Firewall Wizards mailing list archives

Re: Security policy & setup for portable computers


From: Mitch Pirtle <mitchell.pirtle () verizon net>
Date: 23 Jun 2003 11:09:43 -0400

Replying direct, my posts keep getting moderated.  ?

On Sat, 2003-06-21 at 08:27, Hilal Hussein wrote:
Dear Gentlemen,

My Boss asked me to write down :
1 - the Password Policy
2 - The Client 'winXP,win98,winNT Workstation' Security Policy
3 - The Information Technology Security Policy in General in our company

1-For the Password Policy, I got lots of documents from the net, and I came 
out with two policies, one for "the creation of strong passwords, the 
protection of those passwords, and the frequency of change" and the other is 
for "how to write down passwords and seal them in an envelope, how to store 
them and retrieve them appropriately".
Q1: do I have to keep it two policies or is it preferable to merge both in 
one document?

I kept them separate, with one targeted at end users and the other
directly to IT.

2 - For the Client security policy
Q2: Is there any simple/clear and complete document that is already 
available for free on the net?

SANS (www.sans.org) has plenty of documents to pull from, you could
certainly create something from their information.

3 - For the IT security policy in General,
Q3: I got lots of documents, but till now, I am not able to see a complete 
policy that will be a reference in my security dept, since we have firewall, 
servers "domain, exchange, webmail, Oracle web application, ...
Is there any Document that is covering all of the above mentioned IT 
services, and more?

Again, there are sample policies available for inspiration, I prefer the
layered approach, with an overall strategy (the dreaded "I have visions"
paper), more specific policies (still general, e.g. passwords) and
detailed papers (e.g. "Do these steps for every Solaris box you
install").

I've also found that in global organizations it helps to farm out the
detailed paper-writing work to the local IT staff, as they like the
ownership, speak the local language, and become intimate with your
security plans...

One further question: what is the Security policy for a laptop? and what 
setup should be for the laptop to be secure since users will travel with the 
laptop using other network or internet connections, then come back to our 
secure network, I am sure that some extra care should be taken in advance 
in order not to introduce any vulnerability to our secure network.

Depends on the hardware and OS capabilities, don't you think?  Newer IBM
ThinkPads have access protection within the hard drives, and are much
more secure than simple BIOS-based systems.  And W2K is much more
tightly controlled (from a permissions standpoint) than Win9X.  Make
sure your policy can be implemented on existing systems, or enforcing it
will be moot.

Feel free to contact me with any other questions about policies, I'd
love to see more open flow of information regarding the topic and would
gladly help.

-- Mitch

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

