IT Policy template? Guide?

wavewerx

Is there any sort of standard guide or template for IT policies? Or something one of y'all can pass along?

I'm having a bit of trouble setting up some guidelines for my company. There are about 40 users, and new policies get set up as needed. I'm not looking for AD/GP but rather Employee Handbook policies to include.

Any suggestions?
 
They are all different; consult a lawyer or a payroll company and have them create you an employee handbook.

This is really not networking/security related.
 
Maybe an employee handbook wasn't the right choice of words.

I posted in here because I was looking for something like "No USB devices", new hardware and software requests, and similar... not really what I think to be lawyer-y things.
 
The definitive guide for quite a while has been Charles Cresson Wood's Information Security Policies Made Easy. It's expensive though and I wouldn't exactly call it fun reading.

If you have any sort of relationship with Gartner, they've got some decent papers on writing policies.

SANS also has a very good resource for policies which can be found here
 
They are all different; consult a lawyer or a payroll company and have them create you an employee handbook.

This is really not networking/security related.

On the contrary I would say this is completely security related. Governance (policies) is one of the major aspects of any corporate security function.

As for the OP: if you have a 40-person company, I doubt you need to get an outside party involved unless you're in a regulated industry (banking, healthcare, etc.) that would have specific requirements for security.

Depending on your industry, risk, and impact of information loss I would work on ensuring that your security policies address common risks but aren't so burdensome that people avoid them.

Besides the policies themselves, you should carefully consider how to implement any significant changes from the current state. For example, if you decide that eliminating USB drives is in the best interest of your company, you need to ensure that people have an alternative, like a secure network share or SFTP, that can be used to easily transfer files, and that everyone is well informed of the change.

Other good resources in addition to Gartner would be to look at COBIT, ISO 27001, and SOX and pick the parts that are relevant for your company.
 
On the contrary I would say this is completely security related. Governance (policies) is one of the major aspects of any corporate security function.

On the contrary, the OP first asked for an EMPLOYEE HANDBOOK, not a fair use policy for computer equipment.
 
If you're looking for policies, they are relatively easy to find with a Google search; a lot of universities have theirs public, so you can take it, change the verbiage to work with your company and go from there. Madnes5 had some good starting points as well.

One thing to keep in mind from a policy standpoint is that you need to be sure to have executive sign-off; that makes them enforceable as well as making sure management is on the same page as you are.


 
I'd almost like to retool our electronic use policy.
 
If you're looking for policies, they are relatively easy to find with a Google search; a lot of universities have theirs public, so you can take it, change the verbiage to work with your company and go from there. Madnes5 had some good starting points as well.

One thing to keep in mind from a policy standpoint is that you need to be sure to have executive sign-off; that makes them enforceable as well as making sure management is on the same page as you are.

Thanks for the tip there. This'll definitely be done.


The definitive guide for quite a while has been Charles Cresson Wood's Information Security Policies Made Easy. It's expensive though and I wouldn't exactly call it fun reading.

If you have any sort of relationship with Gartner, they've got some decent papers on writing policies.

SANS also has a very good resource for policies which can be found here

Thanks! That's exactly what I'm looking for
 