Firewall Wizards mailing list archives
Re: What's in a security policy? (was Re: How do we do our job?)
From: Bennett Todd <bet () rahul net>
Date: Thu, 30 Apr 1998 06:56:59 -0700
1998-04-30-13:47:57 Darren:
1998-04-30-13:28:20 Bennett Todd:
But none of this comes near addressing the point you raised: how would you go about ``verifying that a security policy is any good''?
Well, the first step might be to check that it actually exists.
Always a good start, yes :-). While you're at it you can also check to make sure it takes the form of a good security policy, giving reasonable justifications for the rules, and documenting its source of authority and its revision procedures. Sounds a lot like a constitution now that I think of it.
The next might be to evaluate it against what the business requires from whatever it controls and what the security risks are.
Sounds like what I was proposing, re-do the thing from scratch and see if you end up at about the same place. Big expensive job, that. Are there people who sell this service? 'Cause anybody you'd trust to do this would have to be at least as good as your best security analyst, preferably better. Hard to find such people.
-Bennett