RE: Security Policy-Please help

["dmwidger" <dwidger () houston rr com>]

How about this point of view?

Consider that a security policy is a component of a continuous improvement
process.

Security Policy is a pro-active pre-defined baseline.  An example:  We will
allow this, we won't allow that, we want that system configured in such and
such way.

An audit is to compare the reality of a given system against the what the
baseline is.  If there is no baseline, then you can't audit against it.

Consider the difference of an audit against a risk assessment.  A risk
assessment is comparing what are the relative strengths and weaknesses
against a broad external framework or benchmark.  As a security program
matures, the focus moves from risk assessments towards routine and periodic
audits (which compares against a known established baseline).

The risk assessments identifies that there needs to be policies, standards
and procedures.  Once these are defined, then audits cand executed  on a
regular basis to measure how reality differs from the defined baseline (set
by policies, standards and procedures).  The followup to an audit is an
implicit risk assessment where an auditor identifies the areas where systems
aren't in compliance, but identifies that areas that bring the highest risk
to the company.  The auditor's "risk assessment" identifies where deviations
exist from policies, standards, and procedures, ranking them, and this feeds
back into the organizations "risk posture", for correction.

In essence, higher risk equates to higher loss which detracts from a
corporations efficiency and profitability.

Security equates to risk management.  Security policy is a high level
benchmarking tool.

danw


> -----Original Message-----
> From: Jason Armstrong [mailto:jarmstrong () technicacorp com]
> Sent: Wednesday, August 06, 2003 1:18 PM
> To: security-basics () securityfocus com
> Subject: RE: Security Policy-Please help
>
>
> From http://www.sans.org :
>
>
> What is a security policy?
>
> All security and technical training classes talk about the necessity of
> basing procedures on a good security policy. We need to understand what is
> meant by policy.
>
> For an expansive repository of sample security policies view: "The SANS
> Security Policy Project" at:
> http://www.sans.org/resources/policies/
>
> Safeguarding information is challenging when records are created
> and stored
> on a computer. Research projects are often excellent resources
> for security
> policies. A good sample of one is "Global Incident Analysis Center" at:
> www.sans.org/y2k/sec_policy.htm
>
> To learn how to define a sample security policy see the document "GIAC ISO
> Practical Assignment, VPN/Extranet Service Provider Security Policy and
> Procedure" by Jonathan Espenschied at:
> http://www.giac.org/practical/Jonathan_Espenschied_GISO.pdf
>
> For a more advanced point of view check out "Track 10: Sans Security
> Essentials for Auditors" which is designed for individuals entering the
> information security industry who are tasked with auditing organizational
> policy, procedure, risk or policy conformance.
> http://www.sans.org/onsite/track10.php
>
>
>
>
>
> -----Original Message-----
> From: Kampanellis Ioannis [mailto:kampanellisI () antenna gr]
> Sent: Wednesday, August 06, 2003 4:08 AM
> To: security-basics () securityfocus com
> Subject: Security Policy-Please help
>
>
> Hi!
>
> I pursue an MSc in System and Network Security and I am currently doing my
> internship in a
> media group (ieTV, Radio, WebSites etc).My "mission" is to write down a
> security policy for
> their network.
>
> Basically I know where to start,meaning things such as Anti-Virus etc. The
> problem is that their network is not totally new. They have PIX, Packet
> Shapers, Anti Virus installed etc. That means that my "job" is
> getting even
> more difficult cause I have to dig and find the details, which is not so
> easy for a newbie in security :-( Another problem is that their
> systems are
> based on Windows :-(
>
> Any advices? Where could I start?
>
> Having several thoughts, test the password cracking of the users
> could be a
> good step(I assume). Is there any such tool?or does anyone know
> where Win2k
> stores the password and how it is hashed?
>
> Finally, I am trying to find a tool (freeware) to help me do the auditing
> (eg run penetration tests etc) If anyone knows such tool, it woud
> be great?
>
>
> Thnx in advance
> John
>
> ------------------------------------------------------------------
> ---------
> ------------------------------------------------------------------
> ----------
>
> ------------------------------------------------------------------
> ---------
> ------------------------------------------------------------------
> ----------



---------------------------------------------------------------------------
----------------------------------------------------------------------------