Title: IT Security Risks
Document: 1-ITSecRisk.doc
Synopsis: A summary of the typical IT security risks faced by businesses, with a description of each risk, supporting statistics and the impacts caused to the business. The matrix shows which of the main security controls, policies and procedures mitigate each risk, and to what extent.

Title: Corporate IT Security Policy
Document: 1-ITSecPol.doc
Synopsis: A 2-page template corporate security policy setting out the corporate direction on IT security, to be endorsed by a senior Director or Partner.

Title: Information Security Department Terms of Reference
Document: 2-ITSecTOR.doc
Synopsis: A 2-page template Terms of Reference for a corporate Information Security function.

Title: Information Security Forum Terms of Reference
Document: 2-ITSecForumTOR.doc
Synopsis: A 2-page template Terms of Reference for a corporate Information Security Forum or Committee, including an example forum meeting agenda.

Title: IT Security Management Policy
Document: 2-ITSecMgmtPol.doc
Synopsis: A 4-page policy covering roles and responsibilities for managing security within the business.

Title: Third Party Access Policy
Document: 2-ThirdPartyAcc.doc
Synopsis: A 2-page template policy defining the security requirements for any third party (for example a support supplier) that will be accessing corporate data, systems and networks.

Title: Outsourcing Policy
Document: 2-Outsource.doc
Synopsis: A 4-page policy covering the approach to determining the security requirements for an outsourcing contract.

Title: Data Classification and Control Policy
Document: 3-DataControl.doc
Synopsis: A 3-page policy. Data classification and control is an essential measure to help protect information from disclosure, unavailability or corruption, whether through an error by staff or compromise by an outsider.

Title: Classifications and Handling Rules
Document: 3-DataControlGuide.doc
Synopsis: Example data classification and handling rules, which should be customised to the corporate environment.

Title: IT Security Guide
Document: 4-ITSecGuide.doc
Synopsis: A 1-page summary of the key security principles, suitable for inclusion in a staff handbook or contractual terms.

Title: Personnel Security Policy
Document: 4-PersPolicy.doc
Synopsis: A 3-page policy on security across the staff lifecycle.

Title: Guideline on Confidentiality and Intellectual Property
Document: 4-ConfAgree.doc
Synopsis: A 1-page summary of the points to cover in a confidentiality and intellectual property agreement.

Title: Job Specification for a Security Manager
Document: 4-JobSpec.doc
Synopsis: A 1-page job specification for the role of IT Security Manager. Where there is no dedicated IT security function, the responsibilities can be divided between existing roles.

Title: Incident Management Policy
Document: 4-IncidentMgmt.doc
Synopsis: All IT security related incidents must be reported to management, escalated and logged, so as to minimise the risk of further damage and to prevent recurrence. All staff must be aware of their responsibilities for reporting and dealing with an IT security incident.

Title: IT Security Incident Report Form
Document: 4-IncidentForm
Synopsis: A template form for recording information security related incidents.

Title: Physical Security Policy
Document: 5-Physical.doc
Synopsis: A 3-page policy outlining the controls for site, computer room and equipment protection, maintenance and environmental support.

Title: Email Acceptable Use Policy
Documents: 6-EmailAUP.doc and 6-EmailQuiz.doc
Synopsis: This comprehensive 9-page policy covers the risks associated with email, examples of published breaches involving email, and policy principles for each of management, technical support personnel and email users. The 2-page quiz covers the policy and is intended to measure user awareness.

Title: Internet Acceptable Use Policy
Documents: 6-InternetAUP.doc and 6-InternetQuiz.doc
Synopsis: This comprehensive 6-page policy covers the risks associated with browsing the Internet, cases of published breaches, and policy principles for each of management, technical support personnel and Internet users. The 2-page quiz covers the policy and is intended to measure Internet user awareness.

Title: Virus Protection Policy
Documents: 6-Virus.doc and 6-VirusProc.doc
Synopsis: This 6-page policy covers virus risks, a potted history of key virus attacks, and policy principles for each of management, technical support personnel and users. The 2-page procedure outlines an approach to business and technical recovery after an infection.

Title: Spam Policy
Document: 6-Spampol.doc
Synopsis: This document addresses the risk to the business from spam, the policies required to manage that risk to an acceptable level, criteria for evaluating technical anti-spam solutions, and the responsibilities within the business for achieving this. Background to the Privacy Directive and the actions being taken to help combat spam are also discussed.

Title: System Backup Policy
Documents: 6-Backup.doc, 6-BackupGuide and 6-Recall.doc
Synopsis: The 4-page documented backup and recovery procedures help ensure that staff know their exact responsibilities when carrying out detailed tasks, that critical actions are not left to memory, and that operations are not unnecessarily hampered by staff absence. The 2-page guide addresses offsite backup and archiving. The 1-page recall procedure outlines the procedure for recalling and managing backup tapes held offsite.

