Information Security involves many different disciplines. Some are technical, some are administrative, some are managerial. A good security professional will gain and retain skills in all of these areas as he/she moves through their career. I've spent most of my career on the technical side of things with some administrative and managerial thrown in. My new job has me focused primarily on working with policy at this time. I've been updating old policies, writing new policies and looking into just how PCI is going to affect us and what we have to do in terms of policy and technology to ensure that we are compliant. This is not an easy process, especially when you are new to a company. I still am learning how various parts of the network connect and interact with other parts. I'm still learning what it is that Management wants and what we have the technology and infrastructure to support. Then there are the decisions that were made just prior to my starting with the company. Some of them were made because they fit well with the direction that the company is heading and some of them were made because they allowed us to put a check mark in a compliance box. If you have been reading my blog for very long you know how I feel about that.
Anyway, I digress. My point in this post is to talk about policy and how to write an effective one for your company. Of course I'm not the expert on this and I don't have all the answers and am still learning much. Much to my delight I ran across a site the other day that does a much better job than I can do. The site is The Trusted Toolkit Blog. They have declared July to be "Policy Month" and they are writing about how to create a security policy and even giving sample policies for you to download. I recommend that you keep your eye on this site this month because even if you never have to write a policy it will benefit you to have an understanding of how a policy is written and the steps involved in creating one. Not to mention that the focus on learning some "soft skills" will benefit you in the long run.
Security's Everyman
Saturday, July 07, 2007
Writing Policies
Posted by Andy, ITGuy at 1:56 PM
Labels: Andy ITGuy, compliance, information security, security policy, Trusted Toolkit Blog