Are your end users, managers, customers, business partners, and information systems professionals all aware of your company’s official policies regarding the security of your information systems? If your answer is, “Our company doesn’t have any official policies regarding information security issues,” then the latest book by Charles Cresson Wood, CISA, CISSP, can help.

In 1996, Wood received the Lifetime Achievement Award from the Computer Security Institute, so you can feel confident about his IT security recommendations. His most recent book, Information Security Policies Made Easy, 8th Edition (ISBN 1-881585-0707, Pentasafe Securities Technology, May 2001, 740 pages plus CD-ROM), provides over 1,100 ready-to-use information security policies you can customize for your organization. Here’s a preview of what’s inside.

Don’t miss an issue

Subscribe to the Jeff Davis’ Help Desk TechMail and get Jeff’s picks for the best of the Web delivered to your inbox every Tuesday.

Get your policies in writing
When you purchase this book, you obtain the rights to copy, paste, and edit any of the policies for use in your organization. However, Information Security Policies Made Easy is much more than a collection of template documents. The author also suggests courses of action for writing, reviewing, approving, and enforcing your information security policies.

Suppose your company has no formal policies regarding the creation and use of passwords. Wood offers 71 distinct password policies from which to choose. Each policy contains a title, a short description, a detailed commentary about the policy, and codes indicating the target audience and the group responsible for enforcing the policy.

Write for the appropriate audience
Many IT shops make the mistake of trying to write one-size-fits-all policies. Wood recommends writing separate policy documents for specific audiences, such as end users, management, IS department staff, customers, and business partners. Because it takes more time to develop and maintain separate audience-specific documents, the author recommends creating a coverage matrix to organize your company’s information security documents.

This matrix is basically a two-dimensional table, with the audiences listed down the left and policy types listed across the right. Those policy types include categories such as computers, data communication, management, and physical security.

The policy writer—the technical writer or project manager overseeing the creation of the policies—populates the matrix by entering the number of each policy aimed at each user type. Wood offers a number of specific suggestions for managing the write-and-review process for each family of policies.

The power of the appendices
In addition to the ready-to-customize policy templates, the book features a very useful set of appendices, including the “Top Ten Impediments to Implementing Policies,” five pages of tips for raising awareness about policies, sample policies listed by number and by name, and sample nondisclosure agreements.

Information Security Policies Made Easy, 8th Edition isn’t cheap; the suggested retail price is $995. (Check out and Barnes and Noble for ordering information.) However, that’s a small investment when you consider the time it would take your internal IS professionals to create over 1,100 information security policies from scratch.

What’s your policy?

Has your company put in place all the security policies it needs? To share your comments or experiences, post your comments below or write to Jeff.