Information Security Policies Made Easy 8th Ed.

A Comprehensive Set of Information Security Policies

Charles Cresson Wood

Publisher: Pentasafe, 2001, 740 pages

ISBN: 1-881585-07-7

Keywords: Information Security

Last modified: Aug. 6, 2021, 2:23 p.m.

Information Security Policies Made Easy, Version 8 is the updated version of the best-selling policy resource by Charles Cresson Wood, CISSP, CISA, CISM. Based on the 20-year consulting and security experience of Mr. Wood, ISPME is the most complete policy resource available.

  1. Introduction
  2. Instructions
    1. What Are Information System Security Policies?
      1. Distinct From Guidelines And Standards
      2. Distinct From Procedures And Controls
    2. Why Are Policies Important?
      1. Assuring The Proper Implementation Of Controls
      2. Guiding The Product Selection/Development Process
      3. Demonstrating Management Support
      4. Avoiding Liability
      5. Protecting Trade Secrets
      6. Adapting To A Dynamic Communications Environment
      7. Achieving Consistent And Complete Security
      8. Coordinating Activities Of Internal And External Groups
    3. How Should Policies Be Developed?
      1. Gathering Key Reference Materials
      2. Defining A Framework for Policies
      3. Preparing A Coverage Matrix
      4. Making Critical Systems Design Decisions
      5. Structuring Review, Approval, And Enforcement Processes
      6. Automating Policy Enforcement Via Policy Servers
    4. When Should Policies Be Developed?
    5. Length of Policies Documents
      1. Determining An Appropriate Number of Policies
      2. Determining How Long Each Policy Should Be
      3. Iterative Development Process
      4. Table of Contents for Typical Policy Document
      5. Which Topics to Address First
    6. How Can These Policies Best Be Used?
      1. Intended Target Audience
      2. Policy Customization Specifics
      3. Using Key Word Search Facilities
    7. How Are These Policies Organized?
    8. How Should One Select The Objectives And Scope of Policies?
      1. Motivating Objectives
      2. Operational Objectives
      3. Scope
      4. Handling Non-Compliance
    9. Disclaimers
      1. Need For Customization
      2. Balancing Tradeoffs
      3. References To Commercial Products
      4. Need For Competent Advice
  3. Specific Policies
    1. Logical Security
      1. Software Security
        1. System Access Control
          1. Password Management
            1. Password And User-ID Construction
            2. Design Of Password System User Interface
            3. Password System Internals Design
            4. Password Related User Responsibilities
            5. Password Related Administrator Responsibilities
          2. Log-In Process
        2. Privilege Control
          1. Use of Systems
          2. Information Driven Access Control
          3. User Separation
          4. Special Privileges
          5. Other Privilege Restrictions
          6. Administrative Activities
        3. Logging
          1. Information To Include In Logs
          2. Handling Of Logs
      2. Software Development And Change Control
        1. Computer Viruses And Worms
        2. Development Process
          1. Development Tools And Techniques
          2. Development Privileges And Relationships
        3. Change Control Process
        4. Third Party Involvement
        5. Computer Operations
      3. Data Security
        1. Intellectual Property Rights
          1. Assignment of Intellectual Property Rights
          2. Protection of Intellectual Property Rights
        2. Data Privacy
        3. Data Confidentiality
          1. Overall Data Confidentiality Policies
          2. Data Classification Categories
          3. Data Classification Marking
          4. Classification System Implementation
            1. Copying And Printing
            2. Shipping and Manual Handling
            3. Transmission By Fax And Phone
            4. Movement of Confidential Information
            5. Storage, Retention, And Declassification
            6. Disposal And Destruction
          5. Granting Access To Confidential Data
          6. Right To Know
          7. Handling Confidential Data In Meetings
          8. Miscellaneous Confidentiality Policies
        4. Data Criticality
          1. Systems Design
          2. Contingency Planning
