Saturday, August 09, 2014

Is this your Sample Information Security Policy?

If you or your organization is the original creator of the following Sample Information Security Policy, then I would like to hear from you:
Every organization needs an Information Security Policy (although they may call it something different). When used appropriately the organization's whole approach to security will be guided by the policy document, a copy of which may well be requested during discussions around mergers, partnerships, and bids for new business. I have discussed the role and importance of security policy in several webinars, including this one directed at small and medium sized businesses.


Many information security policy documents share the same format and language. Terms of art and standard definitions are commonly used. That raises some interesting copyright questions, especially when it comes to 'sample' policies. The origins of the sample policy shown above are not clear but it has been freely available as a Word document for download on the Internet for several years, notably here on this site (Word DOC).

A sample policy like this can be a very helpful starting point for smaller organizations that have limited resources for security matters. However, some serious caveats are in order, notably this: do not expect a sample security policy to solve your policy or security needs. Indeed, some security experts are disinclined to share sample policies for this very reason; they don't want an organization to simply search-and-replace ORGANIZATION XYZ with their own name and declare the information security policy challenge met.

Clearly, any policy upon which your organization is going to stake its reputation -- for that is what you do when you adopt and publish an Information Security Policy -- needs to be tailored to the specific circumstances of your organization. On balance, I think it is better to share a solid sample policy in the hope of setting more organizations on the right road to a suitable policy, than it is to withhold a sample due to the risks of inappropriate use.

Therefore, I am working on a shareable information security policy which takes the above referenced sample as its starting point. I would like to credit the authors of the above sample, although what I eventually publish as a freely shareable public domain document will be somewhat different from the above doc. According to the document properties, the document itself was created by someone at the North Carolina Health Care Information and Communications Alliance, or NCHICA. However, they have informed me that it was provided to them 'as is' by parties unknown. Please contact me via scobb at scobb dot net if you can shed any further light.

I will let you know when an edited, free, annotated, sample security policy is available.