Firewall Wizards mailing list archives

Re: What's in a security policy? (was Re: How do we do our job?)


From: Bennett Todd <bet () rahul net>
Date: Thu, 30 Apr 1998 06:56:59 -0700

1998-04-30-13:47:57 Darren:
> 1998-04-30-13:28:20 Bennett Todd:
> > But none of this comes near addressing the point you raised: how would
> > you go about ``verifying that a security policy is any good''?
>
> Well, the first step might be to check that it actually exists.

Always a good start, yes:-). While you're at it you can also check to
make sure it takes the form of a good security policy, giving reasonable
justifications for the rules, and documenting its source of authority
and its revision procedures.

Sounds a lot like a constitution now that I think of it.

> The next might be to evaluate it against what the business requires from
> whatever it controls and what the security risks are.

Sounds like what I was proposing: re-do the thing from scratch and see
if you end up at about the same place. Big expensive job, that. Are
there people who sell this service? 'Cause anybody you'd trust to do
this would have to be at least as good as your best security analyst,
preferably better. Hard to find such people.

-Bennett