Incident Response Policy from Yale

Here’s the incident response policy used at Yale. Parts of the policy include: Identification of Incidents; Establishment of an IT Security Incident Response Team; Risk Assessment; Classification Matrix; Documentation and Communication of Incidents; Subordinate Procedures; Role of Yale Personnel; Training; Incident Prevention. This is an excerpt from the Risk Assessment section: The ISO will establish […]


Best Practices for Security Incident Response

Here’s a helpful white paper by Kerry Thompson that describes best practices that you should follow when responding to a security incident. I like the part about the incident team. Here’s an excerpt: An incident team for a small to medium enterprise is almost always two people. One will be the technical lead who will […]


Example Incident Report

Your Data Security Incident Response Policy should include a reference to your Incident Response Plan or Procedure which should require that an Incident Report be completed for each security incident. An incident report example can be found at the California Department of Finance page here. This is a very thorough report that requires you to […]


Acceptable Use Policy

I found a good example of an Acceptable Use Policy at the Asian School of Cyber Laws site here. I like the section on Unacceptable Use. Here’s an excerpt: The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff […]


Incident Response Policy

John Cristiansen is an information security compliance and risk management lawyer in Seattle, WA. He has an excellent example of a generic Security Incident Response Policy on his blog here. The policy is focused on complying with HIPAA requirements, but it can be customized to meet the needs of any organization. Here’s an excerpt: 1. […]


Data Classification Policy

There’s a useful example of a Data Classification Policy from George Washington University here. They have only three categories of information, and responsibility for implementing the policy is delegated to the departments of the University. Here’s an excerpt: Data owned, used, created or maintained by the University is classified into the following three categories: Public […]


Business Continuity Presentation

When you’re developing your Business Continuity Security Policy you may want to deliver a presentation to your company explaining what business continuity is all about. Here’s a Business Continuity Presentation I gave to educate a company about the need for business continuity. Feel free to use it as you like. Topics covered in the presentation […]
