Firewall Wizards mailing list archives

Re: Re Where to find a example security policy?


From: "Rafael Jose Teixeira (ESDI-NSI)" <rjteixeira () bes pt>
Date: Fri, 29 Sep 2000 15:37:12 +0100


Other good sources for that kind of book are:
A Guide to Developing Computing Policy Documents - Barbara L. Dijker -
SAGE Edition (www.usenix.org)
Information Security Policies Made Easy - Charles Cresson Wood -
www.baselinesoft.com (expensive)
The NCSA Guide to Enterprise Security - Michel E. Kabay (McGraw-Hill)

However, "security awareness" must be developed from the bottom up, with
user education, enforced with (formal) management empowerment.
Talking with the "techies" might be a nightmare, but they know the
system, and where it might crack....


Rafael Teixeira

Brian Ford wrote:

Andy and Aaron,

I thought your advice on the "4 E's" was excellent with regard to Internet Acceptable Use Policy.  But with respect 
to overall Security Policy there are some areas where your suggestions break down.

You spoke about policies and culture.  It is nice to think that a group of employees working for the same company 
could come together, draft and publish such a policy document. In my experience many times these efforts go sideways 
when employees can't agree on specifics (like exactly which applications should be supported by the company) or 
ignore the reality of how the corporate network works (how much Internet can you push or pull over a T-1 line?).  
Yes, many employees want to do the right thing and "just need to know what is right and what is wrong".  Often it's 
difficult to get them to agree on right and wrong (after all, they are human).

The most successful effort to develop and put in place a policy that I ever witnessed involved a draft that was 
written by the IT department (that was 3 people).  It was based on the company's specific environment (applications, 
network, etc...).  It was forwarded to the CEO, who read it and discovered that he had to ask questions to understand 
various chunks.  But after he asked and got answers to all his questions, he drafted a memo to all employees.  In that 
memo the CEO discussed the objective of putting the policy in place, defined the policy, and explained how it should work.

He followed that up with an all-employee meeting.  That resulted in questions from employees about how various things 
should work.  Questions about use of applications.  A lot of questions about backing up data.  The IT department 
wound up bringing in some trainers who then focused on those employee questions.  It wasn't "rammed" through, as everyone was 
given an opportunity to ask questions.  The policy as defined by the CEO went into place.

After the security policy was in place, the IT group went back (working with management and HR), drafted, and 
implemented an acceptable use policy.  And by that time all employees were "pulling the oars in the same direction".  
It made sense.  It was worded so that everyone understood what was in- and out-of-bounds behavior. Many employees 
signed off right away.  But they still had folks who objected.  I believe that company made renewal of the policy 
part of an annual review (not sure).

I've wanted to write about this effort for some time.  This wasn't my employer.  The company involved has no interest 
in being "a reference" for such a paper.  So, the best I can do is this.

Lessons that I learned from that company were that you can't assume everyone will understand the policy.  You have to 
deliver it in "plain talk" format.  You have to follow up, solicit questions (and objections), and talk to people 
about it.  Education is important, if not critical, to success.  The policy has to apply to everyone, and be enforced 
equally on everyone. Imagine the scene when an employee claims wrongful dismissal and proves that the executive staff 
(or others) are not held to the same "all employee" standards.

And no matter how much good work you do some people will ask if they can "opt-out".

Regards,

Brian

Brian Ford
brford () cisco com

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
