Firewall Wizards mailing list archives

Re: Security Policy


From: Bennett Todd <bet () rahul net>
Date: Fri, 24 Oct 1997 04:18:23 -0700

On Thu, Oct 23, 1997 at 08:35:58AM -0400, McKenna, Joe wrote:
> For the most part, I agree that the security policy should be the same
> for the firewall and the rest of the organization. [...]

Oops --- I think we're talking past one another here. From that
statement (and the ones below as well) I'm pretty sure you're saying
``security policy'' and referring to ``security implementation''.

Security _policy_ is a statement of the organization's security
goals and requirements. It is common to all systems; in fact it
doesn't need to mention systems. Different systems have different
uses, and different exposures to risk, and so will require different
sorts of security _implementation_ to address the relevant
requirements of the security _policy_.

> [...] But, there are policies that are mandatory in a firewall
> might be a hard sell for the rest of the organization. [...]

Say instead that the firewall, being directly exposed to the
internet, requires security restrictions that aren't needed on
interior machines, to meet your organization's security policy. This
is the common state of affairs, and to a degree it's usually
appropriate. It's still important to remember that the firewall
doesn't keep out physical intruders, malicious insiders, people who
succeed in exploiting inappropriate modem hookups on desktops,
people who succeed in burgling sendwhales by remote control, etc.,
etc. There is a lot that can be done on the inside net to fix
security problems without any visible impact on legitimate users,
and it's important to do that.

> [...], but implementing this on an HR system with hundreds of
> users can be a management nightmare.  So people take the easy way out by
> using login name and password and hope others won't probe and snoop.

I doubt many organizations use authentication tokens for internal
logins; userid/passwd are still the norm in that setting.

> The policy can be stated, but enforcing it is another matter.

If enforcing it is another matter, then the security admin has some
work they have to do. From your earlier comments I suspect there
isn't a proper security _policy_ at all. The security policy needs
to lay out the organization's security requirements; these are
generally driven by system availability, data integrity, and data
confidentiality. These will vary from department to department, and
sometimes even within a single department. Such a statement can have
the assistance of a security admin, to help make sure it's complete,
sufficiently detailed to determine the security implementation, and
not too expensive to implement. But whether or not the security
admin helps, the security policy gains the authority it must have
from the senior management that sponsors it. The security policy is
the basis for enforcement of the security implementation. With a
well-designed policy, properly endorsed and supported by senior
management, and a well-crafted security implementation that supports
the security policy with the irreducible minimum of inconvenience
to users, there's no problem with enforcement, none at all. People
who are breaking the security implementation are directly failing to
support the organization's needs as expressed in the security
policy.

-Bennett