Firewall Wizards mailing list archives

RE: OT: Information Security policy


From: Nigel Willson <NWillson () tbg com>
Date: Thu, 15 Feb 2001 17:27:34 -0700

I am looking for information about implementing and
considering Information Security policies.

How many people actually consider the BS7799 Standard?

I have found a majority of companies use BS7799 as a base
for policy, especially financial institutions. I built a
60-page document myself although I do not recommend a long
document, better short 2-page focused policies. Human
friendly.
 
Are there any other standards that people recommend?

Yes, a lot of enterprises are basing policy upon privacy
standards such as HIPAA and Gramm-Leach-Bliley. It can
save a lot of cost and pain later.
 
Do developers and designers or security enforce "roles and 
access" upon data itself, to ensure that users of the 
information follow the policy that is set within the company?

Newer technologies are supporting the enforcement of business
rules/policy in access controls, else policy can become "Yes, we
have policy! Where is it?"

RBAC is getting hot, as a leverage of directories and a savior
before migrating to Windows 2000.

Nige.
Senior Consultant,
The Burton Group.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

