Firewall Wizards mailing list archives
Re: Where to find a example security policy?
From: "Andy W" <jawiggy () rcn com>
Date: Sat, 23 Sep 2000 09:37:42 -0400
Maddy, First things first. Do a walk thru of your company. Take a look around. What is the corporate culture? Are you a tie and shirt company, a sandals and shorts kind of company, or somewhere in-between? Polices won't be worth anything if you ram them down your employees throats. They need to match culture. For the most part I think that employees want to do the right thing, they just need to know what is right and what is wrong. Internet policies, as with any other type of polices, need to have buy-in from the top of a org. chart down. Meaning that in the development of internet, e-mail, and computer usage polices, that everyone is involved. You should make a steering committee, bring folks from different departments together, i.e. upper management, HR, legal, IT, Audit, and end users ( if all these departments of course exist within your company ). The reason for the committee is for everyone to be involved and understand the ramifications of the policies. I like to think of the process of policy development with 4 E's Evaluate....the corporate culture Establish.. the policies to match the culture Educate... the end users in regards to the polices Enforce... the polices with IT tools such as Firewalls, Anti-Virus, Content Scanning, URL Filtering, etc.... Where most companies fail in policy development is with the 3rd E, educating the end users in regards to the policies. Lets build a little scenario for you. Joe in accounting has been going to web sites that the company has decided to be inappropriate for Joe to go to. Joe has been warn ( talk to) to stop yet he has not. Joe is fired. Joe turns around and sues the company for wrongful termination. The reason, Joe says, is that he was unaware of the company polices in regard to this. What the courts are going to look for are the following: Were there polices in place to begin with....Yes there was Were there tools put in place to enforce the polices....Yes there was Were there any form of education for the end users in regards to the policies beside the company handbook that Joe was given when he was hired..No, there wasn't Find some way to educate the end users. Not just once, for that is not enough in most courts, but on a scheduled time....maybe quarterly, in regards to policy. I do know of a few programs that do just that if you would like to know about them. After all of this, the enforcement of the policies, from a corporate standpoint, becomes allot easier. All that is left is for IT to pick the best products to work with ( for they will have to manage these products and enforce the polices on the back end ). ----- Original Message ----- From: "Maddy" <mwlalex () magix com sg> To: "Crumrine, Gary L" <CrumrineGL () state gov> Cc: <firewall-wizards () nfr net> Sent: Thursday, September 21, 2000 11:40 AM Subject: Re: [fw-wiz] Where to find a example security policy?
I have not gone through the recommendations that you guys put up but I am just wondering if there should be a prior phase of security risk analysis and assessment before the sample security policy is even looked at.
_______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- Where to find a example security policy? Aaron Turner (Sep 19)
- Re: Where to find a example security policy? Philip S Holt, INFOSec Research (Sep 20)
- Re: Where to find a example security policy? Patrick Darden (Sep 20)
- Re: Where to find a example security policy? Peter Dinauer (Sep 22)
- <Possible follow-ups>
- RE: Where to find a example security policy? Lemon, Henry L. (Sep 20)
- Re: Where to find a example security policy? Robert MacDonald (Sep 20)
- RE: Where to find a example security policy? Crumrine, Gary L (Sep 20)
- Re: Where to find a example security policy? Maddy (Sep 22)
- Re: Where to find a example security policy? Andy W (Sep 23)
- Re: Where to find a example security policy? Tommy Ward (Sep 23)
- Re: Where to find a example security policy? Maddy (Sep 22)
- Re: Where to find a example security policy? Peter J. Cherny (Sep 20)
- Re: Where to find a example security policy? Chad Schieken (Sep 20)
- RE: Where to find a example security policy? Behm, Jeffrey L. (Sep 20)
- Re: Where to find a example security policy? ark (Sep 22)
- RE: Where to find a example security policy? sean . kelly (Sep 25)