Information Security Policy Manual (With CD-ROM) [CD-ROM]

Edmond D. Jones (Author)
3.0 out of 5 stars (5 customer reviews)

Price: $89.00

Book Description

February 23, 2001
Protecting the information that resides on an organization's computer system is as important as protecting the assets within the facility and in some cases more important. The first step in protecting this information is the establishment of corporate policy to control access to the computers and the data.

  • Comprehensive Information Security Policies
  • Easily modified to fit your organization's needs and objectives.
  • Broad range of policies for all types of computer systems and databases.
  • Cover a broad range of topics including:
      • Encryption
      • Data Ownership
      • Physical Security
      • Inventories
      • Off-Site Storage
      • And More...


Editorial Reviews

About the Author

EDMOND D. JONES is certified as a Master Business Continuity Planner (MBCP) by the Disaster Recovery Institute, International. His involvement with continuity planning began in 1964 and continued throughout his 20-year military career. This experience included planning for various types of organizations, including data processing organizations. Working in the commercial sector since 1985, he has assisted hundreds of businesses in the United States and Canada in defining and establishing their business continuity programs and plans. Mr. Jones has been an instructor for the Disaster Recovery Institute, International; assisted in development of the Institute's Professional Practices; and was responsible for designing the review course for candidates preparing for the MBCP examination. In addition, Mr. Jones was one of the first members of the Disaster Recovery Institute to be elected to serve on the Institute's Certification Board. Mr. Jones has had articles published in the Disaster Recovery Journal and has been an expert source for articles in ComputerWorld and the Law Office Administrator.

Excerpt. © Reprinted by permission. All rights reserved.

(IP001001) Emergency Logon Identification

In order to maintain production schedules it is sometimes necessary for personnel to perform maintenance on data within the system to which they are not authorized access by the Application or Data Owner. To achieve this objective, [Information Security] will set up and maintain an emergency identification for all platforms. The passwords for these identifications will only be provided when an emergency situation has arisen and upon the specific request of an individual authorized to use the emergency logon identification. Once used, the password associated with the emergency identification will be changed by [Information Security] on the next business day.

To control access to the emergency identification and provide accountability, a list of personnel authorized to obtain the emergency identification and password will be maintained by [Information Security]. The initial list and all changes to this list will be approved by the [Title: CIO or Direction Information Services].

The emergency logon identification is to be used in emergency situations only by those personnel designated on the list maintained for this purpose by [Information Security]. Use of the emergency logon identification is limited to the resolution of data and operating system problems that are having an adverse impact upon production and to accomplishing scheduled system updates.

All uses of the emergency logon identification will be reported to the [Title: CIO or Direction Information Services].

Policy Superseded:
Responsible Department:
Effective Date:
[Signature President/Chief Executive Officer]

- - - - - - - - - -

(IP003001) Virus Protection

One of the major threats to our computer systems is an assault by a virus program. The most common ways these programs can be introduced into our systems are by the downloading of files from the internet or other external computers, connections to the internet or other external computers, and loading files to our systems from diskettes which we receive from other companies or bring from home.

To reduce this threat to our systems, Anti-Virus software is installed on all desktop computers and LAN file servers. Firewalls are also installed to protect these systems from outside connections. This software should become operational when the system is booted and should remain operational at all times while the system is operating in order to check files for the presence of virus programs before they are filed on the system.

To further reduce the threat, diskettes are not authorized for use in any [Your Company Name] computer unless they have been scanned prior to use by the Anti-Virus software. This includes diskettes that are brought into the office from home.

Keeping Anti-Virus Software Current

Periodically, associates using personal computers will be notified that an update to the Anti-Virus software is available. This update should be downloaded and installed on the associate's personal computer when the message is received.

Checking External Diskettes and Other Portable Storage Media

[Information Systems] will establish procedures to scan all diskettes and other portable storage media received in the course of business by all [Your Company Name] departments. These procedures will be applicable at all company facilities.

Virus Discovered on a Computer

If a virus program is detected on a [Your Company Name] computer, the discovery shall be treated as a security violation and be reported to [Information Security] immediately. [Information Security] will take appropriate action to have the virus removed, determine what damage the virus may have caused, determine other systems that may have been infected, and attempt to determine how the virus was introduced to the system.

Policy Superseded:
Responsible Department:
Effective Date:
[Signature President/Chief Executive Officer]


Product Details

  • CD-ROM: 63 pages
  • Publisher: Rothstein Associates; 2001, Bd&Cd edition (February 23, 2001)
  • Language: English
  • ISBN-10: 1931332096
  • ISBN-13: 978-1931332095
  • Product Dimensions: 11.4 x 10.4 x 0.9 inches
  • Shipping Weight: 1.1 pounds
  • Average Customer Review: 3.0 out of 5 stars (5 customer reviews)
  • Amazon Best Sellers Rank: #3,235,247 in Books

 

Customer Reviews

5 Reviews
5 star: (1)
4 star: (2)
3 star: (0)
2 star: (0)
1 star: (2)
 
 
 
 
 
Most Helpful Customer Reviews

17 of 19 people found the following review helpful:
5.0 out of 5 stars Valuable Resource - well thought out and clearly written, April 13, 2001
This review is from: Information Security Policy Manual (With CD-ROM) (CD-ROM)
This book is probably the most valuable resource in my professional library. My only regret is that I did not have it a year ago because it could have saved a substantial amount of money on two consulting assignments. The first assignment was developing policies, processes and procedures for managing a CLEC's (competitive local exchange carrier) data center facilities. Much of my research was focused on a number of topics in this book. I could have literally shaved 80 hours off of the research and policy development tasks had this book been available. The value? Based on my hourly billing rate to the client, which is a multiple of the price of this book, the savings would have been significant. The second assignment was developing recovery processes for a national wireless carrier. In this case I could have saved over 200 hours of research and writing had this book been handy.

Some of the policies in this book are somewhat out of date, such as system sign-on screens and printing and distribution of reports. While we still sign onto systems these days, the policy for that area seems more applicable to terminals. And while there is still a lot of printing done in this so-called paperless world, it is done on an ad hoc basis and not centrally managed. On the other hand, a simple rewrite aligns even the most archaic policy statements into ones that will meet modern needs.

Among the best policy statements in this book (and on accompanying CD-ROM, which saves even more time) are: application ownership (this can also be linked to service level agreements), computer room access (too often overlooked by security staff trying to shore up their Internet exposures), off site storage (when was the last time you saw a formal policy on that?), data ownership, and record retention/disposal (this is one that will send you on a frantic search through legal databases). Each of these policy statements is well thought out and clearly written.

I personally think that, page for page, this book is one of the best values you will find if you need to develop an internal corporate security policy, or you are a consultant doing this for a living. The fact that it also comes with a CD ROM and documents in electronic format makes this an even better value. I strongly recommend it and will never be without it.



3 of 4 people found the following review helpful:
4.0 out of 5 stars A Major Time Saver, November 5, 2002
By S. Saad (Royal Oak, Michigan, United States)
Finally a book that delivers exactly what it promises. To put together the initial set of policies for management consideration, I was able to just modify the sample policies to fit our organization. Really a major time saver.

Would be better if they were updated to more accurately address server farms but these changes can be made quickly.



4.0 out of 5 stars IT Security Policies, June 20, 2008
Great source for IT Security Policies! Walks you through the basic steps of developing specific policies. Perfect for small and medium size businesses and a good stepping stone and guide for larger businesses.
