Firewall Wizards mailing list archives
Re: Policy ? (was RE: Penetration Tests)
From: Edward Cracknell <edward () securIT net>
Date: Mon, 29 Sep 1997 08:35:54 +0100 (BST)
bailey () ddn af mil (Capt Jim Bailey - SSG/SINS - DSN 596-6106) wrote:

bailey >I think everyone agrees that having a solid security policy is needed before
bailey >implementing any feasible security architecture. My question is what does
bailey >this policy encompass? My question is not directed at the technical details
bailey >of how to get things done, but more towards the high level that has to be
bailey >sold to Joe and Jane user, the management, etc. Are you looking at writing
bailey >a document that states such general things like "don't use the network for
bailey >unofficial business"? Or do you get more specific like "all web traffic
bailey >will be proxied and only allowed to the following sites..."

Hope this isn't going to drift too far off-topic;

Well, the response to my original mails has fully satisfied my requirements. I have other people's valued opinions, some confirmations and pointers to new products/techniques.

Other than building a 'policy' directly from the guidelines in RFC1244, I think most organisations need one developing for them. Simply because they do not understand how all-encompassing this thing has to be. Do commercial organisations go as far as NOT marking the computer room on the blueprints before filing them at the public records office?

Even before most businesses connected to the Internet, or had any sort of elaborate networks in place, they had 'Non-disclosure' references in the employees' contracts. There were also lists of company 'rules' - do's and don'ts, and this is what we start with when defining a policy.

Maybe it isn't so easy in larger organisations, and so a tiered policy, with levels of implementation might work better, but then there is always the danger that the wrong 'level' of security is used in the wrong place.

-------------------------------------------------------------
Edward Cracknell Security Administrator/Author edward () SecurIT net
---------
Okay, who put a "stop payment" on my reality check?
-----------