Organizing security policies

In this short series of articles, I am updating materials I wrote for Chapter 28 (“Security Policy Guidelines”) of _The Computer Security Handbook, 4th Edition_. This second column continues with recommendations on how to organize security policies.

Policies are distinct from the sequence in which they are presented. It is useful to have two distinct presentation sequences for policies: topical and organizational.

Topical organization

Security involves a multitude of details; how one organizes these details depends on the purpose of the policy document. The most common format puts policies in a sequence that corresponds to some reasonable model of how people perceive security. For example, employees can look at security as a series of rings with a rough correspondence to the physical world. Under this model, one might have a policy document with a table of contents that looks like this:

* Principles
* Organizational Reporting Structure
* Physical Security
  – Servers
  – Workstations
  – Portable computers
* Hiring, Management, and Firing
* Data Protection
  – Classifying information
  – Data access controls
  – Encryption
  – Countering industrial espionage
* Communications Security
  – Perimeter controls
  – Web usage and content filtering
  – E-mail usage and privacy
  – Telephone and fax usage
* Software
  – Authorized products only
  – Proprietary (purchased) software
  – Development standards
  – Quality assurance and testing
* Operating Systems
  – Access controls
  – Logging
* Technical Support
  – Service-level agreements
  – Help desk functions

Organizational

A complete set of policies may be comprehensive, concise, and well written, but it will still likely be a daunting document, especially for non-technical staff. To avoid distressing employees with huge tomes of incomprehensible materials, it makes sense to create special-purpose documents aimed at particular groups.
For example, one could have guides like these:

* General Guide for Protecting Corporate Information Assets
* Guide for Users of Portable Computers
* A Manager’s Guide to Security Policies
* Human Resources and Security
* Network Administration Security Policies
* Programmer’s Guide to Security and Quality Assurance
* The Operator’s Security Responsibilities
* Security and the Help Desk

Each of these volumes or files can present just enough information to be useful and interesting to readers without overwhelming them with detail. Each can reference the full policy document.