Thursday, January 10, 2008

BS7799-2 - the ISMS concept

An idealised structure for an ISMS is shown opposite. It shows the traditional approach to risk management augmented by the addition of a new feedback loop. In scoping the problem, BS7799-2 implies an "information-centric" view of the world, to avoid the trap of failing to take account of less obvious vulnerabilities such as people, cell phones and laptops. It further implies information policies that clearly identify the business priorities concerning information, and why, and in addition risk assessments that identify what networks really are, not what people think they are!

Diagram of the original (1999) concept of an ISMS, showing that a feedback loop is required from the step called "managing the risks" to the previous step called "perform the risk assessment". Dr. Brewer referred to the original ISMS specification as a weak specification because this feedback loop was missing. In the 2002 revision (as in the 2005 ISO/IEC standard) this feedback loop is included by adoption of the Deming cycle (plan-do-check-act).

BS7799-2 requires management to identify vulnerabilities and select the safeguards with a priority that matches the business priorities specified in the security policy. Reiteration is encouraged, choosing alternate safeguards until management is satisfied with the residual risks and costs involved. Once the chosen safeguards have been implemented, the ideal ISMS monitors their effectiveness; it does not assume that they will work as intended. Management should regularly re-appraise the situation. Even if nothing is supposed to have changed, the risk assessment should be regularly repeated (this is the new feedback loop). Management should assume, for example, that their networks have changed - most networks do with time! In any case, doubtless someone will have identified new vulnerabilities. Of course, if the business requirements have changed, there will be a need to re-scope the problem and revise the security policy accordingly.
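The loop described above, modelled as an added toy example (not from the original post or from Gamma): safeguards are selected against their claimed effectiveness, monitoring then measures what they actually achieve, and the feedback loop re-runs the assessment against a changed network. The greedy "risk reduction per unit cost" selection rule, the assets, likelihoods, impacts and costs are all constructed assumptions for illustration.

```python
# Added toy model of the BS7799-2 loop: assess -> select -> monitor -> re-assess.
from collections import namedtuple

Risk = namedtuple("Risk", "asset threat likelihood impact")        # likelihood 0..1, impact 1..5 set by policy
Safeguard = namedtuple("Safeguard", "name covers reduction cost")  # covers=(asset, threat); reduction is the claim

def residual_risk(risks, selected, effectiveness):
    """Sum of likelihood*impact after safeguards; `effectiveness` holds the measured
    fraction of each safeguard's claim that monitoring confirmed (absent = assume the claim)."""
    total = 0.0
    for r in risks:
        lk = r.likelihood
        for s in selected:
            if s.covers == (r.asset, r.threat):
                lk *= 1 - s.reduction * effectiveness.get(s.name, 1.0)
        total += lk * r.impact
    return total

def treat_risks(risks, candidates, appetite, budget, effectiveness=None, implemented=()):
    """Reiteration step: keep adding the affordable safeguard with the best risk reduction
    per unit cost until residual risk is within appetite or nothing affordable helps."""
    eff = effectiveness or {}
    selected, spent = list(implemented), 0
    remaining = [c for c in candidates if c not in selected]
    while True:
        base = residual_risk(risks, selected, eff)
        affordable = [s for s in remaining if spent + s.cost <= budget]
        if base <= appetite or not affordable:
            return selected, base
        gain = {s.name: base - residual_risk(risks, selected + [s], eff) for s in affordable}
        best = max(affordable, key=lambda s: gain[s.name] / s.cost)
        if gain[best.name] <= 0:
            return selected, base
        selected.append(best); spent += best.cost; remaining.remove(best)

# Constructed inventory: an information-centric view lists laptops and phones, not just servers.
RISKS = [Risk("laptop", "theft", 0.4, 4), Risk("file server", "malware", 0.5, 5),
         Risk("cell phone", "loss", 0.3, 2)]
SAFEGUARDS = [Safeguard("disk encryption", ("laptop", "theft"), 0.9, 3),
              Safeguard("antivirus", ("file server", "malware"), 0.8, 2),
              Safeguard("remote wipe", ("cell phone", "loss"), 0.5, 1),
              Safeguard("patching", ("file server", "malware"), 0.7, 4)]

def run_cycle(appetite=1.5, budget=8):
    chosen, assumed = treat_risks(RISKS, SAFEGUARDS, appetite, budget)   # plan/do: trust the claims
    # check: monitoring finds antivirus delivers a quarter of its claim, and the network has
    # changed (a wireless AP appeared). The feedback loop repeats the assessment with both facts.
    measured = {"antivirus": 0.25}
    risks2 = RISKS + [Risk("wireless AP", "eavesdropping", 0.6, 3)]
    cands2 = SAFEGUARDS + [Safeguard("wpa2", ("wireless AP", "eavesdropping"), 0.9, 2)]
    left = budget - sum(s.cost for s in chosen)
    chosen2, actual = treat_risks(risks2, cands2, appetite, left, measured, chosen)  # act: re-treat
    return [s.name for s in chosen], assumed, [s.name for s in chosen2], actual
```

`run_cycle()` returns an assumed residual of 1.26 after the first pass but a measured residual of 2.64 after the feedback loop, even with the remaining budget spent, which is the management decision point the text describes.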

Source : http://www.gammassl.co.uk/inforisk/riskpart4.html

Monday, October 15, 2007

Sample Security Policies

HSPD-12 Privacy Policy - http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06_att.doc
Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”
Information Security Policies - http://www.upenn.edu/computing/policy/
Electronic resource usage and security policies from the University of Pennsylvania.
Information Security Policies - http://www.sans.org/resources/policies/
SANS consensus research project offering around 30 editable information security policies.
Information Security Policies - http://www.auckland.ac.nz/security/PoliciesandStatutes.htm
Set of acceptable use and technical policies from the University of Auckland covering common information security issues.
ISO 27001 Policies - http://www.27001-online.com/secpols.htm
Typical headings for a security policy aligned broadly with the ISO/IEC standard for information security management systems.
Network Security Policy - http://www.utoronto.ca/security/documentation/policies/policy_5.htm
Example security policy for a data network from the University of Toronto.
Information Security Policies - http://csrc.nist.gov/fasp/jump.html
NIST's extensive collection of well over 100 security policies and related awareness materials, mostly from US Government bodies.
Information Security Policy - http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html
An information security policy from the University of Illinois.
Email Policy - http://www.cli.org/emailpolicy/top.html
A menu of clauses suitable for email acceptable use policies.
Security Policy Primer - http://www.sans.org/resources/policies/Policy_Primer.pdf
General advice for those new to writing information security policies.
IT Security Policy - http://www.murdoch.edu.au/admin/policies/itsecurity/policy.html
Information technology security policy at Murdoch University, complete with supporting standards and guidelines.
Modem Policy - http://www.sandstorm.net/products/phonesweep/modempolicy.php
Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone.
Information Security Policies - http://www.epolicyinstitute.com
Policies on information security and other topics from ePolicy Institute.
K-20 Network Acceptable Use Policy - http://www.k12.wa.us/K-20/AUPSchBoardNetworkUse.aspx
Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State.
Network Security Policy Guide - http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf
Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.
Audit Policy - http://www.sans.org/newlook/resources/policies/Audit_Policy.pdf
Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.
IP Network Security Policy - http://www.securityfocus.com/infocus/1497
Example security policy to demonstrate policy writing techniques introduced in three earlier articles.
Email Retention Policy - http://www.sans.org/resources/policies/email_retention.doc
Sample policy to help employees determine which emails should be retained and for how long.
Internet DMZ Equipment Policy - http://www.sans.org/newlook/resources/policies/Internet_DMZ_Equipment_Policy.pdf
Sample policy defining the minimum requirement for all equipment located outside the corporate firewall.
Information Sensitivity Policy - http://www.sans.org/newlook/resources/policies/Information_Sensitivity_Policy.pdf
Sample policy defining the assignment of sensitivity levels to information.
Password Policy - http://www.sans.org/resources/policies/Password_Policy.doc
Defines standards for creating, protecting and changing strong passwords. [MS Word]
Internet Acceptable Use Policy - http://www.ruskwig.com/docs/internet_policy.pdf
One page Acceptable Use Policy example.
Acceptable Use Policy - http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc
Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]
Information Security Policies - http://www.lazarusalliance.com/horsewiki/index.php/Documents
Collection of policies relating to SOX, GLBA, HIPAA and the ISO/IEC 27000-series on the HORSE (Holistic Operational Readiness Security Evaluation) wiki.
Information Security Policies - http://www.tess-llc.com/TESS-DOR-EXAMPLES.htm
Templates for information security policies, guidelines, checklists and procedures by Walt Kobus.
Risk Assessment Policy - http://www.sans.org/resources/policies/Risk_Assessment_Policy.doc
Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word]
Information Security Policies - http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf
111-page security policy manual from the Australian New South Wales Department of Commerce, based on ISO 27001.
Personnel Security Policy - http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf
Example policy covering pre-employment screening, security policy training etc.
Information Security Policies - http://www.apwu.org/dept/ind-rel/USPS_hbks/AS-Series/AS-805%20Information%20Security%209-05%20(1.21%20MB).pdf
US Postal Service's information security policy manual. 264 pages of security controls, broadly similar in structure to ISO 17799.
Analog/ISDN Line Policy - http://www.sans.org/resources/policies/Analog_Line_Policy.doc
Defines policy for analog/ISDN lines used for FAXing and data connections.
Anti-Virus Policy - http://www.sans.org/resources/policies/Lab_Anti-Virus_Policy.doc
Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]
Acquisition Assessment Policy - http://www.sans.org/resources/policies/Aquisition_Assessment_Policy.doc
Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]
Dial-in Access Policy - http://www.sans.org/resources/policies/Dial-in_Access_Policy.doc
Policy regarding the use of dial-in connections to corporate networks. [MS Word]
Ethics Policy - http://www.sans.org/resources/policies/Ethics_Policy.doc
Sample policy intended to 'establish a culture of openness, trust and integrity'.
Extranet Policy - http://www.sans.org/resources/policies/Extranet_Policy.doc
Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word]
Privacy Policy - http://www.cbe.uidaho.edu/wegman/404/PRIVACY%20POLICY%20IVI%20Generic.htm
Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area.
Cryptography Policy - http://www.tess-llc.com/Cryptography%20PolicyV4.pdf
Cryptographic policy template by Walt Kobus.
Communications Policy - http://www.tess-llc.com/Communications%20PolicyV4.pdf
Data communications security policy template by Walt Kobus defining network security control requirements.
Physical Security Policy - http://www.tess-llc.com/Physical%20Security%20PolicyV4.pdf
Policy template by Walt Kobus defines requirements for physical access control to sensitive facilities and use of ID badges.
Data Classification Policy - http://www.tess-llc.com/Data%20Classification%20PolicyV4.pdf
Policy template by Walt Kobus describes the classification of information according to sensitivity (primarily confidentiality).
User Data Protection Policy - http://www.tess-llc.com/User%20Data%20Protection%20PolicyV4.pdf
Policy template by Walt Kobus defines requirements for access controls, least privilege, integrity etc. to secure personal data.
Information Data Ownership Policy - http://www.tess-llc.com/Information%20Data-Ownership%20PolicyV4.pdf
Policy template by Walt Kobus defines the roles and responsibilities of owners, custodians and users of information systems.
Resource Utilization Policy - http://www.tess-llc.com/Resource%20Utilization%20PolicyV4.pdf
Policy template by Walt Kobus defining requirements for resilience, redundancy and fault tolerance in information systems.
Security Audit Policy - http://www.tess-llc.com/Security%20Audit%20PolicyV4.pdf
Audit policy template by Walt Kobus.
Security Management Policy - http://www.tess-llc.com/Security%20Mngt%20PolicyV4.pdf
General information security policy template by Walt Kobus.
Router Security Policy - http://www.sans.org/resources/policies/Router_Security_Policy.doc
Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word]
Remote Access Policy - http://www.sans.org/resources/policies/Remote_Access_Policy.doc
Defines standards for connecting to a corporate network from any host. [MS Word]
IT Security Policy - http://www.enterprise-ireland.com/ebusinesssite/guides/internal_security/internal_security_index.asp
IT security policy example/how-to guide from Enterprise Ireland.
Database Password Policy - http://www.sans.org/resources/policies/DB_Credentials_Policy.doc
Defines requirements for securely storing and retrieving database usernames and passwords. [MS Word]
DMZ Security Policy - http://www.sans.org/resources/policies/DMZ_Lab_Security_Policy.doc
Sample policy establishing security requirements of equipment to be deployed in the corporate De-Militarized Zone. [MS Word]
Government Security Policy - http://www.security.govt.nz/sigs/sigs.zip
The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. [ZIP file containing PDF and MS Word versions]
Identification and Authentication Policy - http://www.tess-llc.com/Identification%20&%20Authentication%20PolicyV4.pdf
I&A policy template by Walt Kobus defines requirements for access control.
Certification and Accreditation Policy - http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf
Policy template by Walt Kobus defines requirements and responsibilities for security assurance throughout the system development process.
Laboratory Security Policy - http://www.sans.org/resources/policies/Internal_Lab_Security_Policy.doc
Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word]
Encryption Policy - http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.doc
Defines encryption algorithms that are suitable for use within the organization. [MS Word]
Password Policy - http://ww2.umflint.edu/its/helpdesk/security/passwords/passwords.pdf
A password policy presented in the form of a security awareness poster. "Passwords are like underwear ..."
Telecommuting/Teleworking Policy - http://www.womans-work.com/teleworking_policy.htm
Sample policy on teleworking covering employment as well as information security issues.
Information Security Policies - http://www.attackprevention.com/Policies_and_Procedures/Sample_Policies
Collection of information security policy samples covering PKI, antivirus, ethics, email and several other topics, from AttackPrevention.
Email Policy - http://www.cusys.edu/~policies/General/email.html
Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail.
Server Security Policy - http://www.sans.org/newlook/resources/policies/Server_Security_Policy.pdf
Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.
Application Service Provider Policy - http://www.sans.org/newlook/resources/policies/Application_Service_Providers.pdf
Security criteria for an ASP.
Virtual Private Network Policy - http://www.sans.org/newlook/resources/policies/Virtual_Private_Network.pdf
Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.
Email Forwarding Policy - http://www.sans.org/newlook/resources/policies/Automatically_Forwarded_Email_Policy.pdf
Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.
Third Party Connection Agreement - http://www.sans.org/newlook/resources/policies/Third_Party_Agreement.pdf
Sample agreement for establishing a connection to an external party.
Wireless Communication Policy - http://www.sans.org/newlook/resources/policies/Wireless_Communication_Policy.pdf
Sample policy concerning the use of unsecured wireless communications technology.

Source : directory.google.com