RE: Security policy

["Murda Mcloud" <murdamcloud () bigpond com>]

Get legal(especially legal) and management on side. Depending on how big the
company is, I don't want to be the one who is enforcing the policy as well
as writing it up. I think that should be HR's call.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Francois Yang
Sent: Thursday, October 26, 2006 6:02 AM
To: security-basics () lists securityfocus com
Subject: Re: Security policy

thank you everyone for you inputs.
I did look at SANS's website but again I wasn't sure which was the
best way. to have a big policy or multiple small ones.  The main
concern with both ways is that if it is too long, then people won't
read the whole thing and if there are too many of them.  We won't keep
track of them.

So I think this is how I'm going to do things.

1. create specific policies, like e-mail, remote access, password, etc...
2. Create a generic security policy that reference to other policies.
3. Create procedures and standards to go with the more specific policies.

Any other thoughts?


On 10/25/06, Laundrup, Jens <Jens.Laundrup () metrokc gov> wrote:
> My suggestion would be to first look at the overall security policy in
> place.  Ensure that your IT policy reflects that same level and emphasis
> of security.  Then divide up separate security policies for the major
> areas (Firewall, acceptable use, access, etc.)
>
> Each policy should be between 2 and 3 pages long.  They should cover the
> overarching concepts but should be technology independent
>
> example:
> "The system shall be protected by a firewall" -technology dependent
>
> "The system shall be protected from outside the domain" -technology
> Independent
>
> Then under each policy, develop a standard that addresses the technology
> and the specific implementation of technology to accomplish the goal of
> the policy.  This way, the policies, which require high level (CISO, CSO
> or CEO) approval are not altered very often whereas the specific
> implementation can be controlled at the Security analyst/architect level
> and can change regularly while still fulfilling the objectives of the
> enterprise as stated in the policy.
>
> A good source for information for the documents is NIST.  There are also
> companies who specialize in developing policy, standard and instruction
> templates that you can purchase and create from there.  A great place to
> go for free stuff are the government agencies since none of their
> documents are copyrighted.  If you go to
> http://www.e-publishing.af.mil/pubs/majcom.asp?org=AF you can see all
> the Air Force policies and procedures (focus on areas 31 and 33 for what
> you seek).  And there are many other government agencies (federal, State
> and local) that have all their policies published  and available for
> public consumption on line.
>
> Good luck
>
>
> Jens
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Francois Yang
> Sent: Tuesday, October 24, 2006 2:39 PM
> To: security-basics () lists securityfocus com
> Subject: Security policy
>
> Can anyone please point me in the right direction.
> I need to write some security policies, but I'm not sure where to begin.
> I know there are alot of examples and templates out there, but what do
> I include in the policy.
> I see seperated policies for e-mail, password, remote access,
> acceptable use, etc...but I was also told that it is better to try to
> make all of those fit into one so that we don't have to keep track of
> 10 different policies.  The question is, which one do I include in one
> big security policy and which ones to I make them seperate?
>
> thank you.
>
> ------------------------------------------------------------------------
> ---
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic
> Excellence
> in Information Security. Our program offers unparalleled Infosec
> management
> education and the case study affords you unmatched consulting
> experience.
> Using interactive e-Learning technology, you can earn this esteemed
> degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ------------------------------------------------------------------------
> ---

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------