Information Security Policies Made Easy, Version 10 (Hardcover)

by Charles Cresson Wood (Author), Information Shield (Editor) "Information security policies are a special type of documented business rule..."
Key Phrases: Four-Category Data Classification, Faxing Sensitive Information, Five-Category Application Criticality Classification Scheme
4.8 out of 5 stars (4 customer reviews)

List Price: $795.00
Price: $795.00

Frequently Bought Together

Information Security Policies Made Easy, Version 10 + Information Security Roles & Responsibilities Made Easy, Version 2 + Security Metrics: Replacing Fear, Uncertainty, and Doubt
Price For All Three: $1,321.49

Customers Who Bought This Item Also Bought

  • Security Metrics: Replacing Fear, Uncertainty, and Doubt, by Andrew Jaquith. 4.6 out of 5 stars (20), $31.49
  • Writing Information Security Policies (Landmark), by Scott Barman. 4.5 out of 5 stars (11), $34.99
  • CISSP Certification All-in-One Exam Guide, Fourth Edition, by Shon Harris. 4.2 out of 5 stars (31), $50.39
  • Managing an Information Security and Privacy Awareness and Training Program, by Rebecca Herold. 4.8 out of 5 stars (6), $56.66
  • Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education), by Ben Rothke. 4.7 out of 5 stars (21), $7.87

Editorial Reviews

Product Description
Information Security Policies Made Easy, Version 10 is the new and updated version of the best-selling policy resource by Charles Cresson Wood, CISSP, CISA, CISM. Based on the 20-year consulting and security experience of Mr. Wood, ISPME is the most complete policy resource available. ISPME Version 10 has everything you need to build a due-care security policy environment, including:

1. A complete policy library with over 1350 individual pre-written security policies, including:
  • Coverage of the latest technical, legal and regulatory issues.
  • ISO 17799 outline format, allowing for easy gap-analysis against existing standards and security frameworks.
  • Expert commentary discussing the risks mitigated by each policy.
  • Target audience (management, technical, or user) and security environment (low, medium, high) for each policy.
  • Policy coverage maps for Sarbanes-Oxley (COBIT) and HIPAA security.

2. Eighteen complete pre-written security policy documents that every company should have, updated and ready to use as is or with easy customization, including:
  • User-targeted policies such as: Electronic Mail Policy, Internet Security Policy for End Users and Web Privacy Policy.
  • Organization-wide policies such as: High-Level Security Policy, Privacy Policy, Information Ownership Policy.
  • Technology-based policies such as: Firewall Policy, Data Classification Policy and Network Security Policy.
  • Sample risk acceptance memo for the approval of out-of-compliance situations, a sample non-disclosure agreement, and a user policy acceptance agreement.

3. Expert advice on the policy development and review process, including:
  • A step-by-step checklist of policy development tasks to quickly start a policy development project.
  • Helpful tips and tricks for getting management buy-in for information security policies and education.
  • Tips and techniques for raising security policy awareness.
  • Real-world examples of problems caused by missing or poor security policies.
  • Policy development resources such as Information Security Periodicals, professional associations and related security organizations.

4. All content available on an easy-to-use CD-ROM with an indexed and searchable HTML interface for easy location, featuring:
  • Policies available in HTML, PDF, MS-Word format.
  • Easy cut-and-paste into existing corporate documents.
  • Extensive cross-references between policies that help the user quickly understand alternative solutions and complementary controls.

ISPME V10 policies cover these important security topics:
  • Access Control
  • Data Classification and Control
  • Risk Assessments
  • Password and user ID management
  • Logging Controls
  • Encryption and Digital Signatures
  • Instant messaging, PDAs and smart phones
  • Personnel Security including Security Awareness and Training
  • Data Privacy Management for employees and customers
  • Corporate governance, including Sarbanes-Oxley
  • Electronic mail, viruses, malicious code protection, and social engineering attacks, including phishing scams
  • Preventing and responding to identity theft
  • Network security including wireless and Voice Over Internet Protocol (VOIP)
  • Security, configuration, and management of firewalls
  • Communication Security including telephones and FAX machines
  • Web site and e-commerce security
  • Security in 3rd party contracts, including outsourcing and off-shoring of IT projects
  • Document destruction, as well as retention of documents that may be used in court cases
  • Incident Response and Contingency planning
  • Telecommuting and mobile computing
  • Honeypots and intrusion detection systems
  • Effective software patch management including Open Source software
  • And many others!

Information Security Policies Made Easy, Version 10.0 policies are organized around the ISO/IEC 17799 Security Standard. An excellent resource; purchase a copy and register your product to receive additional updates from Information Shield.

About the Author
Charles Cresson Wood, CISA, CISSP, is an author and independent information security consultant based in Sausalito, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a large number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world. He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear and action-oriented documents. He has published over 225 technical articles and five books in the information security field. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe. Mr. Wood is Senior North American Editor for the journals "Computers & Security" and "Computer Fraud & Security Bulletin", as well as a monthly columnist for "Computer Security Alert".
He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has passed the Certified Public Accountant (CPA) examination and is both a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."

