Adaptive Best Practices Policy Samples:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Policies, Standards, and Guidelines==
==Policies, Standards, and Guidelines==
'''Policies''' are the broad rules for ensuring the protection of information assets, and for implementing a security strategy or program. Generally brief in length, policies are independent of particular technologies and specific solutions. This section provides sample security policies that an organization can clone and tailor to its unique requirements. Policies set mandates for the enterprise and have a reportable status to a companies Board of Directors.<br>
[[Image:HORSE-document-heirarchy-2007.jpg|thumb|left|360px]]
'''Policies''' are the broad rules for ensuring the protection of information assets, and for implementing a security strategy or program. Generally brief in length, policies are independent of particular technologies and specific solutions. This section provides sample security policies that an organization can clone and tailor to its unique requirements. Policies set mandates for the enterprise and have a reportable status to a companies Board of Directors. Policies are approved by a companies Board of Directors.<br>
<br>
<br>
'''Standards''', which are very similar to policies, are the broad rules for ensuring the protection of information assets, and for implementing a security strategy or program. Generally brief in length, standards are independent of particular technologies and specific solutions. This section provides sample security standards that an organization can clone and tailor to its unique requirements. Standards set suggestions for the enterprise but do not have a reportable status to a companies Board of Directors.<br>
'''Standards''', which are very similar to policies, are the broad rules for ensuring the protection of information assets, and for implementing a security strategy or program. Generally brief in length, standards are independent of particular technologies and specific solutions. This section provides sample security standards that an organization can clone and tailor to its unique requirements. Standards set suggestions for the enterprise but do not have a reportable status to a companies Board of Directors. Standards are approved by a companies technology review board.<br>
<br>
<br>
'''Guidelines''' are the general and generic overview suggestions for ensuring the protection of information assets, and for implementing a security strategy or program. Generally very detailed in nature, guidelines are very specific to technologies and specific solutions. This section provides sample security guidelines that an organization can clone and tailor to its unique requirements.  Guidelines set configuration or procedural recommendations for the enterprise. They do not have a reportable status to a companies Board of Directors.<br>
'''Guidelines''' are the general and generic overview suggestions for ensuring the protection of information assets, and for implementing a security strategy or program. Generally very detailed in nature, guidelines are very specific to technologies and specific solutions. This section provides sample security guidelines that an organization can clone and tailor to its unique requirements.  Guidelines set configuration or procedural recommendations for the enterprise. They do not have a reportable status to a companies Board of Directors. Guidelines are approved by a companies technology review board<br>
<br>
<br>
:[[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']]<br>
:[[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']]<br>
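Review bot: The sentence added to the Guidelines paragraph, "Guidelines are approved by a companies technology review board", has no terminating period, whereas the matching sentences added to the Policies and Standards paragraphs end with one; the possessive should also read "a company's" rather than "a companies" in all three paragraphs. The new `[[Image:HORSE-document-heirarchy-2007.jpg|thumb|left|360px]]` thumbnail carries no caption, so a reader sees an unlabeled figure; a short caption naming what it shows (the policy, standard and guideline hierarchy the text describes) would document it.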
Line 12: Line 13:
:The Sample Information Systems and Technology Security Policy serves as the top level document setting the holistic tone for the subsequent levels of information security categories detailed in subordinate standards, guidelines, and procedural documents.<br>
:The Sample Information Systems and Technology Security Policy serves as the top level document setting the holistic tone for the subsequent levels of information security categories detailed in subordinate standards, guidelines, and procedural documents.<br>
<br>
<br>
:[[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']]<br>
:[[Sample Asset Identification and Classification Standard:|'''Sample Asset Identification and Classification Standard''']]<br>
:The Asset Identification and Classification Policy defines objectives for establishing specific standards to define, identify, classify, and label information assets.<br>
:The Asset Identification and Classification Standard defines objectives for establishing specific standards to define, identify, classify, and label information assets.<br>
<br>
<br>
:[[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']]<br>
:[[Sample Asset Protection Policy:|'''Sample Asset Protection Standard''']]<br>
:The Asset Protection Policy defines objectives for establishing specific standards for providing an appropriate degree of confidentiality, integrity, and availability for information assets.<br>
:The Asset Protection Standard defines objectives for establishing specific standards for providing an appropriate degree of confidentiality, integrity, and availability for information assets.<br>
<br>
<br>
:[[Sample Asset Management Policy:|'''Sample Asset Management Policy''']]<br>
:[[Sample Asset Management Policy:|'''Sample Asset Management Standard''']]<br>
:The Asset Management Policy defines objectives for properly managing Information Technology infrastructure, including networks, systems, and applications that store, process and transmit information assets throughout the entire life cycle.<br>
:The Asset Management Standard defines objectives for properly managing Information Technology infrastructure, including networks, systems, and applications that store, process and transmit information assets throughout the entire life cycle.<br>
<br>
<br>
:[[Sample Acceptable Use Policy:|'''Sample Acceptable Use Policy''']]<br>
:[[Sample Acceptable Use Policy:|'''Sample Acceptable Use Standard''']]<br>
:The Acceptable Use Policy defines objectives for ensuring the appropriate business use of information assets.<br>
:The Acceptable Use Standard defines objectives for ensuring the appropriate business use of information assets.<br>
<br>
<br>
:[[Sample Vulnerability Assessment and Management Policy:|'''Sample Vulnerability Assessment and Management Policy''']]<br>
:[[Sample Vulnerability Assessment and Management Policy:|'''Sample Vulnerability Assessment and Management Standard''']]<br>
:The Vulnerability Assessment and Management Policy defines objectives for vulnerability assessment activities and ongoing vulnerability management efforts.<br>
:The Vulnerability Assessment and Management Standard defines objectives for vulnerability assessment activities and ongoing vulnerability management efforts.<br>
<br>
<br>
:[[Sample Threat Assessment and Monitoring Policy:|'''Sample Threat Assessment and Monitoring Policy''']]<br>
:[[Sample Threat Assessment and Monitoring Policy:|'''Sample Threat Assessment and Monitoring Standard''']]<br>
:The Threat Assessment and Monitoring Policy defines objectives for threat assessment activities and ongoing threat monitoring efforts.<br>
:The Threat Assessment and Monitoring Standard defines objectives for threat assessment activities and ongoing threat monitoring efforts.<br>
<br>
<br>
:[[Sample Security Awareness Policy:|'''Sample Security Awareness Policy''']]<br>
:[[Sample Security Awareness Policy:|'''Sample Security Awareness Standard''']]<br>
:The Security Awareness Policy defines objectives for establishing a formal Security Awareness Program.<br>
:The Security Awareness Standard defines objectives for establishing a formal Security Awareness Program.<br>
<br>
<br>
--[[User:Mdpeters|Mdpeters]] 10:02, 14 July 2006 (EDT)
--[[User:Mdpeters|Mdpeters]] 10:02, 14 July 2006 (EDT)
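Review bot: Six of the seven renamed entries change only the link label from "Policy" to "Standard" and leave the link target pointing at the Policy page, e.g. `:[[Sample Asset Protection Policy:|'''Sample Asset Protection Standard''']]`, while only the Asset Identification and Classification entry updates both label and target to `Sample Asset Identification and Classification Standard:`. Either the remaining targets should be changed to the corresponding Standard pages (if those pages exist) or the labels should stay "Policy", so the text a reader clicks matches the page that opens. The reworded descriptions also read circularly for two entries ("The Asset Identification and Classification Standard defines objectives for establishing specific standards ..."); "defines requirements for ..." or similar wording would avoid the repetition.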

Latest revision as of 17:06, 30 December 2013

Policies, Standards, and Guidelines

Policies are the broad rules for ensuring the protection of information assets, and for implementing a security strategy or program. Generally brief in length, policies are independent of particular technologies and specific solutions. This section provides sample security policies that an organization can clone and tailor to its unique requirements. Policies set mandates for the enterprise and have a reportable status to a company's Board of Directors. Policies are approved by a company's Board of Directors.

Standards, which are very similar to policies, are the broad rules for ensuring the protection of information assets, and for implementing a security strategy or program. Generally brief in length, standards are independent of particular technologies and specific solutions. This section provides sample security standards that an organization can clone and tailor to its unique requirements. Standards set suggestions for the enterprise but do not have a reportable status to a company's Board of Directors. Standards are approved by a company's technology review board.

Guidelines are the general and generic overview suggestions for ensuring the protection of information assets, and for implementing a security strategy or program. Generally very detailed in nature, guidelines are very specific to technologies and specific solutions. This section provides sample security guidelines that an organization can clone and tailor to its unique requirements. Guidelines set configuration or procedural recommendations for the enterprise. They do not have a reportable status to a company's Board of Directors. Guidelines are approved by a company's technology review board.

Sample Information Security Program Charter
The Information Security Program Charter serves as the capstone document for the Information Security Program and empowers the Information Security Program to manage Information Security-related business risks.


Sample Information Systems and Technology Security Policy
The Sample Information Systems and Technology Security Policy serves as the top level document setting the holistic tone for the subsequent levels of information security categories detailed in subordinate standards, guidelines, and procedural documents.


Sample Asset Identification and Classification Standard
The Asset Identification and Classification Standard defines objectives for establishing specific standards to define, identify, classify, and label information assets.


Sample Asset Protection Standard
The Asset Protection Standard defines objectives for establishing specific standards for providing an appropriate degree of confidentiality, integrity, and availability for information assets.


Sample Asset Management Standard
The Asset Management Standard defines objectives for properly managing Information Technology infrastructure, including networks, systems, and applications that store, process and transmit information assets throughout the entire life cycle.


Sample Acceptable Use Standard
The Acceptable Use Standard defines objectives for ensuring the appropriate business use of information assets.


Sample Vulnerability Assessment and Management Standard
The Vulnerability Assessment and Management Standard defines objectives for vulnerability assessment activities and ongoing vulnerability management efforts.


Sample Threat Assessment and Monitoring Standard
The Threat Assessment and Monitoring Standard defines objectives for threat assessment activities and ongoing threat monitoring efforts.


Sample Security Awareness Standard
The Security Awareness Standard defines objectives for establishing a formal Security Awareness Program.


--Mdpeters 10:02, 14 July 2006 (EDT)