Security Basics mailing list archives

Re: Security Policy-Please help


From: Bennett Todd <bet () rahul net>
Date: Wed, 6 Aug 2003 13:19:07 -0400

2003-08-06T04:07:48 Kampanellis Ioannis:
Any advice? Where could I start?

Big, big question. I think you start several steps before the sort
of things you mentioned.

The very first thing is to determine the organization's commitment.
If you have a positive commitment from senior management, proceed.
Otherwise retire from the field :-).

Then you evaluate the organization's needs as they relate to
computer security. A reasonable first step would be to describe
the functionality they require --- what services they must be able
to use, especially focusing on places where security boundaries
exist.  Then describe the resources that must be protected. Often
computer security analysis organizes these resources into categories
of confidentiality (keeping certain information secret from some
people), integrity (preventing unauthorized modification of certain
data), and availability (preventing attackers from denying you the
use of your systems).

Once you've sketched this out, the fleshing out of a robust security
policy needs to follow a course of describing the overall goals
as determined by the above analysis, then enumerating required
practices in various areas, motivated by the above goals, and
where appropriate including cost/benefit analysis justifying the
requirements.

The final step loops back to the beginning. Once the policy has been
reviewed and refined by all the major participants who will be
required to honor it, you finish it with a statement describing the
approval process through which it holds authority, and the revision
process required to address any defects found.

As an example of the analysis process, some organizations have to
allow all their users to interact with internet email; they
refuse to bear the perceived cost of using a secure platform from
which to do internet email; and they require that their systems be
available, and resistant to arbitrary browsing and modification by
random strangers. Therefore the bandaid of "virus scanning" must be
deployed somewhere in the email transit path before messages reach
the users' email clients. Most often the analysis can be structured
along these lines: identify a threat, identify any costs that cannot
be borne, and thereby motivate the requirement.

-Bennett
