Security Basics mailing list archives

RE: Security Policy-Please help


From: "kevin" <Kevin () ktstone com>
Date: Tue, 12 Aug 2003 10:32:17 -0500

I would have to agree, but would like to add a few pennies.
True, without management support and full backing you will find it
difficult to adequately develop a security policy that will fit your
company's needs and desires.  Remember a good security policy balances
these.  Ok, on with it....

1.  To identify critical assets you will need to understand the big
picture (e.g. How the company makes money.)  The big picture usually
hovers over the vast expanse of service and product.  You need to know
this because sometimes you are protecting a physical asset and at others
a "soft" asset like a process or data etc...  
2.  Once you have identified the assets you need to define the
probability and possibility of a threat against those assets.  The
threat should be as realistic as possible.  Let me straighten that
wrinkle a bit: A "probability" is the likelihood of an event; for
example, is it possible that a typhoon would strike Arizona?  Not likely,
but "possible."  It is important to note the difference and adequately
prepare for what is probable--not possible (in most cases).  This saves
the company money and a great deal of time implementing the policy.
3.  The policy should not take a great deal of time to implement.  This
is critical because things will change with time and if the policy is
behind the power-curve it will never be implemented because it is never
up-to-date and therefore is not cost effective.  You should try to
balance the in-depth quality of the policy along with the need to
implement it and keep it up to date.
4.  Often a continuity plan is the first step towards a Risk assessment
and security policy, in my humble opinion.  It states what x will do if
y happens.  It should help guide you towards policy.
5. An official risk assessment, done by an outside agency is often very
helpful but costly.  An RA team is composed of highly qualified
personnel (Unix and Windows Gurus and Network demi-gods and other
almost-immortals) that can sift through the bowels of the most complex
network and business processes and see what needs tweaking, what is
missing and what you have to do to protect everything your company deems
valuable to their survival.  Also, because they do not know your systems
they will almost always find things you are often blinded to.  With
cooperation with internal personnel a well executed and documented RA
will include security penetration tests and much, much more.  I highly
suggest it.  

Hope this helps.  

Kevin Steiner
Capitol College



I've been writing custom security policies and have done lots of
research on the internet about it.   I've also reviewed lots of company
policies which are currently in place.

In my mind, the first thing to do of course is convince management that
they need a policy.  This is the easiest step.  Every business
owner/exec will jump at the opportunity to gain control over their
company.  Especially if it's going to reduce risk, and save money due to
lost production time of employees and cut down on IT staff expenditures.

When beginning to write the policy, the first thing I start with is
defining the company's assets.  This kind of makes the rest fall into
place.  

Bandwidth, computers, servers, routers, software, user accounts, domain
name space, reputation (for email server relay and spam lists), customer
data/info, employee data/info, shareholder info/data, etc. etc.

These things will all be defined and should have their own place within
the policy, along with what measures are going to be taken to protect them.
They should also be given a rank of privacy, from publicly obtained
information to top secret.

Implementing a written policy is a big nasty monster.  Writing one is
even worse.  Good Luck.

Almost forgot.   "The Art of Deception" by Kevin Mitnick has a very good
write up in the back of the book about building written security
policies...