          3. Backup And Archival Storage
          4. Retention Periods And Disposal of Data
        5. Data Integrity
          1. Awareness of Integrity Status
          2. Integrity Of Information Sources
          3. Modification Controls
          4. Consistent Representation Of Data
          5. Censorship Of Data
      4. Communications Security
        1. Establishment Of Access Paths And System
          1. Flow Control Systems Including Firewalls
          2. Making Network Connections
          3. Forming Contracts Over Networks
        2. Encryption
          1. When To Use Encryption
          2. Encryption Key Management
          3. Miscellaneous Encryption Matters
        3. Dial-Up Computer Communications
        4. Down-Loaded Data
        5. Telephone Systems
        6. Electronic Mail Systems
        7. Telecommuting Arrangements
        8. Internet Connections
          1. Access Control For Internet Connections
          2. Internet Representations And Identity Validation
          3. Internet Content Management
          4. Electronic Commerce And The Internet
          5. Sending & Receiving Internet Information
          6. Using Information From The Internet
          7. Internet Web Page Management
        9. Intranet Connections
        10. Electronic Payment Systems
    2. Managerial Security
      1. Administrative Security
        1. Training And Awareness
        2. Reporting Of Security Problems
        3. Control Selection
          1. Controls And Systems Design
          2. Controls And Business Considerations
        4. Outsourcing And Third Party Contracts
      2. Human Resource Matters
        1. Discipline And Termination
        2. Reliance On People
        3. Background Checks
        4. Miscellaneous Personnel Matters
      3. Organizational Structure
        1. Responsibility For Information Security
          1. Management Role
          2. Information Security Department Role
          3. Other Information Security Roles
          4. Owner, Custodian And User Responsibilities
    3. Physical Security
      1. Physical Access Security
        1. Building Access Control
          1. Locks And Barriers
          2. Building Access Records
          3. Handling Visitors
        2. Restricted Access To Computer Facilities
      2. Computer Location And Facility Construction
  4. Sample High-Level Information Security Policy
  5. Sample Detailed Information Security Policy
  6. Sample Telecommuting & Mobile Computer Security Policy
  7. Sample External Communications Security Policy
  8. Sample Microcomputer Security Policy
  9. Sample Electronic Mail Security Policy
  10. Sample Computer Network Security Policy
  11. Sample Internet Security Policy
  12. Sample Intranet Security Policy
  13. Sample Privacy Policy (Stringent)
  14. Sample Privacy Policy (Lenient)
  15. Sample Web Privacy Policy
  16. Sample Data Classification System Policy
  17. Sample Data Classification System Quick Reference Matrix
  18. Sample External Party Information Disclosure Policy
  19. Sample Information Ownership Policy
  20. Sample Firewall Policy
  21. External Network Interface Security Policy Harmonization
  • Appendices
    1. Abbreviated List of Information Security Policy References
    2. List of Information Security Periodicals
    3. List of Information Security Professional Associations
    4. List of Suggested Awareness Raising Methods
    5. Checklist of Steps In Policy Development Process
    6. Overview of Policy Development Process Tasks (Diagram)
    7. Suggested Next Steps Now That Policies Are Written
    8. Top Ten Impediments To Implementing Policies
    9. Real World Problems Since The Last Edition
    10. Index To New Policies Since The Last Edition
    11. Index To Policies By Policy Numbers
    12. Index To Policies By Policy Names
    13. Agreement To Comply With Information Security Policies
    14. Identity Token Responsibility Statement
    15. Management Risk Acceptance Memo
    16. Two Page Simple Non-Disclosure Agreement
    17. About The Author

Reviews

Information Security Policies Made Easy

Reviewed by Roland Buresund

Outstanding ********* (9 out of 10)

Last modified: May 21, 2007, 3:06 a.m.

You need a policy? There exists a 99.99% probability that you either can find it in here or you can modify something from here. I really love this book, even though it is horribly expensive.
