Security Incidents mailing list archives

RE: Proxy server hit... Any ideas?

From: Åke Nordin <Ake.Nordin () ecsoft se>
Date: Fri, 22 Nov 2002 13:37:10 +0100


Maybe slightly off-topic, feel free to advise me of better foras...

At 09:07 2002-11-20 -0600, Mike Cain wrote:

I have just got back from meeting
with management to suggest some policies, now they want me to write an
IT policies handbook, guess I asked for that one huh? :)


Consider yourself lucky. This is about your only chance to introduce
some security awareness in your organisation. Just don't push too
hard...

So where should I start looking for de-facto policies, and such? Or


RFC 2196 aka Site Security Handbook is usable on a technical level.
It may or may not be pertinent to your requirements.

The general ideas behind ISO17799 are (mostly) fairly sound (bar
it's pushing of security by obscurity in one place), but far too 
heavyweight in it's wording. It is indeed a cousin to ISO 9001...

ISO17799 started out as BS7799 part 1, the corresponding BS7799 
part 2 is just the requirements clauses with all security 
recommendation stuff cut out. I've found it useful to turn those
clauses in the latter to questions: "do we address this?" "if so, 
how?". Your answers to this would be your policy. 

Be careful with wordings, you've got to cover your bases and be 
general enough that "a little tweaking" of a bad usage makes it 
compliant to the policy (if not to it's intention).

See also <<http://www.xisec.co.uk/>> for the BS7799 editor pages.

should I just use my best judgment? I'm thinking the latter is a bad
idea because if one doesn't pan out, then they say, "Well... YOU wrote
them..." :)


Use standards as a checklist. Try to keep your sanity by giving 
your own answers, not some boilerplate from the standards or 
handbooks. As always, the KISS principle applies to the real 
world, if not to the standards (they are after all designed by 
committees...)

And please note that the ISO/BS stuff addresses "Information security" 
from an "organisational" point of view, it's not just (nor even 
primarily) about network and computer security technology measures.
To be fair, it does emphasise well that "security is a process".

-- 
  .
 /Ake Nordin   ECsoft:        +46-8-506 11100  ake.nordin () ecsoft se
 Damian Conway: "The programmer is fighting against the two most
 destructive forces in the universe: entropy and human stupidity."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Proxy server hit... Any ideas?, (continued)
- - - Re: Proxy server hit... Any ideas? Valdis . Kletnieks (Nov 24)
    - Message not available
    - Re: Proxy server hit... Any ideas? Valdis . Kletnieks (Nov 25)
- RE: Proxy server hit... Any ideas? Othenin-Girard Pascal (Nov 21)
- RE: Proxy server hit... Any ideas? Mike Cain (Nov 22)
  - RE: Proxy server hit... Any ideas? Alvin Oga (Nov 25)
  - RE: Proxy server hit... Any ideas? Captain James T Kirk (Nov 25)
  - Re: Proxy server hit... Any ideas? Etaoin Shrdlu (Nov 25)
  - RE: Proxy server hit... Any ideas? Jonathan Bloomquist (Nov 25)
- Re: Proxy server hit... Any ideas? Valdis . Kletnieks (Nov 26)
- Re: Proxy server hit... Any ideas? Toby Felgenner (Nov 26)
- RE: Proxy server hit... Any ideas? Åke Nordin (Nov 27)