[olug] Computer Security Policy

Dan Linder dan at linder.org
Tue Nov 30 16:43:03 UTC 2010

On Mon, Nov 29, 2010 at 22:20, Dan Anderson <dan-anderson at cox.net> wrote:

> > - What is needed in a security policy to make it strong and thorough?
> 1.  Management support from the highest levels.
> 2.  See #1  :)
> 3.  Policies should be high-level and relatively constant over time -
> more fluid standards should be derived from the application of the
> high-level policy as it relates to specific technology and process
> needs - specific detailed operational procedures can be developed that
> ensure compliance with the standards, etc.
> 4.  Some degree of risk analysis (formal or informal depending on the
> environment) should (read: MUST) be undertaken prior to the creation
> of policy. (I suspect SANS also has some useful info related to this
> activity)
> 5.  Policy exists to support the business - not the other way around.

(Related to #3) I'd also suggest that the policies be general enough and not
specifically call out a specific protocol, department, or person (Yes, I've
seen a policy written to that level!).

I'd also suggest that the policies apply to EVERYONE!  At a past company,
when I came in and was asked to review their firewall configurations, the
"IT Department" rule was a wide-open permit on all ports/protocols straight
to the Internet with no logging, whereas everyone else was under a tightly
controlled and logged access to the Internet through a mandatory proxy


***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
    (Who can watch the watchmen?)
    -- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
    -- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************

More information about the OLUG mailing list