[olug] Computer Security Policy
Chad Homan
choman at gmail.com
Tue Nov 30 04:37:28 UTC 2010
Should be able to get some other info from
http://www.nist.gov/information-technology-portal.cfm
Chad, CISSP
On Mon, Nov 29, 2010 at 10:20 PM, Dan Anderson <dan-anderson at cox.net> wrote:
> Hi,
>
> +1 on the SANS suggestion... That's a good place to get a policy for
> an assignment like this. You aren't likely to get too many actual
> corporate policies - these are generally considered confidential to
> one degree or another.
>
> For this assignment, I'd probably select a "policy" like an Internet
> usage policy or acceptable use policy. This is likely what they
> expect and will be pretty easy to write about/discuss.
>
> That said, the rest of this is less about those two examples of "policies."
>
> > - Have you seen security policies work to keep information and the
> > networks of your employer safe?
>
> Absolutely, a proper security policy framework is essential for
> security. Like a foundation, you can build a great security program
> on top of properly designed policies - but like a foundation is not a
> complete building - a security policy is also not a comprehensive
> security program by itself.
>
> > - What is needed in a security policy to make it strong and thorough?
>
> 1. Management support from the highest levels.
> 2. See #1 :)
> 3. Policies should be high-level and relatively constant over time -
> more fluid standards should be derived from the application of the
> high-level policy as it relates to specific technology and process
> needs - specific detailed operational procedures can be developed that
> ensure compliance with the standards, etc.
> 4. Some degree of risk analysis (formal or informal depending on the
> environment) should (read: MUST) be undertaken prior to the creation
> of policy. (I suspect SANS also has some useful info related to this
> activity)
> 5. Policy exists to support the business - not the other way around.
>
> > - Do you have any examples of a security policy being effective and
> > ineffective?
>
> Not specifically, but huge successes and spectacular failures usually,
> IMO, directly relate to the things mentioned above.
>
> Good luck on your project!
> Dan