Firewall Wizards mailing list archives

Re: Client Security Policy, IT security Policy Samples


From: Mitch Pirtle <mitchell.pirtle () verizon net>
Date: 03 Jun 2003 10:02:05 -0400

Good morning/evening,

SANS has an excellent resource at:

        http://www.sans.org/resources/policies/  OR
        http://www.sans.org/rr/catindex.php?cat_id=50

There you can get all the answers you are looking for.  IMHO I think
you're working on these in reverse order, because the InfoSec policy
defines the WHAT that is specified to WHOM, and HOW.  This is the high
level strategy document.  Once you get this defined, the rest is much
more intuitive.

From previous experience, I'd say that your password policies are really
guidelines (one for "users" and the other for IT staff, regarding "group
accounts" like root/Administrator etc.), the client policy is really a
standard, and the InfoSec policy is the real policy.  But this is my own
system cobbled from repetitive policy treatment at several
organizations, definitely not the norm!

Something else to consider - depending on the size of your organization
- is defining security teams, including incident response and
forensics.  Last time I went through this exercise it was for a global
organization whose security efforts were completely matrixed (spanning
multiple departments).  Instead of politics, I got a great
cross-divisional team of people that supposedly hated each other.

As for the client security policy, I'd take a hard look at the
guidelines already prepared by SANS and NIST as well:

        http://csrc.nist.gov/

If you have more policy questions just ask.  I just relocated to NYC
from Europe, and am sitting on the bench with plenty of time...

-- Mitch

On Tue, 2003-06-03 at 02:47, Hilal Hussein wrote:
Dear Gentlemen,

My boss asked me to write down:
1 - the Password Policy
2 - the Client (WinXP, Win98, WinNT Workstation) Security Policy
3 - the Information Technology Security Policy in general for our company

1 - For the Password Policy, I got lots of documents from the net, and I came 
out with two policies, one for "the creation of strong passwords, the 
protection of those passwords, and the frequency of change" and the other 
for "how to write down passwords and seal them in an envelope, how to store 
them and retrieve them appropriately".
Q1: Do I have to keep these as two policies, or is it preferable to merge both 
into one document?

2 - For the Client Security Policy:
Q2: Is there any simple, clear and complete document that is already 
available for free on the net?

3 - For the IT Security Policy in general:
Q3: I got lots of documents, but until now I have not been able to find a 
complete policy that could serve as a reference in my security dept., since 
we have a firewall and servers (domain, Exchange, webmail, Oracle web 
application, ...).
Is there any document that covers all of the above mentioned IT 
services, and more?

Your comments and support are really appreciated.

with regards,

Hilal Hussein

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards