BKISPME.RVW 940503

Baseline Software
P.O. Box 1219
Sausalito, CA 94966-1219
415/332-7763
Fax: 415/332-8032
3143490@mcimail.com

"Information Security Policies Made Easy", Wood, 1994, 1-881585-01-8, U$495.00

Data security texts and talks often promote numerous concepts that should be added to, or included in, security policies. There are numerous presentations in even general computer conferences on designing such policy documents. Few policies, however, actually get written. Those that do are often full of holes and gaps. Writing a security policy is an enormous undertaking, and most companies will not allow for the resources necessary to do it well.

This uniquely valuable tool can save a great deal of time in the process. It is a set of over 600 sample paragraphs for a policy document, provided in both hard copy and soft copy, for ease of use. The book starts with an overview of what policies are, as distinct from guidelines, standards, procedures, and controls; the needs for, and uses of, policies; and strategies for the formation of policies.

I stress, again, the word "tool." The book could be confused with a single data security policy document, albeit an overly large one. The items should, however, be tailored to your organization and vetted with care. For example, of the nine items related to computer viral programs, six contain flaws such as misleading information (ironically irrelevant to the policy under discussion), over-detail (a procedure, rather than a policy), draconian measures (likely to be ignored and, therefore, to weaken the whole), or policies which are admirable in themselves but unworkable with existing technologies. Of the three remaining policies, one would be primarily useful only in a software development shop, while another would be useless in the same environment. This leaves but one policy out of the nine which is acceptable without modification regardless of business type.
My choice of viral program policies in this example may be seen as unfair: after all, I am an expert in a fairly esoteric field. However, it does point out the need to thoroughly examine each policy both in terms of general usefulness and the specifics of your particular business and work environment.

The book also contains references to publications, groups and standards that will be of assistance in the policy formation process. Although the price is steep, the resources contained herein are undoubtedly worth it and more for any IT shop facing the policy issue.

copyright Robert M. Slade, 1994

==============
Vancouver Institute for Research into User Security
Canada V7K 2G6
ROBERTS@decus.ca
Robert_Slade@sfu.ca
rslade@cue.bc.ca
p1@CyberStore.ca

"Do you get guns with your gun magazines? No.
Do you get viruses with your virus magazines? Yes."
- Kevin Marcus