<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://www.ism-community.org/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><title type="html">Policies And Standards Blog</title><subtitle type="html" /><id>http://www.ism-community.org/blogs/policiesandstandardsblog/atom.aspx</id><link rel="alternate" type="text/html" href="http://www.ism-community.org/blogs/policiesandstandardsblog/default.aspx" /><link rel="self" type="application/atom+xml" href="http://www.ism-community.org/blogs/policiesandstandardsblog/atom.aspx" /><generator uri="http://communityserver.org" version="3.0.20423.869">Community Server</generator><updated>2007-04-27T20:20:59Z</updated><entry><title>New Project Leader for Policies and Standards Focus Area</title><link rel="alternate" type="text/html" href="http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/06/08/new-project-leader-for-policies-and-standards-focus-area.aspx" /><id>http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/06/08/new-project-leader-for-policies-and-standards-focus-area.aspx</id><published>2007-06-08T12:41:01Z</published><updated>2007-06-08T12:41:01Z</updated><content type="html">&lt;p&gt;&lt;/p&gt; &lt;p&gt;Ciske van Oosten has agreed to take over the Policies and Standards project at the ISM Community. Ciske runs a great blog focused on policies and standards at &lt;a href="http://infosec-risk.blogspot.com/"&gt;http://infosec-risk.blogspot.com/&lt;/a&gt;.  &lt;p&gt;The idea behind the Policies and Standards project is to build and maintain a comprehensive and well written free set of policies and standards. These things are rarely competitive advantages to any company and so collaboration can benefit everyone. There are some documents now floating around as donations from various companies which is also great.  
&lt;p&gt;Ciske has written a great guide to policies and standards and has some great ideas and passion to make this project happen. &lt;p&gt;The discussion forum is here &lt;a href="http://www.ism-community.org/forums/68.aspx"&gt;http://www.ism-community.org/forums/68.aspx&lt;/a&gt; and I am sure Ciske will be sending some updates and have a project plan via the ISM blog for the project here &lt;a href="http://www.ism-community.org/focusareas/21/PoliciesAndStandardsBlog/focusarea.aspx"&gt;http://www.ism-community.org/focusareas/21/PoliciesAndStandardsBlog/focusarea.aspx&lt;/a&gt; &lt;p&gt;If you have any policies and standards you would donate as baseline documents please contact Ciske via the forums.  &lt;p&gt;Cheers, &lt;p&gt;Mark&lt;/p&gt;</content><author><name>mcurphey</name><uri>http://www.ism-community.org/members/mcurphey.aspx</uri></author><category term="ProjectNews" scheme="http://www.ism-community.org/blogs/policiesandstandardsblog/archive/tags/ProjectNews/default.aspx" /></entry><entry><title>ISM Community Top Ten - Draft</title><link rel="alternate" type="text/html" href="http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/06/04/ism-community-top-ten-draft.aspx" /><id>http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/06/04/ism-community-top-ten-draft.aspx</id><published>2007-06-04T14:43:48Z</published><updated>2007-06-04T14:43:48Z</updated><content type="html">&lt;p&gt;I have just uploaded the ISM Community Top Ten Draft &lt;a href="http://www.ism-community.org/files/folders/trainingandawarenessrelease/entry946.aspx"&gt;here&lt;/a&gt;. The intention of the T10 is to provide a short and concise awareness document. 
In the same genre as the SANS Top 20 and OWASP Top Ten it can be used by business managers as well as information security professionals to&amp;nbsp;provoke thought about&amp;nbsp;their current information security programs. &lt;/p&gt; &lt;p&gt;We plan to release the final&amp;nbsp;document next week. There have been several volunteers who have kindly offered to translate it into other languages. The current draft requires some final touches and if anyone has some time today or tomorrow please download it, edit it with tracking turned on (important) and email it to me (mark at curphey dot com). &lt;/p&gt; &lt;p&gt;What is required is;&lt;/p&gt; &lt;p&gt;1. Proof reading (grammar, accuracy and completeness)&lt;/p&gt; &lt;p&gt;2. Tips and Tricks from the field added to sections 8, 9 and 10&lt;/p&gt; &lt;p&gt;Any major changes we can consider for an updated version later this year.&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt;</content><author><name>mcurphey</name><uri>http://www.ism-community.org/members/mcurphey.aspx</uri></author><category term="ProjectNews" scheme="http://www.ism-community.org/blogs/policiesandstandardsblog/archive/tags/ProjectNews/default.aspx" /></entry><entry><title>Policies and Standards -Week Deux</title><link rel="alternate" type="text/html" href="http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/05/10/policies-and-standards-week-deux.aspx" /><id>http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/05/10/policies-and-standards-week-deux.aspx</id><published>2007-05-10T14:33:14Z</published><updated>2007-05-10T14:33:14Z</updated><content type="html">&lt;p&gt;The summer is finally here in the South of France. 
