Book Reviews: Creating Security Policies and Defining Security Roles

If you missed Mitch Tulloch’s other Security Books reviews please read:

Information Security Policies Made Easy, Version 10

Developing security policies has always been a drag for IT departments. That’s because developing policies is a management discipline, not a technical one, and IT pros would usually rather rebuild a server than write a page of policy material. That’s why Information Security Policies Made Easy (10th edition, Information Shield) can be a really useful addition to IT departments in large companies. While it doesn’t come cheap, the huge amount of useful information and the accompanying CD-ROM make this book a worthwhile investment. In addition to explaining what policies are and how they are developed, the book contains over a thousand policy templates you can mix and match to create your own corporate security policies with little effort. Each policy template includes a commentary explaining in detail the purpose of the policy, the target audience for the policy, and the kind of security environment to which the policy applies. These template policies cover organizational security, asset control, personnel issues, physical security, communications and operations, access control, systems development, business continuity, and compliance issues: in short, pretty much everything!

There are also sample policies presented for network security, electronic mail, external communications, Internet use, privacy, and more, plus more than a dozen appendices with additional helpful information regarding policy use and misuse. The included CD-ROM helps you quickly and easily create a customized policy for every aspect of your organization’s information security architecture. Well, perhaps not that quickly, since policies need to grow out of your organization’s business goals and tolerance for risk, and the process of creating such policies usually involves committee work across multiple business units. Still, what this book does give you is a tool for quickly creating draft policies for further discussion and refinement, and it provides great help in assuring that you’ve covered most of the important bases as far as these draft policies are concerned. It also helps verbally-challenged IT staff create professional-sounding policies that are expressed clearly and accurately. All in all, not a bad resource if your main spoken language is VBScript or Perl!

Information Security Roles & Responsibilities Made Easy, Version 2

But that’s not all. Information Shield also has a second title called Information Security Roles & Responsibilities Made Easy (2nd edition) that helps organizations deal with another important aspect of developing an effective information security program, namely defining the various roles and responsibilities involved in ensuring an organization’s business assets are secure. This includes help creating the documents that define these roles and responsibilities: mission statements for different departments, job descriptions ranging from CIO to Help Desk personnel, reporting relationships, organizational structures, handbooks, memos, action plans, and more. There is also an excellent discussion of common mistakes organizations need to avoid, such as failing to obtain executive sponsorship for information security initiatives, failing to match accountability with level of responsibility, initiating major projects before clearly defining roles and responsibilities, creating overly-detailed job descriptions, lack of compliance checking, an undefined error reporting process, and so on. As with the previous title above, this book also includes a CD-ROM that helps you automate much of the actual task of creating documents to formally define infosec roles and responsibilities.

I would probably say the target audience for these books would be companies of around 500 or more employees, because that’s about the size where written policies become important and roles proliferate. Smaller companies with 100 or more employees may also find these books useful, but should be careful not to create policies that are overly detailed, since the work culture in such companies is usually more informal than in larger ones. Overall, I recommend these books to any CIO or CSO who wants to help their department formulate effective security policies, but make sure you use these books not as a crutch (i.e. “we need to whip up a few policies so management will get off our back”) but as an integral part of a thoughtful exercise that has management buy-in and is supported across your organization. Otherwise any policy, no matter how comprehensive and well-written, will just not be effective.
