Firewall Wizards mailing list archives

Re: Re Where to find a example security policy?


From: Brian Ford <brford () cisco com>
Date: Mon, 25 Sep 2000 14:23:00 -0400

Andy,

Ahh.  We should have joined forces Sunday.  I had my one kid running around with 7 cousins of various ages and genders. I just gave up on doing anything electronic and watched some Olympics and football (J E T S, Jets, Jets, Jets!).

I totally agree with your call for the legal assessment.  It's a requirement and not a nice to have.  I've seen a 
couple of dismissals turned around here in the New York area over the past 12-18 months due to inadequate legal advice. 

If you already have a (technically) well educated work force in place, your advice would work well.  Education, 
continuing and otherwise, is vital to making this work.

Was the Overly book published recently?  I saw a reference to a book with a similar title recently (at FatBrain.com) 
but it had not actually been published yet.

And again, you've made an excellent point (i.e. "keep plugging away").  One of the toughest parts of developing a 
security policy seems to be getting started.

Regards,

Brian


  At 06:41 PM 9/24/2000 -0400, you wrote:
Brian and Aaron

** Before I start this....  If I seem to ramble in this it is because it is
Sunday, my day off, and I have 2 little kids running around & screaming.
Please bear with me. This should only take about...mmmmmmmm...3-4 hours to
do....   ;c )

The "4 E's" I suggest are basically for 3 types of policies...computer usage,
e-mail usage and Internet usage. All of which I believe are the foundation
policies to work from for more in depth policy development. But as you
suggest Brian, keeping the policies in plain English is key as well. They
cannot be filled with a lot of legal or IT talk that no one will ever
understand.

Brian, your example company seemed to have done things fairly well. The only
thing I didn't notice was some sort of legal involvement.  The idea of
having the IT department draft the policies will work from a tech side but
they care and/or know very little about the implications involved with the
legal issues. Make no mistake about it...this is a legal and binding
document. Developing and implementing these policies can be a complicated
process, involving substantive issues of law, employee relations, and
security. Keep in mind why we are writing these policies. We are protecting
the company from legal problems (i.e., claims from employees past and
present as well as 3rd party claims) and we are protecting company resources
and information.

I agree that the average end user knows little of how the network works.
Most are lucky if they can type in a web site correctly. They have no
knowledge of bandwidth or computer resources and to tell you the truth I
don't think they have to. What they do have to know is what they can and
cannot do with the resources provided for them to do their job. As I've said
before, education is the most important piece to the policy puzzle. You can
develop and implement policy 'til you're blue in the face but if you do not
educate your employees about them you have gone thru all that work for naught.
Showing your employee the policy once, having them sign it, and then
expecting them to remember it 1-2 years down the road does not carry any
weight at all in a court of law. Continuing policy education is the key.

Aaron, the places you have been pointed to for example policies are all good
starting places. Use them all, but don't place all your faith in them.
As I said before this is not something you can throw a quick fix at. It is a
very complicated process. You are moving in the right direction and are far
ahead of a lot of other companies that have not even thought about this at
all.  Don't get discouraged and keep plugging away. There is a less expensive
book about all of this that I know of.  It is called "e-Policy  How to
develop Computer, E-Mail, and Internet Guidelines to Protect Your Company
and Its Assets" written by Michael Overly. A very long title but at the
price of $19.95 US another resource to draw from with less of a hit to the
wallet.

Best,

Andy

Brian Ford
brford () cisco com

