Educause Security Discussion mailing list archives
Re: Institutional Security Policies
From: Jere Retzer <retzerj () OHSU EDU>
Date: Mon, 26 Aug 2002 08:47:43 -0700
To what extent should you publicize these policies?
spaf () CERIAS PURDUE EDU 08/26/02 08:41AM >>>
I just finished writing a high-level summary of this process for the 3rd edition of "Practical Unix & Internet Security." Policy should be a statement of values, goals, and institutional direction. It should specify what is important, and who has the authority and responsibility to ensure that the policies and goals are met. It should not mention specific machines, data items, or the like. In general, once written, policy stays the same for a long time.
From policy, you define standards. Standards are meant to achieve the goals. They specify objectives that can be met and audited. They state levels of performance. These can be platform-specific, or data-centric, or both. In general, standards change slowly, and only after considerable thought and discussion.

Guidelines are written around standards, and describe how to satisfy them. They provide site- or situation-specific solutions and procedures. These may continually evolve.

As an example, the policy may state that "The availability of current, correct data is crucial to the operation of our enterprise. It is the duty of the CIO to ensure that correct versions of all operational data are available and on-line within acceptable business limits, even in the presence of major site disasters."

A corresponding standard, issued from the CIO's office (he was given the responsibility by the policy) might be "All computing systems with critical business data (as defined in some other standard) will have that data archived to backups. A daily backup will be performed outside of normal business hours for each system and kept on-site. A monthly backup will also be performed and stored off-site at a secured facility. Monthly backups will be kept for a period of not less than 12 months. Backup media will be alternated or new media used so as to avoid overwriting a current backup. Every monthly backup will be read completely to ensure it is usable, and once a month a daily backup will be selected at random for similar testing. Once every twelve months each system will be reconstructed solely from a monthly backup to ensure the utility of the backups. A written report of these tests will be filed with the CIO's office every quarter."

Note that these standards address the policy requirements, and provide auditable goals without specifying products or particular people/systems.

The guidelines/practices would then be written for each system type (e.g., "How to do backups for Windows," "How to do backups for Unix systems," and so on). These are adjusted for the individual systems and environment in which the standards apply.

Standards need to be published so that people know how to meet them, although they may be kept proprietary. Policies should be published to the organization so everyone knows them. Guidelines are informal and generally don't need publishing, although sharing among groups helps keep from replicating work.

That's the more formal framework for your answer. I hope that at least partially addresses your question!

--spaf

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.