It&amp;#39;s 86 today and from this point until the end of Sept it should be sunny and hot.&lt;/p&gt; &lt;p&gt;We had a few offers for some policy documents but sadly most had strings attached that meant they would not be suitable for everyone to consume so it looks like we&amp;#39;ll just need to start from the ground up. &lt;/p&gt; &lt;p&gt;My plan is as follows.&lt;/p&gt; &lt;p&gt;This week: review a stack of links I have to whitepapers, blogs etc&amp;nbsp;about policies and standards and summarize them along with some notes. From this we can then create a plan that solves the problems and develop a list of tasks. &lt;/p&gt; &lt;p&gt;Anyone volunteer to help me write some content?&lt;/p&gt; &lt;p&gt;Jason made some interesting points about writing policies and cited his blog. &lt;/p&gt; &lt;p&gt;&lt;a href="http://infosecalways.com/2007/05/08/roles-responsibilities-in-policy/"&gt;http://infosecalways.com/2007/05/08/roles-responsibilities-in-policy/&lt;/a&gt;&lt;/p&gt; &lt;p&gt;From the comments in his blog it seems there is some interest in defining roles and responsibilities in Information Security. &lt;/p&gt; &lt;p&gt;I have so much going on I forgot to post this and ask for a volunteer to get this idea off the ground. How about if we created an org chart of a few typical security departments (reporting up through the CIO, through legal and compliance, via another route etc) and defined a set of roles and responsibilities for the actors. I think this would be a valuable resource for many reasons. Any volunteers? 
I have a user persona template from which to start and I&amp;#39;ll buy you as much beer as you can drink in a 24 hour sitting!&lt;/p&gt;</content><author><name>mcurphey</name><uri>http://www.ism-community.org/members/mcurphey.aspx</uri></author></entry><entry><title>Welcome to the Policies and Standards Focus Area</title><link rel="alternate" type="text/html" href="http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/04/27/welcome-to-the-policies-and-standards-focus-area.aspx" /><id>http://www.ism-community.org/blogs/policiesandstandardsblog/archive/2007/04/27/welcome-to-the-policies-and-standards-focus-area.aspx</id><published>2007-04-27T18:20:59Z</published><updated>2007-04-27T18:20:59Z</updated><content type="html">&lt;p&gt;Welcome to the Policies and Standards Focus Area.&amp;nbsp;I plan to blog post here weekly with&amp;nbsp;news of&amp;nbsp;progress for those that don&amp;#39;t want to delve into the forums / mailing lists. You can subscribe to these updates via RSS at the side bar.&lt;/p&gt; &lt;p&gt;The first project I want to start as part of this Focus Area is to build and release a complete set of policies and standards. Whilst we are doing it I want to analyze what is out there today; what works and what doesn&amp;#39;t, and then compile those findings&amp;nbsp;into a Guide to writing Better Policies and Standards for anyone who finds themselves writing their own.&lt;/p&gt; &lt;p&gt;Everyone needs Policies and Standards&amp;nbsp;yet I believe&amp;nbsp;in general there is significant room for improvement to make them more engaging and more effective. &lt;/p&gt; &lt;p&gt;The first few tasks to get this project off the ground are;&lt;/p&gt; &lt;p&gt;1. 
Analyze the current issues with P&amp;#39;s &amp;amp; S&amp;#39;s (&lt;a href="http://www.ism-community.org/forums/p/501/744.aspx#744"&gt;I just posted to the forums a second ago so please add your 2 cents worth ASAP&lt;/a&gt;)&lt;/p&gt; &lt;p&gt;2. Develop a template for a policy and standard. We will be able to use the glossary that Paul Zedeck is creating for standard definitions&amp;nbsp;and ensure consistency. &lt;/p&gt; &lt;p&gt;3. Develop and&amp;nbsp;maintain an &amp;quot;org chart like&amp;quot; Visio diagram of a reference hierarchy of policies and standards. &lt;/p&gt; &lt;p&gt;This &amp;quot;reference hierarchy&amp;quot; can then also serve as a task list and people can volunteer to write specific policies or standards and submit them for review.&lt;/p&gt; &lt;p&gt;The forums should start functioning like traditional mailing lists very soon and we have file storage areas in which to easily store our Word documents.&lt;/p&gt; &lt;p&gt;Of course it goes without saying that if any company would like to donate their policies and standards or anyone has anything which would make a solid base then please contact me. We can make sure there is nothing sensitive and/or 100% anonymize them before they are placed online.&lt;/p&gt; &lt;p&gt;If you would like to volunteer to help please post to the forum. &lt;/p&gt; &lt;p&gt;&lt;a title="http://www.ism-community.org/forums/68.aspx" href="http://www.ism-community.org/forums/68.aspx"&gt;http://www.ism-community.org/forums/68.aspx&lt;/a&gt;&lt;/p&gt;</content><author><name>mcurphey</name><uri>http://www.ism-community.org/members/mcurphey.aspx</uri></author><category term="ProjectNews" scheme="http://www.ism-community.org/blogs/policiesandstandardsblog/archive/tags/ProjectNews/default.aspx" /></entry></feed>