Firewall Wizards mailing list archives
Re: Policy ? (was RE: Penetration Tests)
From: Pauline van Winsen - Uniq Professional Services <Pauline.van.Winsen () uniq com au>
Date: Mon, 29 Sep 1997 09:28:35 +1000 (EST)
I think everyone agrees that having a solid security policy is needed before implementing any feasible security architecture. My question is what does this policy encompass? My question is not directed at the technical details of how to get things done, but more towards the high level that has to be sold to Joe and Jane user, the management, etc. Are you looking at writing a document that states such general things like "don't use the network for unofficial business"?
this sort of statement is generally covered by an acceptable use policy which may not be tied to the security policy.
Or do you get more specific like "all web traffic will be proxied and only allowed to the following sites..."
& this may be too technical for a high level security policy document. security policies are extremely hard to write & expect to review them often. unfortunately due to differences in legal requirements, organisational culture & any number of other factors, security policies will differ between organisations.

so where to start? - do a risk analysis. figure out how much an asset is worth & how it is vulnerable. then you can take appropriate steps to secure the asset consistently across the organisation. & remember all that effort putting security measures in place is going to be wasted unless you have an enforceable policy & someone to enforce it!

2 sources i find useful which are easy to read, short & inexpensive are:

* A Guide to Developing Computing Policy Documents - edited by Barbara L. Dijker
* System Security: A Management Perspective - Oppenheimer, Wagner & Crabb

see: http://www.usenix.org/sage/publications/short_topics.html for more details.

& if you find security policies not as sexy as downloading the latest rootkit at the very least get an incident response plan together. most orgs. i've seen have a simple non-articulated IRP called "PANIC!!!" & they implement it most effectively @ 3 in the morning after they've been notified, often by an external party, that bad things have happened. 8-(

hope this helps,
pauline

Pauline van Winsen pauline () uniq com au
Uniq Professional Services Pty Ltd www.uniq.com.au
PO Box 70, Paddington, NSW 2021, (Sydney) Australia
Phone: +61-2-9380-6360 Fax: +61-2-9380-6416 Pager: 016 287 000
"Never try to flirt with your boss... he's your bread & butter and not your honey."
The boss is not your honey - Book 3, Woman's World, circa 1964.