Firewall Wizards mailing list archives
Re: Security Policy
From: Adam Shostack <adam () homeport org>
Date: Wed, 22 Oct 1997 09:13:46 -0400 (EDT)
Maybe. :)

Does your organization have sufficient management structure to have policies on writing policies? If so, I strongly suggest following them.

If you don't, consider getting a half hour of your CEO's time up front. Give him 10 minutes of scare, 10 minutes of 'here's what I'm going to do' and 10 minutes to ask questions. Your goal here is to get his general buy-in that the organization needs a security policy in place.

This lets you badger everyone in the company to discover what they do, and if it involves the internet, or if they'd like to be using the internet. You now create a list of things people are doing, things they need to be doing but don't know how, and things that they want to be doing. Then you bang your head against the wall because the people who are doing things have solutions that, well, just ain't secure, and what's more, have built business on them.

Once you've calmed down and taken inventory, you need to weigh the risks of cutting off real and potential use of the internet against the benefits. Most businesses take a policy base of explicit permission; the question becomes who in the organization gets to grant that permission? Is there a CIO? VP of Security? You want someone with some management weight to make the call, so they are not instantly overridden. I strongly suggest putting in an appeals process, since that guides the politics that follow a no decision.

Now that you've got a process on paper, take it to each of the people you think should be doing work, and try for their buy-in. Once you have that, get the CEO to buy in, and you've got a policy, if you can keep it.

Adam

Wolfgang 'Robyn' Braun wrote:
| Don't get me wrong, I know what should be allowed across the firewall
| and I know how to implement it (actually I already did it on my
| private subnet) - but I really don't know how to write a security
| policy. Is there some sort of guideline on how to write a security
| policy?
-- "It is seldom that liberty of any kind is lost all at once." -Hume