Firewall Wizards mailing list archives

Re: Security Policy


From: Adam Shostack <adam () homeport org>
Date: Wed, 22 Oct 1997 09:13:46 -0400 (EDT)

Maybe.:)

Does your organization have sufficient management structure to have
policies on writing policies?  If so, I strongly suggest following
them.  If you don't, consider getting a half hour of your CEO's time up
front.  Give him 10 minutes of scare, 10 minutes of 'here's what I'm
going to do' and 10 minutes to ask questions.  Your goal here is to
get his general buy-in that the organization needs a security policy
in place.  This lets you badger everyone in the company to discover
what they do, and if it involves the internet, or if they'd like to be
using the internet.  You now create a list of things people are doing,
things they need to be doing, but don't know how, and things that they
want to be doing.

        Then you bang your head against the wall because the people
who are doing things have solutions that, well, just ain't secure, and
what's more, have built business on them.

        Once you've calmed down and taken inventory, you need to weigh
the risks of cutting off real and potential use of the internet against
the benefits.  Most businesses take a policy base of explicit
permission; the question becomes who in the organization gets to grant
that permission?  Is there a CIO? VP of Security?  You want someone
with some management weight to make the call, so they are not
instantly overridden.  I strongly suggest putting in an appeals
process, since that guides the politics that follow a no decision.

        Now that you've got a process on paper, take it to each of the
people you think should be doing work, and try for their buy-in.  Once
you have that, get the CEO to buy in, and you've got a policy, if you
can keep it.

Adam


Wolfgang 'Robyn' Braun wrote:

| Don't get me wrong, I know what should be allowed across the firewall
| and I know how to implement it (actually I already did it on my
| private subnet) - but I really don't know how to write a security
| policy. Is there some sort of guideline on how to write a security
| policy?

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
