Information Security Policies & Procedures


A Practitioner's Reference, Second Edition

Thomas R. Peltier


A CRC Press Company
Boca Raton London New York Washington, D.C.


About the Author
Thomas R. Peltier (CISM, CISSP) is in his fifth decade of computer technology. During
this time he has shared his experiences with fellow professionals and, because of this
work, has been awarded the 1993 Computer Security Institute’s (CSI) Lifetime
Achievement Award. In 1999, the Information Systems Security Association (ISSA)
bestowed its Individual Contribution to the Profession Award; and in 2001, Tom was
inducted into the ISSA Hall of Fame. He was also awarded the CSI Lifetime Emeritus
Membership Award. Currently, he is the President of Peltier and Associates, an
information security training and consulting firm. Prior to this he was Director of Policies
and Administration for the Netigy Corporation’s Global Security Practice. Tom was the
National Director for Consulting Services for Cyber-Safe Corporation, and the Corporate
Information Protection Coordinator for Detroit Edison. The security program at Detroit
Edison was recognized for excellence in the field of computer and information security
by winning the Computer Security Institute’s Information Security Program of the Year
for 1996. Tom previously was the Information Security Specialist for the General Motors
Corporation, where he was responsible for implementing an information security
program for GM’s worldwide activities.
Over the past decade, Tom has averaged four published articles a year on various
computer and information security issues, including developing policies and procedures,
disaster recovery planning, copyright compliance, virus management, and security
controls. He has had four books published: Policies, Standards, Guidelines and
Procedures: Information Security Risk Analysis; Information System Security Policies
and Procedures: A Practitioners' Reference; The Complete Manual of Policies and
Procedures for Data Security; and How to Manage a Network Vulnerability Assessment.
He is the co-editor and contributing author for the CISSP Prep for Success Handbook,
and a contributing author for the Computer Security Handbook, Third and Fifth Editions,
and Data Security Management. Tom, along with his son Justin and partner John
Blackley, is currently co-authoring the book Information Security Fundamentals.
He has been the technical advisor on a number of security films from Commonwealth
Films. Tom is the past chairman of the Computer Security Institute (CSI) Advisory
Council, the chairman of the 18th Annual CSI Conference, founder and past-president of
the Southeast Michigan Computer Security Special Interest Group, and a former member
of the board of directors for (ISC)2, the security professional certification organization.
Tom conducts numerous seminars and workshops on various security topics and has led
seminars for CSI, Crisis Management, the American Institute of Banking, the American
Institute of Certified Public Accountants, the Institute of Internal Auditors, ISACA, and
Sungard Planning Solutions. He was also an instructor at the graduate level for Eastern
Michigan University.

Acknowledgments

As a child I knew that I wanted to make my life's work one of writing policies and doing
risk analysis. Actually, I wanted to be a cowboy; but being a kid from Detroit, I had to
settle for other things. As I was completing my undergraduate work at the University of
Detroit, my boss Larry Degg came and asked me if I could help. Our organization was in
the midst of a massive audit and we had few policies and procedures. For the next nine
years, Larry helped me refine the skills needed to understand how policies and
procedures worked in the business environment.
My second number-one is my wife Lisa Bryson. We are both information security
professionals, and it is her ability to take my big-picture ideas and help me flesh out the
concepts. We have worked as a team for the past nine years and have developed some
truly remarkable concepts.
Next on my list of acknowledgments is my mentor and friend, John O’Leary, the
Director of the Computer Security Institute’s Education Resource Center. John and his
wonderful wife Jane have sat with me through many a dinner, listened to my problems,
and then offered the wisdom that comes from people who care.
My working buddies must also be acknowledged. My son Justin is the greatest asset
any father—and more importantly, any information security team—could ever hope for.
Over the past two years, we have logged nearly 150,000 air miles together, and each day
we learn something new from each other.
The other working buddy is John Blackley, the strange Scotsman who makes our life
more fun and interesting.
Who can leave out their publisher? Certainly not me! Rich O'Hanley has taken the
time to discuss security issues with numerous organizations to understand what their
needs are and then presented these findings to us. A great deal of our work here is a
direct result of what Rich discovered that the industry wanted. Rich O'Hanley is not only
the world's best editor and task master, but a good friend and source of knowledge.
Thanks, Rich!
And finally, I extend a thank you to our editors, Claire Miller and Andrea Demby.
They take the time to take the raw manuscript and put it into a logically flowing work.
Sometimes they have to ask me the same question more than once, but finally I get what
needs to be done.

Introduction

Policies, standards, and procedures are a key element in the business process. The
implementation of these documents should never be undertaken to satisfy some perceived
audit or security requirement. Such requirements do not exist on their own. There are only
business objectives or mission requirements. This book is dedicated to the concept that
policies, standards, and procedures support the efficient running of an organization. We
examine how policies support management's directions. Standards and procedures are
the elements that implement the management policies.
It is easy now to go out to the Internet and pull down some other organization's policies
and the like. However, this book cautions against that approach. We examine how best to
use available examples of policies, standards, and procedures. We also put into
perspective the influx of national and international standards and how best to use them to
meet your organization's needs.
Keeping the process simple is the objective of clear and concise writing. We approach
writing policies, standards, and procedures as a project with a clearly defined objective,
deadlines, and a communications plan.
Perhaps the most important element of this book is how information security is
integrated into all aspects of the business process. Every organization needs to address at
least 12 enterprisewide (Tier 1) policies. We examine each of these policies and then map
information security requirements into each one. We also discuss the need for topic-specific
(Tier 2) policies and application-specific (Tier 3) policies and how they map to
standards and procedures.
Although this text is identified as information security policies, standards, and
procedures, the skill set discussed can be used throughout the enterprise. We concentrate
on information security needs, but we always keep the organization objectives at the

Table of Contents
Acknowledgments x
About the Author xi
Introduction xii
Chapter 1 Introduction 2
Chapter 2 Why Manage This Process as a Project? 15
Chapter 3 Planning and Preparation 29
Chapter 4 Developing Policies 43
Chapter 5 Asset Classification Policy 74
Chapter 6 Developing Standards 105
Chapter 7 Developing Procedures 126
Chapter 8 Creating a Table of Contents 148
Chapter 9 Understanding How to Sell Policies, Standards, and Procedures 161
Appendix 1A Typical Tier 1 Policies 178
Appendix 1B Typical Tier 2 Policies 198
Appendix 1C Sample Standards Manual 219
Appendix 1D Sample Information Security Manual 241
Chapter 10 Introduction to Information Security 257
Chapter 11 Fundamentals of Information Security 261
Chapter 12 Employee Responsibilities 266
Chapter 13 Information Classification 269
Chapter 14 Information Handling 273
Chapter 15 Tools of Information Security 276
Chapter 16 Information Processing 279
Chapter 17 Information Security Program Administration 286
Chapter 18 Baseline Organization Information Security Program 289
Appendix 2A 317
Index 327


Product details
371 pages
File size: 2,075 KB
File type: PDF
ISBN 0-203-48873-3 (Master e-book)
ISBN 0-203-58914-9 (Adobe e-Reader format)
Copyright 2004 by CRC Press LLC
