Security Basics mailing list archives
RE: Security Policy-Please help
From: "kevin" <Kevin () ktstone com>
Date: Tue, 12 Aug 2003 10:32:17 -0500
I would have to agree, but would like to add a few pennies. True, without management support and full backing you will find it difficult to adequately develop a security policy that will fit your company's needs and desires. Remember a good security policy balances these. Ok, on with it....

1. To identify critical assets you will need to understand the big picture (e.g. how the company makes money). The big picture usually hovers over the vast expanse of service and product. You need to know this because sometimes you are protecting a physical asset and at others a "soft" asset like a process or data, etc.

2. Once you have identified the assets you need to define the probability and possibility of a threat against those assets. The threat should be as realistic as possible. Let me straighten that wrinkle a bit: a "probability" is the likelihood of an event. For example, is it possible that a typhoon would strike Arizona? Not likely, but "possible." It is important to note the difference and adequately prepare for what is probable--not possible (in most cases). This saves the company money and a great deal of time implementing the policy.

3. The policy should not take a great deal of time to implement. This is critical because things will change with time, and if the policy is behind the power-curve it will never be implemented because it is never up-to-date and therefore is not cost effective. You should try to balance the in-depth quality of the policy with the need to implement it and keep it up to date.

4. Often a continuity plan is the first step towards a risk assessment and security policy, in my humble opinion. It states what X will do if Y happens. It should help guide you towards policy.

5. An official risk assessment, done by an outside agency, is often very helpful but costly. An RA team is composed of highly qualified personnel (Unix and Windows gurus, network demi-gods and other almost-immortals) that can sift through the bowels of the most complex network and business processes and see what needs tweaking, what is missing and what you have to do to protect everything your company deems valuable to its survival. Also, because they do not know your systems, they will almost always find things you are often blinded to. With cooperation from internal personnel, a well executed and documented RA will include security penetration tests and much, much more. I highly suggest it.

Hope this helps.

Kevin Steiner
Capitol College


I've been writing custom security policies and have done lots of research on the internet about it. I've also reviewed lots of company policies which are currently in place.

In my mind, the first thing to do of course is convince management that they need a policy. This is the easiest step. Every business owner/exec will jump at the opportunity to gain control over their company, especially if it's going to reduce risk, save money due to lost production time of employees and cut down on IT staff expenditures.

When beginning to write the policy, the first thing I start with is defining the company's assets. This kind of makes the rest fall into place: bandwidth, computers, servers, routers, software, user accounts, domain name space, reputation (for email server relay and spam lists), customer data/info, employee data/info, shareholder info/data, etc. etc. These things will all be defined and should have their own place within the policy, along with what measures are going to be taken to protect them. They should also be given a rank of privacy, from publicly obtained information to top secret.

Implementing a written policy is a big nasty monster. Writing one is even worse. Good luck.

Almost forgot. "The Art of Deception" by Kevin Mitnick has a very good write-up in the back of the book about building written security policies...
Current thread:
- Security Policy-Please help Kampanellis Ioannis (Aug 06)
- RE: Security Policy-Please help Kenneth W. Kubiak (Aug 06)
- Re: Security Policy-Please help Bennett Todd (Aug 06)
- Re: Security Policy-Please help J. Lambrecht (Aug 07)
- <Possible follow-ups>
- RE: Security Policy-Please help Jason Armstrong (Aug 06)
- RE: Security Policy-Please help Jaymz Ringler (Aug 06)
- RE: Security Policy-Please help kevin (Aug 12)
- RE: Security Policy-Please help dmwidger (Aug 06)
- RE: Security Policy-Please help Jaymz Ringler (Aug 06)