Other Organizations' Infosec Policies

Modified 6 November 2008

Government agencies and corporations generally consider their policies as sensitive information, and so they do not let outsiders see them. It makes sense at that least some of an organization's policy would be sensitive, and so if the only choices of disclosure are "all" and "none", choosing "none" errs on the side of caution. About the only policies you can see are guidance from various security organizations (both guidance and enforcement) and possibly partial policies from some universities:

Purdue's CERIAS archive has various documents, ranging from copies of policies now or previously in effect at various universities, to NIST security documents, to U.S. Federal Criterea for Information Technology Security, to some more narrative papers:
ftp://ftp.cerias.purdue.edu/pub/doc/policy/
NIST's document "Building Effective, Tailored Information Security Policy" http://csrc.nist.gov/nissc/1997/panels/isptg/pescatore/html/
NIST's document "Guidelines on Firewalls and Firewall Policy" http://csrc.nist.gov/publications/nistpubs/index.html
Generally Accepted System Security Principles (GASSP) — From the International Information Security Foundation: http://web.mit.edu/security/www/gassp1.html
SANS has The SANS Security Policy Project: http://www.sans.org/resources/policies/
BS 7799 — British code of practice for information security management. You'll have to search for standard 7799 at this site: http://bsonline.techindex.co.uk

Back to the main Security Page

Home

Unix/Linux

Networking

Infosec

Travel

Technical

Radio

Site Map

Contact