Security Policy:: Difference between revisions
Revision by NoticeBored (minor edit): Clarified the wording of ISO 17799 section 5.1.
Revision as of 20:22, 3 February 2007
Security Policy
ISO 17799 section 5.1 defines the information security policy objective "to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations". Section 5.1.1 requires management to approve and publish an information security policy document. Section 5.1.2 requires the policy to be reviewed periodically or when significant changes occur.
This section of the wiki provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Security Policy objectives.
- 1. Sample ISO Information Security Program Charter
- The Information Security Program Charter is required to comply with ISO Security Policy objectives and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.
- 2. Sample ISO Asset Identification and Classification Policy
- The Asset Identification and Classification Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to properly classify and label information assets.
- 3. Sample ISO Asset Protection Policy
- The Asset Protection Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure the security, confidentiality, integrity, and availability of information, as well as to protect against threats or unauthorized access to such information.
- 4. Sample ISO Asset Management Policy
- The Asset Management Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for managing the Information Technology infrastructure, including networks, systems, and applications that store, process and transmit sensitive information throughout the entire life cycle.
- 5. Sample ISO Acceptable Use Policy
- The Acceptable Use Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring the appropriate business use of electronic communications resources.
- 6. Sample ISO Vulnerability Assessment and Management Policy
- The Vulnerability Assessment and Management Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that vulnerability assessment activities are performed and that vulnerability mitigation efforts are properly managed.
- 7. Sample ISO Threat Assessment and Monitoring Policy
- The Threat Assessment and Monitoring Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure periodic threat assessment and ongoing threat monitoring and incident response activities are performed.
- 8. Sample ISO Security Awareness Policy
- The Security Awareness Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that a formal Security Awareness Program is established, as well as ensuring that Information Security objectives and requirements are properly communicated and understood.