Firewall Wizards mailing list archives

Re: Policy ? (was RE: Penetration Tests)


From: Edward Cracknell <edward () securIT net>
Date: Mon, 29 Sep 1997 08:35:54 +0100 (BST)

bailey () ddn af mil (Capt Jim Bailey - SSG/SINS - DSN 596-6106) wrote:
bailey >I think everyone agrees that having a solid security policy is needed before
bailey >implementing any feasible security architecture.  My question is what does
bailey >this policy encompass?  My question is not directed at the technical details
bailey >of how to get things done, but more towards the high level that has to be
bailey >sold to Joe and Jane user, the management, etc.  Are you looking at writing
bailey >a document that states such general things like "don't use the network for
bailey >unofficial business"? Or do you get more specific like "all web traffic
bailey >will be proxied and only allowed to the following sites..."

Hope this isn't going to drift too far off-topic;

Well, the response to my original mails has fully satisfied my
requirements. I have other people's valued opinions, some confirmations
and pointers to new products/techniques.

Other than building a 'policy' directly from the guidelines in RFC1244,
I think most organisations need one developing for them. Simply because
they do not understand how all-encompassing this thing has to be. Do
commercial organisations go as far as NOT marking the computer room on
the blueprints before filing them at the public records office?

Even before most businesses connected to the Internet, or had any sort
of elaborate networks in place, they had 'Non-disclosure' references in
the employees' contracts. There were also lists of company 'rules' - do's
and don'ts, and this is what we start with when defining a policy.

Maybe it isn't so easy in larger organisations, and so a tiered policy,
with levels of implementation might work better, but then there is
always the danger that the wrong 'level' of security is used in the
wrong place.


-------------------------------------------------------------
Edward Cracknell 
Security Administrator/Author
edward () SecurIT net
---------  Okay, who put a "stop payment" on my reality check? -----------