Title: eCommerce Policy
Documents: 6-eCommerce.doc and 6-eCommerceChk.doc
Synopsis: This comprehensive 17-page policy covers the risks associated with deploying eCommerce applications, cases of published breaches of eCommerce security, and policy principles for both application design and management. The checklist tool covers the policy and is intended to measure eCommerce compliance.

Title: Access and Administration Policy
Document: 7-AccessAdmin.pol
Synopsis: A 4-page policy covering the management and IT support requirements for granting access to systems.

Title: Password Policy
Document: 7-PasswordPol.doc
Synopsis: A 4-page policy describing the risks of not managing passwords adequately, with some examples of published cases. A comprehensive set of best-practice password management principles is provided.

Title: System Usage Monitoring Policy
Document: 7-SysMonitor.doc
Synopsis: System monitoring is an essential measure to help detect actual or attempted security breaches. The policy defines the management and IT support responsibilities for monitoring systems.

Title: Access Control Policy
Document: 7-AccessControl.doc
Synopsis: A short policy setting out the basic principle of least privilege: users are granted only the access they need to do their job.

Title: User Re-validation Procedure
Document: 7-UserValidProc.doc
Synopsis: A short list of principles for periodically re-validating system user accounts, to help ensure that only current users retain access.

Title: Generic Account Policy
Documents: 7-GenericPol.doc and 7-GenericForm.doc
Synopsis: Generic accounts are sometimes necessary, but shared accounts introduce weaknesses and reduce accountability for individual user actions. The principles summarised in this short policy, supported by an authorisation form, help put a suitable level of control in place.

Title: Mobile Computing & Teleworking Policy
Documents: 7-MobilePol.doc and 7-MemDevice.doc
Synopsis: Laptop computers, PDAs and palm devices are essential productivity tools but can introduce significant risks. These policies outline best-practice principles for secure mobile computing and for the use of external memory devices.

Title: Business Impact Assessment Checklist
Document: 8-BIAChecklst.doc
Synopsis: A checklist for assessing business impacts during risk assessment.

Title: Threat and Vulnerability Questionnaires
Document: 8-ThreatVuln.doc
Synopsis: A checklist of threats and vulnerabilities for use during risk assessment.

Title: Risk Assessment Report Template
Document: 8-RiskReport.doc
Synopsis: A detailed 29-page specimen risk assessment report in a proven presentation format, including graphical representations of the findings, business impacts, threats and vulnerabilities, and recommendations.

Title: Risk Register
Document: 8-RiskReg.doc
Synopsis: A 1-page template for recording risks in a register.

Title: Risk Assessment Policy
Document: 8-RiskPol.doc
Synopsis: A 4-page policy giving the background to risk assessment and a recommended approach.

The full set of BCP (business continuity planning) templates is available as part of the full package.

Title: Data Retention Policy
Document: 10-DataRetPol.doc
Synopsis: Permanent retention of data can create legal risk. This outline policy sets out the need for controls defining how long data will be retained and secured, and at what stage it should be purged.

Title: Data Protection Policy
Document: 10-DataProtectPol.doc
Synopsis: A 4-page policy outlining management responsibilities for compliance and summarising the eight Data Protection principles.

Title: Data Protection Guideline: Employee Monitoring
Document: 10-DataProtEmp.doc
Synopsis: Employers may need to monitor employee activity as part of system operations or in the event of an investigation. The guideline explains how this relates to the data protection requirements.

Title: Software Copyright Policy
Document: 10-SoftwarePol.doc
Synopsis: A 4-page policy addressing the risk of breaching software licensing requirements, which could have a damaging impact on the business. It outlines the relevant controls and the user, IT support and management responsibilities.

Title: Data Protection Guideline: Website Checklist
Document: 10-DataProtWeb.doc
Synopsis: Websites that capture personal data need to be designed to comply with the data protection principles. This 2-page checklist covers the points to address.

Title: Data Protection Guideline: Privacy & CCTV
Document: 10-DataProtPriv.doc
Synopsis: The Privacy Directive has implications for direct marketing practices and for users of CCTV. This guideline summarises the key principles.

Title: BS7799 Questionnaire
Document: 11-Audit.doc
Synopsis: A comprehensive checklist covering all aspects of BS7799 best practice, allowing results to be captured electronically and displayed graphically for easy interpretation by management.

Title: Penetration Testing Policy
Document: 11-PenTest.doc
Synopsis: Externally facing web services need to be penetration tested, but the testing itself must be regulated and controlled. This 1-page policy outlines the principles for using penetration testing services.