Policy

A clear policy must be set at highest management levels and communicated in writing throughout the organization.

Information Security:

What kinds of information are to be revealed and to whom ? Conversely, What kinds of information are to be hidden and from whom ? What kinds of information are modifiable and by whom ? Are these compatible goals ? Are these achievable goals ?

Such a policy would include guidelines for

Control of Internal Information
• Information about the organization? physical location? employee names? organization chart? phone numbers ?
• system information: user databases? advertiser databases? digital fingerprint/timestamp methods? network topologies?

  Communication Policies

• voice communication:voice phone policies? voice authorizations?voice mail?
• electronic communication: email policies,spam,chatsessions,dialin/out/back?
• encryption:appropriate usage,legal and international issues

  Monitoring

• monitoring policies: how much do we track?
• malware checks: viruses,trojans,worms,logic bombs,Java,ActiveX

  Penetration Tests

• authorizations for crack attempts
• results: disseminate or not ?
• in house or out of house

  Backup

• data backup: paper and electronic,onsite and off, retention policies

Physical Security:

• entry and access
• power: integrity and filtering of powerlines, backup power
• telecom: integrity of phonelines, SLAs, backup services, multiple providers
• onsite and offsite online hot backup services

Frequent review must determine if the policy is workable/working The next step is an inventory of assets,access and risk.