Firewall Wizards mailing list archives

Re: Security Policy


From: Damir Rajnovic <Damir.Rajnovic () eurocert net>
Date: Wed, 22 Oct 1997 09:23:42 +0100

At 15:20 +0200 20/10/97, Wolfgang 'Robyn' Braun wrote:
Don't get me wrong, I know what should be allowed across the firewall
and I know how to implement it (actually I already did it on my
private subnet) - but I really don't know how to write a security
policy. Is there some sort of guideline on how to write a security
policy?

I am not sure that there is a guideline on how to write it; the general
rule is that you have to have something like this:

a) top-level document, produced by management, which states that the company
   will devote resources to computer security and that they (management) are
   backing that 100%

b) global security policy without particular technical details, statements
   like:
        - all users can use e-mail
        - e-mail must be checked by an e-mail officer who will approve
          sending and delivery
        - all users will freely use WWW
        - only top managers will have access to playboy.com

   and so on (this is rubbish but you can get the idea)

c) several documents which describe the technical details of how things will
   be done

Example (how that can look):

a) ....all measures to ensure security of communication will be made....

b) .... Communication between HQ and branch offices will be encrypted. ....

c) For communication between HQ and branch offices a blah-blah device will be
   used, using algorithm xx. The master key will be changed every month; it will
   be used for encrypting the 'session' key. Distribution of the master key will
   be done by couriers. .....(and so on)

There is one book with many security policies but I can't recall the title, sorry.

Cheers,

Gaus


------------------------------------------------------------------
EuroCERT                        tel: (+44 1235) 822 382
c/o UKERNA, Atlas Centre        fax: (+44 1235) 822 398
Chilton, Didcot  
Oxon OX11 0QS                   http://www.eurocert.net
UK                              mailto:Damir.Rajnovic () eurocert net
------------------------------------------------------------------