Product Details

  • Hardcover: 739 pages
  • Publisher: Information Shield (February 1, 2008)
  • Language: English
  • ISBN-10: 1881585131
  • ISBN-13: 978-1881585138
  • Product Dimensions: 11.1 x 8.5 x 1.8 inches
  • Shipping Weight: 4.6 pounds
  • Average Customer Review: 4.8 out of 5 stars (4 customer reviews)
  • Amazon.com Sales Rank: #760,722 in Books

Customer Reviews

4 Reviews
5 star: (3)
4 star: (1)
3 star: (0)
2 star: (0)
1 star: (0)

Average Customer Review
4.8 out of 5 stars (4 customer reviews)

Most Helpful Customer Reviews

14 of 14 people found the following review helpful:
5.0 out of 5 stars New version of a vital information security reference, August 16, 2005
In technology, books are often obsolete shortly after publication. Given the dynamic nature of technology, very few technology books can stand the test of time and remain relevant for a few years, let alone a decade after their original printing. Some of those rare titles that seem timeless include Applied Cryptography by Bruce Schneier, Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson, and the book I'll review here, Information Security Policies Made Easy, Version 10. Information Security Policies Made Easy (ISPME) is one of the most important information security books available for those who are serious about creating a comprehensive set of information systems security policies.

The importance of effective information security policies cannot be overemphasized, as they are the foundation toward implementing information security and ensuring the security of the people, systems, and networks within an organization. If an organization lacks security policies, they cannot inform employees and users of their specific security responsibilities. Policies define acceptable system use and user behavior, and those policies must be in place before they can be enforced.

Version 10 of ISPME contains more than 1350 pre-written security policies that can be used as a framework for the creation of a comprehensive set of information security policies. The book comes with a CD-ROM that includes every policy. The beauty of ISPME is that it removes the huge burden and time required to create a global set of security policies. With ISPME, you can immediately begin exploring the myriad policies required for information security.

One of the biggest mistakes you could make, however, when using ISPME, is to implement a policy too quickly, without deciding specifically how those policies will be selected, developed, deployed, maintained, and enforced. With that, Chapter 2 provides an orientation to the information security policy writing and development process. The book states that while it may be tempting to immediately start cutting and pasting policies together, it is crucial to understand both what the policies do and what you want to accomplish with them before you begin. If that is done, the subsequent policy writing tasks will be much more efficient and focused.

At 501 pages, Chapter 3 comprises the bulk of the book and contains all of the specific policies. These policies are divided into 10 separate domains that are mapped to the ISO-17799 standard. This organization scheme makes it easy to create a gap-analysis of your current policies against the ISO-17799 standard. This is helpful since many organizations are now embracing ISO-17799.

Each of the policies contains the individual policy itself and a detailed commentary on why the policy is specifically needed. Each policy also has a cross-reference to related policies and an indication of the audience (management, technical, end-user) and the security environment (low, medium, high) for which it is written.

Chapters 4 - 20 contain various high-level policies in areas such as mobile computing, data classification, email, Web security, and more. These 18 chapters are complete security policy documents that can be implemented with little customization.

The book contains 15 appendixes, which include secondary information such as awareness-raising methods, checklists, memos, and next steps to take.

The CD-ROM that is included contains the entire set of policies in HTML, Word, and PDF formats. It also includes two documents that map the policies in the book against HIPAA and Sarbanes-Oxley.

Organizations that take information security seriously will likely have used ISPME in its previous versions. But for those that have not yet taken the plunge, ISPME is a valuable tool that can be utilized to create a comprehensive set of information security policies in a cost- and time-effective manner. For those building corporate or organizational security policies, ISPME is clearly the definitive reference.


15 of 16 people found the following review helpful:
4.0 out of 5 stars Notes on ISPME version 10, January 24, 2006
Book is a very good resource on information security policies; however, I was disappointed that this book did not match ISO 17799 version 2005; it only matched the 2000 version. I would wait for the next version of the book for updated material matches for ISO 17799 v2005. The authors should have provided updates via CD ROM or download to support this necessary update to this version; they have not. You would seem to think at $795.00 a pop for the book and CDROM you would get better support on the material in the book. Also pay close attention to the license uses of the security policies.
 
10 of 10 people found the following review helpful:
5.0 out of 5 stars Even Better, August 9, 2006
By Stephen Northcutt (Kauai, HI USA)
I keep books in two places, a small shelf near my computer that I can reach and a large bookshelf across the room. This book deserves a place on the small shelf within arm's reach.

Version 10 builds on the previous work and includes ISO 17799 outline format, policy coverage maps for Sarbanes-Oxley and coverage of the latest issues (technical, legal and regulatory.) I particularly appreciate the section on policy awareness. This is one of the biggest problems you run into.


If you are a manager, before you ever make a decision, or approve a policy, look the topic up, there is a good chance you will see something you didn't think of.

Let me give you an example, our company used to have a fairly long Non-Disclosure Agreement (NDA) prepared by our attorney for a specific purpose. However, we decided to create a simpler, general purpose NDA for all 1099 contractors. The lawyer created it and before I approved it I checked it against the book. I found three items that really should have been in our NDA that we would have missed, thank you Mr. Wood!

If you are a techie, do you need this book? Sure, because everything we do as a techie or engineer has liability implications for the company. Each topic is very clear, concise, and well thought out. It takes a few seconds to look it up, about two minutes to read the section and that investment is well worth your time.

Yes, this is an expensive book; however, it is worth the investment, every organization should have at least one copy. S.
 
Most Recent Customer Reviews

5.0 out of 5 stars Make it a policy to have this book in your library
I once consulted for an organization that wanted to develop and publish from the ground up, their official "rules of behavior" policy document.
Published 17 months ago by Kenny McNees, CPA, CISSP, CISA...
