Security Policy:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 20:22, 3 February 2007 by NoticeBored (talk | contribs) (Clarified the wording of ISO 17799 section 5.1)

Security Policy


ISO 17799 section 5.1 defines the information security policy objective "to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations". Section 5.1.1 requires management to approve and publish an information security policy document. Section 5.1.2 requires the policy to be reviewed periodically or when significant changes occur.

This section of the wiki provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Security Policy objectives.

1. Sample ISO Information Security Program Charter
The Information Security Program Charter is required to comply with ISO Security Policy objectives and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.


2. Sample ISO Asset Identification and Classification Policy
The Asset Identification and Classification Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to properly classify and label information assets.


3. Sample ISO Asset Protection Policy
The Asset Protection Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure the security, confidentiality, integrity, and availability of information, as well as to protect against threats or unauthorized access to such information.


4. Sample ISO Asset Management Policy
The Asset Management Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for managing the Information Technology infrastructure, including networks, systems, and applications that store, process and transmit sensitive information throughout the entire life cycle.


5. Sample ISO Acceptable Use Policy
The Acceptable Use Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring the appropriate business use of electronic communications resources.


6. Sample ISO Vulnerability Assessment and Management Policy
The Vulnerability Assessment and Management Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that vulnerability assessment activities are performed and that vulnerability mitigation efforts are properly managed.


7. Sample ISO Threat Assessment and Monitoring Policy
The Threat Assessment and Monitoring Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure periodic threat assessment and ongoing threat monitoring and incident response activities are performed.


8. Sample ISO Security Awareness Policy
The Security Awareness Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that a formal Security Awareness Program is established, as well as ensuring that Information Security objectives and requirements are properly communicated and understood.