Firewall Wizards mailing list archives
RE: Policy ? (was RE: Penetration Tests)
From: Gary Crumrine <gcrum () us-state gov>
Date: Tue, 30 Sep 1997 06:14:25 -0400
I think Ed makes a very subtle, but good point with his tiered suggestion. Put it in the perspective of the user audience. What you would provide to the operations staff will be very different than what the average user would need. If the document is too cumbersome, the user will just sign off that they read it and forget it due to information overload. It is unfortunate that we still have to deal with some pretty computer-illiterate users. But that is a fact of life that we will see continue for quite a while. I cannot go to my challenged users with instructions, rules and such and expect them to make sense of it all. Education is the key to enforcement, but simplicity, and being able to tailor the policy to the user environment, may just be the linchpin in the process.

<snip>

| Hope this isn't going to drift too far off-topic;
|
| Well, the response to my original mails has fully satisfied my
| requirements. I have other people's valued opinions, some confirmations
| and pointers to new products/techniques.
|
| Other than building a 'policy' directly from the guidelines in RFC1244,
| I think most organisations need one developing for them. Simply because
| they do not understand how all-encompassing this thing has to be. Do
| commercial organisations go as far as NOT marking the computer room on
| the blueprints before filing them at the public records office?
|
| Even before most businesses connected to the Internet, or had any sort
| of elaborate networks in place, they had 'Non-disclosure' references in
| the employees' contracts. There were also lists of company 'rules' - do's
| and don'ts, and this is what we start with when defining a policy.
|
| Maybe it isn't so easy in larger organisations, and so a tiered policy,
| with levels of implementation, might work better, but then there is
| always the danger that the wrong 'level' of security is used in the
| wrong place.
|
| ----------------------------------------------------------
| Edward Cracknell
| Security Administrator/Author
| edward () SecurIT net
| --------- Okay, who put a "stop payment" on my reality check? -----------