Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security policy

From: Tamarcus A Person <tperson () csc com>
Date: Thu, 26 Oct 2006 10:43:23 -0400




You can also considering doing your policy in appendices. For instance, the
main body of your policy will be the high level overview of what the
company expects and rules of behavior and so forth. then for the
appendices, break them down in three major categories (technical,
management, administrative) or just make each area of focus its own
separate appendix. that way when it comes time to update the policy, it
would be alot easier to manage. and also those that want to refer to the
policy can find their particular area of interest quicker and be more
incline to read the material. so i suggest keeping the policy in an
all-in-one format. it will save alot of time with trying to update it and
managing version control.

Thanks in advance!

Tamarcus A. Person, CSC
e-services TIPSS
IT Security & Privacy Engineer

(301) 731-3520


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




                                                                           
             "Francois Yang"                                               
             <francois.y@gmail                                             
             .com>                                                      To 
             Sent by:                  security-basics@lists.securityfocus 
             listbounce@securi         .com                                
             tyfocus.com                                                cc 
                                                                           
                                                                   Subject 
             10/25/2006 04:02          Re: Security policy                 
             PM                                                            
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




thank you everyone for you inputs.
I did look at SANS's website but again I wasn't sure which was the
best way. to have a big policy or multiple small ones.  The main
concern with both ways is that if it is too long, then people won't
read the whole thing and if there are too many of them.  We won't keep
track of them.

So I think this is how I'm going to do things.

1. create specific policies, like e-mail, remote access, password, etc...
2. Create a generic security policy that reference to other policies.
3. Create procedures and standards to go with the more specific policies.

Any other thoughts?


On 10/25/06, Laundrup, Jens <Jens.Laundrup () metrokc gov> wrote:

My suggestion would be to first look at the overall security policy in
place.  Ensure that your IT policy reflects that same level and emphasis
of security.  Then divide up separate security policies for the major
areas (Firewall, acceptable use, access, etc.)

Each policy should be between 2 and 3 pages long.  They should cover the
overarching concepts but should be technology independent

example:
"The system shall be protected by a firewall" -technology dependent

"The system shall be protected from outside the domain" -technology
Independent

Then under each policy, develop a standard that addresses the technology
and the specific implementation of technology to accomplish the goal of
the policy.  This way, the policies, which require high level (CISO, CSO
or CEO) approval are not altered very often whereas the specific
implementation can be controlled at the Security analyst/architect level
and can change regularly while still fulfilling the objectives of the
enterprise as stated in the policy.

A good source for information for the documents is NIST.  There are also
companies who specialize in developing policy, standard and instruction
templates that you can purchase and create from there.  A great place to
go for free stuff are the government agencies since none of their
documents are copyrighted.  If you go to
http://www.e-publishing.af.mil/pubs/majcom.asp?org=AF you can see all
the Air Force policies and procedures (focus on areas 31 and 33 for what
you seek).  And there are many other government agencies (federal, State
and local) that have all their policies published  and available for
public consumption on line.

Good luck


Jens

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Francois Yang
Sent: Tuesday, October 24, 2006 2:39 PM
To: security-basics () lists securityfocus com
Subject: Security policy

Can anyone please point me in the right direction.
I need to write some security policies, but I'm not sure where to begin.
I know there are alot of examples and templates out there, but what do
I include in the policy.
I see seperated policies for e-mail, password, remote access,
acceptable use, etc...but I was also told that it is better to try to
make all of those fit into one so that we don't have to keep track of
10 different policies.  The question is, which one do I include in one
big security policy and which ones to I make them seperate?

thank you.

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---





---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management

education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,

without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: