (such as the Privacy Act of the United States and similar legislation in Sweden). Aside from constraining what information a government entity can legally obtain from individuals, such acts place constraints on the disclosure and use of that information. Unauthorized disclosure can result in penalties that include jail or fines; also, such disclosure undermines the authority and respect that individuals have for the government and inhibits them from disclosing that type of information to the agencies so compromised.
The truth about IT security policy
"…IT security policy for IT auditor day to day perspective.."
I've been working on IT security policy and procedure writing for the last four years. My main responsibility during that period has been providing consulting services for companies that need to comply with some kind of security standard such as Sarbanes Oxley, ISO 27001 or even just some guidelines from our government.
Security policies and procedures are my main deliverables. So if you see my clients, you will see that in their offices there are a lot of policies and procedures created by many prestigious companies; my company has also contributed there. They took international standards such as COBIT or ITIL to ensure that the company's confidential data is kept secure.
Well-written policy using the 5 Ws of Journalism
The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the luxury to sit down with each reader and explain what each item means and how it impacts the user's daily assignments. Know the audience for whom the policies are being developed. Remember the reading and comprehension level of the average employee. When writing the policy, remember the "5 Ws of Journalism 101":
What: what is to be protected (the topic)
Who: who is responsible (responsibilities)
Where: where within the organization does the policy reach (scope)
How: how compliance will be monitored (compliance)
When: when does the policy take effect
Why: why the policy was developed
What is the first priority in IT audit?
If you’re the first person responsible for performing an information system audit in your company, then what is your first priority? Repairing the IT process in your company? Preparing risk control matrices, or just recruiting another experienced IS auditor to brainstorm with you?
In my experience, it all starts with planning first. Yes, IT planning plays a significant role at this stage. Remember that auditing means a lot of interaction with many departments and functions across the company. So coordination is the first issue to be noted.
Have you ever been in this situation?
Effective information security programs are well-written policy statements
The cornerstones of effective information security programs are well-written policy statements. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents. As with any assessment process, it is important to ensure that policies establish the direction management wants to go with regard to security.
When reviewing policies, Thomas R. Peltier, in his book about Managing a Network Vulnerability Assessment, said that it will be necessary to remember that there are three general types of policies:
General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the organization. They also assign responsibilities for implementation and compliance with the policy. Typical information security general or global policies include:
How to design audit log policy
Enabling the audit log is an issue, as we discussed before. But leave it to management to decide on this feature, because whatever the decision, we still need to make an audit log policy to ensure the activities are effective.
Here are some topics that should be made clear in an audit log policy:
1. Event logging
What kind of activity should be logged: all administrator activities, or only sensitive activities for certain users? Another approach is hour-based logging, where the audit log is enabled only during working hours. The auditor should clearly state which events should be logged.
2. Log recording and archiving
Whether logs are archived to write-once disk, archived to tape storage, or just kept on hard disk must also be stated in the log policy. It must also state how long any security breaches will be archived.
How to design social networking website policy
The latest update of Linkedin.com, one of the most popular social networking sites for professionals, is evidence that social networks have become very important in our lives. Their function has shifted: they are not only a communication medium but also a place to find a new career, develop a larger network, and do corporate research.
However, the massive usage of social networking websites also creates another challenge for industry: creating a good enterprise policy for this matter. Any other ideas on how to develop a social networking website policy?
Read also:
Social networking threats manageable with good enterprise policy.
LinkedIn's latest updates take a few hints from Facebook