Creating Policies

Clearly, policies are a key part of information systems security. Thus, creating policies is an important task that must be executed in an effective manner. In addition to the previously mentioned COBIT, other tools aid in creating policies. The International Organization for Standardization (ISO) created the standard ISO 17799, which is titled “Information Technology—Security Techniques—Code of Practice for Information Security Management.” This standard establishes best practices of control objectives and controls, including security policies. This is an excellent starting point for guidance on creating information system policies.

Another source is National Institute of Standards and Technology (NIST) 800-12, titled “An Introduction to Information Security.” Chapter 5 of this standard is entirely about information security policy. It provides general guidelines for developing policies. Specific policy issues such as email privacy, bring your own device (BYOD), and social media are also covered. Reviewing NIST 800-12 in conjunction with ISO 17799 will provide you with a solid understanding of policy standards.

In addition to standards such as ISO 17799 and NIST 800-12, there are several other sources for policy information. For example, the SANS organization has a number of templates you can download; these are located at https://www.sans.org/security-resources/policies. If you are new to developing policies, reviewing templates and the policies of other organizations is helpful.
