84 Managing Network Vulnerability Assessment
as those discussed in the NIST Special Publication 800-12, “An Introduction
to Computer Security.”
The Information Security Policy should be approved by management,
published, and communicated, as appropriate, to all employees. It should
state management commitment and set out the organization’s approach to
managing information security. As a minimum, the following material should
be included:
A definition of information security
A statement of management intent, supporting the goals and principles of
information security
A definition of general and specific responsibilities
References to documentation that may support the policy
The Asset Classification Policy is developed to maintain appropriate protection of organizational assets. All major information assets should be accounted for and have Owners identified. Accountability for assets (which include information records, transactions, applications, network segments, etc.) is assigned to the Owner, who decides which controls are required, with a Custodian responsible for implementing those controls.
Business continuity planning (BCP) and technology disaster recovery planning (DRP) are the next policies that need to be reviewed. The NIST Special Publication 800-34, “Contingency Planning Guide for Information Technology Systems,” is available at the NIST Web site (csrc.nist.gov/publications/nistpubs/) and can provide the policy reviewer with the basic requirements needed in a general policy regarding BCP and technology DRP.
For topic-specific policies, the areas listed in Exhibit 1 should be addressed
and critiqued.
Review Elements
The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the luxury of sitting down with each reader to explain what each item means and how it affects the user’s daily assignments. Know the audience for whom the policies are being developed, and keep in mind the reading and comprehension level of the average employee. When writing the policy, remember the “5 Ws (and one H) of Journalism 101”:
1. What: what is to be protected (the topic)
2. Who: who is responsible (responsibilities)
3. Where: where within the organization does the policy reach (scope)
4. How: how compliance will be monitored (compliance)
5. When: when the policy takes effect (effective date)
6. Why: why the policy was developed (purpose)