Security Basics mailing list archives
Re: Security policy
From: "Matt Lye" <lyematt () gmail com>
Date: Thu, 26 Oct 2006 11:10:50 +1000
The SANS Reading Room is a good source to start with, and many of the links are good, but with all the information, don't forget the primary point you should keep in your head while writing one: if it is even the slightest bit complicated, most users won't follow it without active enforcement. Keep things simple regardless of what you do; a simple item from a security standpoint, such as making passwords longer and changed more regularly, also causes a larger security risk with an increase in the likelihood of someone writing it down. Many pentesters search for passwords on whiteboards, Post-it notes, and written under, or on the back of, your keyboard. The sad thing is that they find a lot of them.

Michael Santarcangilo(sp?) from the security roundtable has a lot of good information about how to develop business security practices on his blog http://www.securitycatalyst.com/ and should be happy to respond to an email query on his project to improve the way people practice information security.

Hope it helps

On 10/25/06, Francois Yang <francois.y () gmail com> wrote:
Can anyone please point me in the right direction. I need to write some security policies, but I'm not sure where to begin. I know there are a lot of examples and templates out there, but what do I include in the policy? I see separate policies for e-mail, password, remote access, acceptable use, etc... but I was also told that it is better to try to make all of those fit into one so that we don't have to keep track of 10 different policies. The question is, which ones do I include in one big security policy and which ones do I make separate?

Thank you.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
--
You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.

<No trees were harmed during this transmission. However, a great number of electrons were terribly inconvenienced>
Current thread:
- Security policy Francois Yang (Oct 25)
- RE: Security policy Roger A. Grimes (Oct 25)
- RE: Security policy Weir, Jason (Oct 25)
- Re: Security policy Russ Foster (Oct 25)
- Re: Security policy Tamarcus A Person (Oct 25)
- Re: Security policy Matt Lye (Oct 27)
- <Possible follow-ups>
- RE: Security policy Laundrup, Jens (Oct 25)
- Re: Security policy Francois Yang (Oct 25)
- RE: Security policy Murda Mcloud (Oct 27)
- Re: Security policy Tamarcus A Person (Oct 27)
- Re: Security policy Francois Yang (Oct 25)
- RE: Security policy Luis Lopez Sanchez (Oct 27)
- RE: Security policy Ramirez, Steven (Oct 27)