Firewall Wizards mailing list archives
Re: Security Policy
From: Damir Rajnovic <Damir.Rajnovic () eurocert net>
Date: Wed, 22 Oct 1997 09:23:42 +0100
At 15:20 +0200 20/10/97, Wolfgang 'Robyn' Braun wrote:
> Don't get me wrong, I know what should be allowed across the firewall and I know how to implement it (actually I already did it on my private subnet) - but I really don't know how to write a security policy. Is there some sort of guideline on how to write a security policy?

I am not sure that there is a guideline on how to write it; the general rule goes that you have to have something like this:

a) top-level document, produced by management, which states that the company will devote resources to computer security and that they (management) are backing that 100%

b) global security policy without particular technical details, statements like:
   - all users can use e-mail
   - e-mail must be checked by e-mail-officer who will approve sending and delivery
   - all users will freely use WWW
   - only top managers will have access to playboy.com
   and so on (this is rubbish but you can get the idea)

c) several documents which describe the technical details of how things will be done

Example (how that can look):

a) ....all measures to ensure security of communication will be made....

b) .... Communication between HQ and branch offices will be encrypted. ....

c) For communication between HQ and branch offices blah-blah device will be used using algorithm xx. Master key will be changed every month; it will be used for encrypting 'session' key. Distribution of master key will be done by couriers. .....(and so on)

There is one book with many security policies but I can't recall the title, sorry.

Cheers,

Gaus

------------------------------------------------------------------
EuroCERT                       tel: (+44 1235) 822 382
c/o UKERNA, Atlas Centre       fax: (+44 1235) 822 398
Chilton, Didcot
Oxon OX11 0QS                  http://www.eurocert.net
UK                             mailto:Damir.Rajnovic () eurocert net
------------------------------------------------------------------