About Security Policies

2012/12/03

Perhaps this has happened to you…

I was just starting to feel like I had control over the number of tasks I needed to complete when I got the following request from our quality group: there are 9 expired IT policies that need to be reviewed, revised, and approved. A quick review showed that some require a total rewrite.


The Dreaded Expired Policy

Rather than start from scratch, I turned to the SANS security policy templates. I remember working on this years ago with SANS, and they later opened up the collection to allow the security community to contribute. The result is a nice website that provides a good starting point, with sample policies covering many security topics.

When evaluating a policy written by your predecessor, one of the first decisions to make is whether the document actually describes a policy, or rather a guideline, standard, or procedure. The key difference is that a policy defines the rules that must be met. Procedures describe HOW to perform the actual work to meet those rules, and standards and guidelines are typically best practices and suggestions.

A good example is a backup policy. The policy itself describes the backup rules: how often backups must be made and how the data must be protected. The procedure lists the steps that must be performed to trigger a backup or perform a restore from backup. If written correctly, the procedure will probably change more frequently than the policy. For example, if you convert from tape backup to disk backup, the process (procedure) for performing the backup changes, but the policy may not.

After confirming that the policy is, in fact, a policy, the next step is to determine how out of date it is and which security threats have entered the landscape since the policy was originally written. For example, a mobile device policy should probably address the threat introduced when employees use their own devices, and the rules for operating in that environment.

Compare your policy against similar policies on the SANS templates page and other online resources, such as the dmoz open directory project. While most of the free template policies online are outdated, they can still provide a starting point, allowing you to add new risks as appropriate.

May the force be with you.
