Firewall Wizards mailing list archives
Re: Security policy & setup for portable computers
From: Mitch Pirtle <mitchell.pirtle () verizon net>
Date: 23 Jun 2003 11:09:43 -0400
Replying direct, my posts keep getting moderated.

On Sat, 2003-06-21 at 08:27, Hilal Hussein wrote:
Dear Gentlemen,

My Boss asked me to write down:
1 - the Password Policy
2 - The Client 'winXP,win98,winNT Workstation' Security Policy
3 - The Information Technology Security Policy in General in our company

1 - For the Password Policy, I got lots of documents from the net, and I came out with two policies, one for "the creation of strong passwords, the protection of those passwords, and the frequency of change" and the other is for "how to write down passwords and seal them in an envelope, how to store them and retrieve them appropriately".

Q1: Do I have to keep it as two policies, or is it preferable to merge both in one document?
I kept them separate, with one targeted at end users and the other directly to IT.
2 - For the Client security policy

Q2: Is there any simple/clear and complete document that is already available for free on the net?
SANS (www.sans.org) has plenty of documents to pull from, you could certainly create something from their information.
3 - For the IT security policy in General

Q3: I got lots of documents, but till now, I am not able to see a complete policy that will be a reference in my security dept, since we have firewall, servers "domain, exchange, webmail, Oracle web application, ...". Is there any Document that is covering all of the above mentioned IT services, and more?
Again, there are sample policies available for inspiration, I prefer the layered approach, with an overall strategy (the dreaded "I have visions" paper), more specific policies (still general, e.g. passwords) and detailed papers (e.g. "Do these steps for every Solaris box you install"). I've also found that in global organizations it helps to farm out the detailed paper-writing work to the local IT staff, as they like the ownership, speak the local language, and become intimate with your security plans...
One further question: what is the Security policy for a laptop? And what setup should there be for the laptop to be secure, since users will travel with the laptop using other network or internet connections, then come back to our secure network? I am sure that some extra care should be taken in advance in order not to introduce any vulnerability to our secure network.
Depends on the hardware and OS capabilities, don't you think? Newer IBM ThinkPads have access protection within the hard drives, and are much more secure than simple BIOS-based systems. And W2K is much more tightly controlled (from a permissions standpoint) than Win9X. Make sure your policy can be implemented on existing systems, or enforcing it will be moot.

Feel free to contact me with any other questions about policies, I'd love to see more open flow of information regarding the topic and would gladly help.

-- Mitch