Firewall Wizards mailing list archives

RE: Policy ? (was RE: Penetration Tests)


From: Gary Crumrine <gcrum () us-state gov>
Date: Tue, 30 Sep 1997 06:14:25 -0400

I think Ed makes a very subtle, but good point with his 
tiered suggestion.  Put it in the perspective of the user 
audience.  What you would provide to the operations staff, 
will be very different than what the average user would 
need.  If the document is too cumbersome, the user will 
just sign off that they read it and forget it due to 
information overload.  It is unfortunate that we still have 
to deal with some pretty computer illiterate users.  But 
that is a fact of life that we will see continue for quite 
a while.  I cannot go to my challenged users with 
instructions, rules and such and expect them to make sense 
of it all.  Education is the key to enforcement, but 
simplicity, and being able to tailor the policy to the user 
environment may just be the lynchpin in the process.

<snip>
| Hope this isn't going to drift too far off-topic;
|
| Well, the response to mail original mails has fully satisfied my
| requirements. I have other people's valued opinions, some confirmations
| and pointers to new products/techniques.
|
| Other than building a 'policy' directly from the guidelines in RFC1244,
| I think most organisations need one developing for them. Simply because
| they do not understand how all-encompassing this thing has to be. Do
| commercial organisations go as far as NOT marking the computer room on
| the blueprints before filing them at the public records office?
|
| Even before most businesses connected to the Internet, or had any sort
| of elaborate networks in place, they had 'Non-disclosure' references in
| the employees' contracts. There were also lists of company 'rules' - do's
| and don'ts, and this is what we start with when defining a policy.
|
| Maybe it isn't so easy in larger organisations, and so a tiered policy,
| with levels of implementation might work better, but then there is
| always the danger that the wrong 'level' of security is used in the
| wrong place.
|
|
| ----------------------------------------------------------------
| Edward Cracknell
| Security Administrator/Author
| edward () SecurIT net
| ---------  Okay, who put a "stop payment" on my reality check? -----------