Does your company have written security policies? If not, your firm might be exposed to certain security risks. If employees don't know company security policies, they'll formulate their own—and their policies probably won't match the company's ideas of how employees should use time and resources. Poor employee decisions cost employers a lot of grief and often a lot of money.

Reading the FOCUS-MS security-related mailing list this week, I came across an interesting discussion: A list reader asked whether any security policy templates are available online. Several list readers provided links to sites that offer security policies and loosely structured policy models. The sites listed include the SANS Research Institute, Carnegie Mellon Software Engineering Institute (SEI), and Murdoch University in Australia. I found the security policy models on these sites very useful, so I want to pass these resources on to you.

SANS is a cooperative research and education organization that, in addition to many other activities, provides security-related training courses. One class deals with security policies. SANS has a set of eight policy models available online for anyone who needs such help. Models include computer usage guidelines, acceptable use statement, special security policy, special access guidelines agreement, network connection policy, escalation procedures for security incidents, incident-handling procedures, and partner connection policy. The models are available individually in HTML or Word format or collectively in one Word document. You can find the templates here.

SEI, a federally funded research and development center established in 1984 by the US Department of Defense (DoD), has published a document called "The Operationally Critical Threat, Asset, and Vulnerability Evaluation" (OCTAVE), which outlines a framework for identifying and managing security risks. The document teaches the reader how to build enterprise-wide security requirements, identify infrastructure vulnerabilities, and determine security risk management strategy. The OCTAVE document is available in HTML and Adobe Portable Document Format (PDF) at the following URL.

http://www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017abstract.html

Murdoch University's Office of Information Technology and Services published a set of documents that outline the school's security policies. According to the credits within the main document, the school used policies from Curtin University of Technology and Edith Cowan University to formulate its security policies. The main document contains links to several different policy types that can help you define your own policies, especially if your environment must cater to many users. Policies include standards and guidelines for all users, strategic systems, school-based systems, and desktop computers.

If your business doesn't have definite security policies in place, or if you want to weigh your policies against other companies' policies, be sure to review the information provided by the sites listed above; they offer valuable insight. Until next time, have a great week.