Security Basics mailing list archives
Re: Security Policy-Please help
From: Bennett Todd <bet () rahul net>
Date: Wed, 6 Aug 2003 13:19:07 -0400
2003-08-06T04:07:48 Kampanellis Ioannis:
> Any advice? Where could I start?
Big, big question. I think you start several steps before the sort of things you mentioned.

The very first thing is to determine the organization's commitment. If you have a positive commitment from senior management, proceed. Otherwise retire from the field :-).

Then you evaluate the organization's needs as they relate to computer security. A reasonable first step would be to describe the functionality they require --- what services they must be able to use, especially focusing on places where security boundaries exist. Then describe the resources that must be protected. Often computer security analysis organizes these resources into categories of confidentiality (keeping certain information secret from some people), integrity (preventing unauthorized modification of certain data), and availability (preventing attackers from denying you the use of your systems).

Once you've sketched this out, the fleshing out of a robust security policy needs to follow a course of describing the overall goals as determined by the above analysis, then enumerating required practices in various areas, motivated by the above goals, and where appropriate including cost/benefit analysis justifying the requirements.

The final step loops back to the beginning. Once the policy has been reviewed and refined by all the major participants who will be required to honor it, you finish it with a statement describing the approval process through which it holds authority, and the revision process required to address any defects found.

As an example of the analysis process: some organizations have to allow all their users to interact with internet email; they refuse to bear the perceived cost of using a secure platform from which to do internet email; and they require that their systems be available, and resistant to arbitrary browsing and modification by random strangers. Therefore the bandaid of "virus scanning" must be deployed somewhere in the email transit path before messages reach the users' email clients.

Most often the analysis can be structured along these lines: identify a threat, identify any costs that cannot be borne, and thereby motivate the requirement.

-Bennett
Current thread:
- Security Policy-Please help Kampanellis Ioannis (Aug 06)
- RE: Security Policy-Please help Kenneth W. Kubiak (Aug 06)
- Re: Security Policy-Please help Bennett Todd (Aug 06)
- Re: Security Policy-Please help J. Lambrecht (Aug 07)
- <Possible follow-ups>
- RE: Security Policy-Please help Jason Armstrong (Aug 06)
- RE: Security Policy-Please help Jaymz Ringler (Aug 06)
- RE: Security Policy-Please help kevin (Aug 12)
- RE: Security Policy-Please help dmwidger (Aug 06)
- RE: Security Policy-Please help Jaymz Ringler (Aug 06)