Security on a Shoestring: Creating Internet policies on the cheap

Mathew Schwartz of SearchSecurity.com writes:

When did the SANS Institute write its first in-house security policies? Like many organizations, the Bethesda, Md.-based small business only did it after there was a problem.

A former consultant with the organization used his existing SANS e-mail address to send spam. Technically speaking, the former consultant hadn’t done anything wrong, as the SANS Institute, best known for its computer security training and research, didn’t have policies for acceptable e-mail use. Nor did it monitor or retain e-mail as a business record.

The first thing the SANS Institute did was write for acceptable use, covering such things as Internet access, e-mail, and passwords, said Stephen Northcutt, the director of training and certification at the SANS Institute. “We went from ad hoc to organized in 24 hours.”…

Writing such a policy can be as easy as downloading it for free from the SANS Security Policy Project and filling in brackets with your company’s name and relevant job titles. The project has about 30 pre-made policies…