Firewall Wizards mailing list archives

Re: Security policy & setup for portable computers


From: Paul Robertson <proberts () patriot net>
Date: Sun, 22 Jun 2003 09:59:25 -0400 (EDT)

On Sat, 21 Jun 2003, Hilal Hussein wrote:

Dear Gentlemen,

[FWIW, there are a good number of non-male subscribers to the list.]


My Boss asked me to write down:
1 - the Password Policy
2 - The Client 'winXP,win98,winNT Workstation' Security Policy
3 - The Information Technology Security Policy in General in our company

1-For the Password Policy, I got lots of documents from the net, and I came 
out with two policies, one for "the creation of strong passwords, the 
protection of those passwords, and the frequency of change" and the other is 
for "how to write down passwords and seal them in an envelope, how to store 
them and retrieve them appropriately".
Q1: do I have to keep it as two policies, or is it preferable to merge both in 
one document?

It depends on if they're for the same audience.  Also, you should think 
very seriously about the value of "strong passwords" versus the fact that 
end-users will write them down, and they'll be either in the top desk 
drawer, under the mousepad, on the monitor, or under the keyboard when you 
go to look.  Most dictionary programs these days are good enough that the 
value from "strong" passwords is negated for all systems that don't have 
exposure to the Internet and password guessing attacks. 

One further question: what is the Security policy for a laptop? and what 
setup should be for the laptop to be secure since users will travel with the 
laptop using other network or internet connections, then come back to our 
secure network, I am sure that some extra care should be taken in advance 
in order not to introduce any vulnerability to our secure network.

Generally, I'd require up-to-date AV where appropriate (Win*) and some 
sort of local firewall with an approved policy on the laptop itself.  
Encryption of sensitive information is probably a good thing too, 
depending on your local laws.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

