[olug] Computer Security Policy
Dan Linder
dan at linder.org
Tue Nov 30 16:43:03 UTC 2010
On Mon, Nov 29, 2010 at 22:20, Dan Anderson <dan-anderson at cox.net> wrote:
> > - What is needed in a security policy to make it strong and thorough?
>
> 1. Management support from the highest levels.
> 2. See #1 :)
> 3. Policies should be high-level and relatively constant over time -
> more fluid standards should be derived from the application of the
> high-level policy as it relates to specific technology and process
> needs - specific detailed operational procedures can be developed that
> ensure compliance with the standards, etc.
> 4. Some degree of risk analysis (formal or informal depending on the
> environment) should (read: MUST) be undertaken prior to the creation
> of policy. (I suspect SANS also has some useful info related to this
> activity)
> 5. Policy exists to support the business - not the other way around.
>
(Related to #3) I'd also suggest that the policies be general enough not to
call out a specific protocol, department, or person (Yes, I've seen a policy
written to that level!).
I'd also suggest that the policies apply to EVERYONE! At a past company,
when I came in and was asked to review their firewall configurations, the
"IT Department" rule was a wide-open permit on all ports/protocols straight
to the Internet with no logging, whereas everyone else was under tightly
controlled and logged access to the Internet through a mandatory proxy
server.
Dan
--
***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
(Who can watch the watchmen?)
-- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
-- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************
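The firewall situation Dan describes (one group with an unlogged permit-all to the Internet while everyone else is forced through a logged proxy) is the kind of policy exemption that is easy to spot mechanically once the ruleset is in a reviewable form. The script below is an added example written for this archive page, not code from the thread or from any firewall product: it parses a constructed, simplified rule format (`name src dst proto ports action log|nolog`, an assumption made here for readability), flags Internet-egress permits that are unlogged, all-protocol, or that exempt a subnet from a deny applied to a wider population, and produces the remediated ruleset in which the IT subnet is subject to the same proxy-only rules as everyone else. The sample rules are made up to mirror the post.

```python
"""Audit a simplified firewall rule list for per-group Internet-egress
exemptions, and produce a ruleset in which the policy applies to everyone.

Added example, not code from the OLUG thread. The rule format and the
sample rules are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR/host, or "any" (treated as the Internet)
    proto: str    # "any", "tcp", "udp", ...
    ports: str    # "any" or a comma-separated port list
    action: str   # "permit" or "deny"
    log: bool


# Constructed sample: an IT-only wide-open, unlogged rule beside the
# proxy-only rules that apply to the rest of the company.
SAMPLE_RULESET = """\
# name                  src           dst        proto ports action log
it-dept-egress          10.0.5.0/24   any        any   any   permit nolog
all-users-to-proxy      10.0.0.0/16   10.0.1.10  tcp   3128  permit log
all-users-deny-direct   10.0.0.0/16   any        any   any   deny   log
"""


def parse_ruleset(text):
    """Parse the simplified format; '#' starts a comment, blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed rule line: {line!r}")
        name, src, dst, proto, ports, action, log = fields
        if action not in ("permit", "deny") or log not in ("log", "nolog"):
            raise ValueError(f"bad action/log field in: {line!r}")
        rules.append(Rule(name, src, dst, proto, ports, action, log == "log"))
    return rules


def _covers(outer, inner):
    """True if source spec `outer` contains every address in source spec `inner`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def audit(rules):
    """Return [(rule name, [reasons])] for permits to the Internet that are
    wide open, unlogged, or carve a subnet out of a deny that binds a wider group."""
    findings = []
    for r in rules:
        if r.action != "permit" or r.dst != "any":
            continue
        reasons = []
        if r.proto == "any" and r.ports == "any":
            reasons.append("permits all protocols and ports to the Internet")
        if not r.log:
            reasons.append("traffic is not logged")
        # Exemption check: some broader source population is denied the same access.
        denied_for_others = any(
            o.action == "deny" and o.dst == "any" and o is not r and _covers(o.src, r.src)
            for o in rules
        )
        if denied_for_others:
            reasons.append(f"exempts {r.src} from a deny that applies to a wider group")
        if reasons:
            findings.append((r.name, reasons))
    return findings


def remediate(rules):
    """Drop the flagged exemptions so every source is bound by the same rules;
    what remains sends all users, IT included, through the logged proxy."""
    flagged = {name for name, _ in audit(rules)}
    return [r for r in rules if r.name not in flagged]


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    for name, reasons in audit(parsed):
        print(f"{name}: " + "; ".join(reasons))
    print("remediated ruleset:", [r.name for r in remediate(parsed)])
```

Running it against the sample flags only `it-dept-egress`, with all three reasons, and the remediated set keeps just the proxy permit and the deny-direct rule. The same audit over a real export would need a parser for that product's syntax, but the policy question it answers (does any group get Internet access the general population is denied, and is that access logged?) is the one the post raises.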