Firewall Wizards mailing list archives

Re: Policy ? (was RE: Penetration Tests)


From: Pauline van Winsen - Uniq Professional Services <Pauline.van.Winsen () uniq com au>
Date: Mon, 29 Sep 1997 09:28:35 +1000 (EST)


> I think everyone agrees that having a solid security policy is needed before
> implementing any feasible security architecture.  My question is what does
> this policy encompass?  My question is not directed at the technical details
> of how to get things done, but more towards the high level that has to be
> sold to Joe and Jane user, the management, etc.  Are you looking at writing
> a document that states such general things like "don't use the network for
> unofficial business"?

this sort of statement is generally covered by an acceptable use
policy which may not be tied to the security policy.

> Or do you get more specific like "all web traffic
> will be proxied and only allowed to the following sites..."

& this may be too technical for a high level security policy document.

security policies are extremely hard to write & expect to review
them often. unfortunately due to differences in legal requirements,
organisational culture & any number of other factors, security policies
will differ between organisations. 
so where to start? - do a risk analysis. figure out how much an asset
is worth & how it is vulnerable. then you can take appropriate steps
to secure the asset consistently across the organisation. & remember 
all that effort putting security measures in place is going to be wasted
unless you have an enforceable policy & someone to enforce it! 

2 sources i find useful which are easy to read, short 
& inexpensive are:
* A Guide to Developing Computing Policy Documents - 
        edited by Barbara L. Dijker
* System Security: A Management Perspective - 
        Oppenheimer, Wagner & Crabb

see: http://www.usenix.org/sage/publications/short_topics.html
for more details.

& if you find security policies not as sexy as downloading the
latest rootkit at the very least get an incident response plan 
together. most orgs. i've seen have a simple non-articulated
IRP called "PANIC!!!" & they implement it most effectively @
3 in the morning after they've been notified, often by an
external party, that bad things have happened. 8-(

hope this helps,
pauline

Pauline van Winsen                                   pauline () uniq com au
Uniq Professional Services Pty Ltd                       www.uniq.com.au
PO Box 70, Paddington, NSW 2021,                      (Sydney) Australia
Phone: +61-2-9380-6360      Fax: +61-2-9380-6416      Pager: 016 287 000
"Never try to flirt with your boss... he's your bread & butter and
not your honey."
        The boss is not your honey - Book 3, Woman's World, circa 1964.
