Writing Information Security Policies

Excellent book summarizing the details involved in writing security policies. Great starting point for anyone tasked with writing or reviewing security policies and procedures.

What makes this book an important addition to the IT security body of knowledge is that it makes a case for, and shows how to, create and implement IT security policies in small-to-medium enterprises. The book itself is a short, somewhat superficial, treatment of IT security policies. It has strengths and weaknesses:STRENGTHS: It makes a compelling business case for having IT security policies, then leads you through the creation of the more common ones. This material is augmented by the book's accompanying web site that provides all of the sample policies in Appendix C in HTML format (most modern word processing programs, such as MS Word can convert this to their native format without losing any of the embedded styles). Note that the URL given in the book has changed, but it is still active and automatically redirects you to the new URL. In addition, the book touches on important topics that you may not think of if you're attempting to develop policies on your own. For example, intellectual property rights, law enforcement issues and forensics. These are touched upon, but will raise your awareness of their importance.WEAKNESSES: The actual development and maintenance of policies is almost an afterthought. Moreover, I thought that a structured approach to threat and vulnerability assessments should have been covered (to be fair, the author discusses major threats on practically every page). I also felt that the policies should have been linked to processes, which is the hallmark of a well written policy, and the importance of clearly defining roles and responsibilities should have been highlighted. I recommend that readers also get a copy of Steve Pages " Achieving 100% Compliance of Policies and Procedures" (ISBN 1929065493) to supplement this book. Page's book is focused solely on policies and procedures development, and will fill in the gaps left in this book.Overall, this book deserves recognition for raising awareness of the importance of IT security policies to small companies. It also deserves credit for sticking to the fundamentals (cited weaknesses notwithstanding), without overwhelming small enterprise IT professionals who are probably wearing many hats besides IT security. For that audience this book shows the way, and earns my praise.

Network administration is only 10% of my job, which means the task of creating a security policy for our 40-user systems integration company needed to take a proportional amount of my time and energy. This book provides a lot of helpful examples, and really gives you what you need to get started. The length is appropriate, the language fits both technical and non-technical audiences, and the organization makes sense. It has definitely saved me considerable time and energy.

It is difficult to find a book on security or a security consultant which wouldn't tell you that an information security policy is a mandatory requirement for any security-conscious organization. However it is even more difficult to write a meaningful and working security policy document which makes sense or to find someone qualified to do that from both business and technical viewpoints. While Scott Barman's book doesn't help you with finding qualified staff or consultants, it can help you become one. In about 200 pages the author manages to explain the need for information security policies, tells you how to approach this animal and shows how to define and write policies. There is no much technical details in this book - and that's the best part of it. Technical details change very often; good business and security practices don't. With this book the author starts at the very beginning ("Why do I need a security policy?") and goes on to actually helping you write one for your organization, system, or network. With sample policies which you can use, and with a good index of resources in the appendix this book is a good choice if you need to understand and/or define information security policies.

I am a senior engineer for network security operations. I read Scott Barman's "Writing Information Security Policies" (WISP) to learn more about the first element of enterprise protection. (This refers to the planning process. Planning is followed by protection, detection, and response.) Although my network security monitoring duties focus on detection and assisting clients with response, security policies still play crucial roles. Thanks to Scott's book, I now have a practical and timely reference to recommend to clients developing security policies. WISP may occupy only 200 pages, but its strict focus on security policy development ensures plenty of useful information in a small form factor. The author demonstrates sound knowledge of the technical aspects of information security. This strong foundation helps me trust his policy recommendations. Several concepts made a positive impression, and made me rethink my own company's security posture. These included the idea that software licenses are an asset, subject to depreciation. Corporate information may be assigned to owners, thereby ensuring accountability. "Security communicators" help bridge the chasm between users and staff. Including security responsibilities in every employee's job description emphasizes the human element of enterprise protection. Statements made by users in Usenet archives reflect the organization, and should be handled carefully. A final novel topic involved "duress passwords," entered by employees suffering some form of physical coercion. I have few negative comments for WISP. I wish the author had included more complete sample policies in the appendices. Perhaps he will post others to his web site? Scott also defers certain aspects of security planning to "procedures" documents. I wonder if he may have a "Writing Information Security Procedures" book in the works? I highly recommend those tasked with writing information security policies read WISP. Thanks to its low page count and high value content, you will be glad to have it as a reference. (Disclaimer: I received a review copy from the publisher.)