Re: Writing a comprehensive Network Policy

[Alcides <alcides.hercules () gmail com>]

Hi CH,

Sorry, but your question itself seems a bit obscure to me.
As you say:
  >
  > 2.) Keep the standard 3-5 page policy length
  >
I couldn't figure out what exactly do you want to express.

In my opinion,
In some cases your network policy outline templates itselt may run as
long as 3-5 (or even longer...depends on your needs for restrictions)
pages(here,assuming standard of font size 10/Arial), which later on
you have to materialize into policy statements defining the controls
to be implemented.
Again as you stated earlier:
      > 1.) Should be a policy and not a procedure
You must spend some time on making decisions regarding how restrictive
the controls should be, particularly in all the " routers,switches,
hubs, firewalls, and Workstations etc". This whole process of WRITING
the policy for network security may be looked at as a 3 stepped:

1.Making decisions regarding what you want to allow and what to block
2.Discussing with the team mates involved, so that you can include
whtever is missed out.
3.Writing the policy

This whole process can be most feasibly taken from TOP to BOTTOM in
your networks security architecure layers. ie from POP/Outermost
entity towards workstations in private zone. The whole thing may take
time of a few weeks depending size and complexity of network.

For just a rough idea about time you need for this I'd like to share
my previous experience.
Once it took 4+ weeks for our team of 3, to do similar
exercise+implementation for a network of 3 legged PIX firewall, 2
routers, 2 LBs, 6 switches , 15 servers, 2DCs, 50+workstations running
Windows 2000.

May be this helps a little bit just to start off in right direction.

cheers,



On 8/23/06, Chris Hammer <CHammer () fcbnm com> wrote:
>   Hello,
>
>  I am currently writing a network policy for our business. I am having
> trouble figuring out exactly what I should put into it while meeting
> these requirements:
>
> 1.) Should be a policy and not a procedure
>
> 2.) Keep the standard 3-5 page policy length
>
> 3.) Policy should cover network architecture including: routers,
> switches, hubs, firewalls, etc....
>
> Any examples or a general idea of where to start would be appreciated!
>
> Cheers,
> CH
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------