Security Policies
I am up to my ears in multiple security policies and trying to find which policy has the information that I am looking for.

So my question: Is it better to have one large policy that breaks everything out in sections, or is it better to have multiple policies, one for each control?

How are you handling your policies?

The common wisdom is to have distinct policies for specific issues. Of course, they should all be stored in one spot, but in part, having different policies should allow you to name them to make it easier to find the right one ("password policy", "BYOD policy", "vulnerability mitigation policy" ... ). Having distinct policies makes it easier to maintain them. It should also be easier to find the right policy that way.

Also, see the SANS security policy project for samples:

ISC Handler
