Security Policies
I am up to my ears in multiple security policies and trying to find which policy has the information that I am looking for.

So my question: Is it better to have one large policy that breaks everything out in sections, or is it better to have multiple policies, one for each control?

How are you handling your policies?

The common wisdom is to have distinct policies for specific issues. Of course, they should all be stored in one spot, but in part, having different policies should allow you to name them to make it easier to find the right one ("password policy", "BYOD policy", "vulnerability mitigation policy" ... ). Having distinct policies makes it easier to maintain them. It should also be easier to find the right policy that way.

Also, see the SANS security policy project for samples:

ISC Handler
