I. Introduction
II. Instructions
A. What Are Information Systems Security Policies?
a. Distinct From Guidelines And Standards
b. Distinct From Procedures And Controls
B. Why Are Policies Important?
a. Assuring The Proper Implementation of Controls
b. Guiding The Product Selection/Development Process
c. Demonstrating Management Support
d. Avoiding Liability
e. Protecting Trade Secrets
f. Adapting To A Dynamic Communications Environment
g. Achieving Consistent And Complete Security
h. Coordinating Activities Of Internal And External Groups
C. How Should Policies Be Developed?
a. Gathering Key Reference Materials
b. Defining A Framework for Policies
c. Preparing A Coverage Matrix
d. Making Critical Systems Design Decisions
e. Structuring Effective Review, Approval, And Enforcement Processes
f. Automating Policy Enforcement Via Policy Servers
D. When Should Policies Be Developed?
E. Length Of Policies Document
a. Determining An Appropriate Number of Policies
b. Determining How Long Each Policy Should Be
c. Iterative Development Process
d. Table Of Contents For Typical Policy Document
e. Which Topics To Address First
F. How Can These Policies Best Be Used?
a. Intended Target Audience
b. Policy Customization Specifics
c. Using Key Word Search Facilities
G. How Are These Policies Organized?
H. How Should One Select The Objectives And Scope of Policies?
a. Motivating Objectives
b. Operational Objectives
c. Scope
d. Handling Non-Compliance
I. Disclaimers
a. Need For Customization
b. Balancing Tradeoffs
c. References To Commercial Products
d. Need For Competent Advice
III. Specific Policies
1. Logical Security
1.1. Software Security
1.1.1. System Access Control
1.1.1.1. Password Management
1.1.1.1.1. Password And User-ID Construction
1.1.1.1.2. Design Of Password System User Interface
1.1.1.1.3. Password System Internals Design
1.1.1.1.4. Password Related User Responsibilities
1.1.1.1.5. Password Related Administrator Responsibilities
1.1.1.2. Log-In Process
1.1.2. Privilege Control
1.1.2.1. Use Of Systems
1.1.2.2. Information Driven Access Control
1.1.2.3. User Separation
1.1.2.4. Special Privileges
1.1.2.5. Other Privilege Restrictions
1.1.2.6. Administrative Activities
1.1.3. Logging
1.1.3.1. Information To Include In Logs
1.1.3.2. Handling Of Logs
1.2. Software Development And Change Control
1.2.1. Computer Viruses And Worms
1.2.2. Development Process
1.2.2.1. Development Tools And Techniques
1.2.2.2. Development Privileges And Relationships
1.2.3. Change Control Process
1.2.4. Third Party Involvement
1.2.5. Computer Operations
1.3. Data Security
1.3.1. Intellectual Property Rights
1.3.1.1. Assignment Of Intellectual Property Rights
1.3.1.2. Protection Of Intellectual Property Rights
1.3.2. Data Privacy
1.3.2.1. Restrictions Of Privacy Rights
1.3.2.2. Collection Of Specific Types Of Private Data
1.3.2.3. Disclosure Of Private Data
1.3.2.3.1. Disclosure Of Worker Private Data
1.3.2.3.2. Disclosure Of Third Party Private Data
1.3.2.4. Handling Private Data
1.3.3. Data Confidentiality
1.3.3.1. Overall Data Confidentiality Policies
1.3.3.2. Data Classification Categories
1.3.3.3. Data Classification Marking
1.3.3.4. Classification System Implementation
1.3.3.4.1. Copying And Printing
1.3.3.4.2. Shipping And Manual Handling
1.3.3.4.3. Transmission By Fax And Phone
1.3.3.4.4. Movement Of Confidential Information
1.3.3.4.5. Storage And Disposal
1.3.3.5. Granting Access To Confidential Data
1.3.3.6. Right To Know
1.3.3.7. Handling Confidential Data In Meetings
1.3.3.8. Miscellaneous Confidentiality Policies
1.3.4. Data Criticality
1.3.4.1. Systems Design
1.3.4.2. Contingency Planning
1.3.4.3. Back-Up, Archival Storage, And Disposal Of Data
1.3.5. Data Integrity
1.3.5.1. Awareness Of Integrity Status
1.3.5.2. Integrity Of Information Sources
1.3.5.3. Modification Controls
1.3.5.4. Consistent Representation Of Data
1.3.5.5. Censorship Of Data
1.4. Communications Security
1.4.1. Establishment Of Access Paths And Systems
1.4.1.1. Flow Control Systems Including Firewalls
1.4.1.2. Making Network Connections
1.4.1.3. Forming Contracts Over Networks
1.4.2. Encryption
1.4.2.1. When To Use Encryption
1.4.2.2. Encryption Key Management
1.4.2.3. Miscellaneous Encryption Matters
1.4.3. Dial-Up Computer Communications
1.4.4. Down-Loaded Data
1.4.5. Telephone Systems
1.4.6. Electronic Mail Systems
1.4.7. Telecommuting Arrangements
1.4.8. Internet Connections
1.4.9. Intranet Connections
1.4.10. Electronic Payment Systems
2. Managerial Security
2.1. Administrative Security
2.1.1. Training And Awareness
2.1.2. Reporting Of Security Problems
2.1.3. Control Selection
2.1.3.1. Controls And Systems Design
2.1.3.2. Controls And Business Considerations
2.1.4. Outsourcing And Third Party Contracts
2.2. Human Resources Matters
2.2.1. Discipline And Termination
2.2.2. Reliance On People
2.2.3. Background Checks
2.2.4. Miscellaneous Personnel Matters
2.3. Organizational Structure
2.3.1. Responsibility For Information Security
2.3.1.1. Management Role
2.3.1.2. Information Security Department Role
2.3.1.3. Other Information Security Roles
2.3.1.4. Owner, Custodian And User Responsibilities
3. Physical Security
3.1. Physical Access Security
3.1.1. Building Access Control
3.1.1.1. Locks And Barriers
3.1.1.2. Building Access Records
3.1.1.3. Handling Visitors
3.1.2. Restricted Access To Computer Facilities
3.2. Computer Location And Facility Construction
IV. Sample High-Level Information Security Policy
V. Sample Detailed Information Security Policy
VI. Sample Telecommuting & Mobile Computer Security Policy
VII. Sample External Communications Security Policy
VIII. Sample Microcomputer Security Policy
IX. Sample Electronic Mail Security Policy
X. Sample Computer Network Security Policy
XI. Sample Internet Security Policy
XII. Sample Intranet Security Policy
XIII. Sample Privacy Policy (Stringent)
XIV. Sample Privacy Policy (Lenient)
XV. Sample Web Privacy Policy
XVI. Sample Data Classification System Policy
XVII. Sample Data Classification Quick Reference Matrix
XVIII. Sample External Party Information Disclosure Policy
XIX. Sample Information Ownership Policy
XX. Sample Firewall Policy
Appendices:
1. Abbreviated List Of Information Security Policy References
2. List Of Information Security Periodicals
3. List Of Information Security Professional Associations
4. List Of Suggested Awareness Raising Methods
5. Checklist Of Steps In Policy Development Process
6. Suggested Next Steps Now That Policies Are Written
7. Top Ten Impediments To Implementing Policies
8. Real World Problem Cases Caused By Missing Policies
9. Index To New Policies Since The Last Edition
10. Index To Policies By Policy Numbers
11. Index To Policies By Policy Names
12. Agreement To Comply With Information Security Policies
13. Identity Token Responsibility Statement
14. Management Risk Acceptance Memo
15. One Page Non-Disclosure Agreement
16. About The Author