1998-04-30-13:47:57 Darren:
> 1998-04-30-13:28:20 Bennett Todd:
> > But none of this comes near addressing the point you raised: how would
> > you go about ``verifying that a security policy is any good''?
>
> Well, the first step might be to check that it actually exists.
Always a good start, yes :-). While you're at it you can also check to
make sure it takes the form of a good security policy, giving reasonable
justifications for the rules, and documenting its source of authority
and its revision procedures.
Sounds a lot like a constitution now that I think of it.
> The next might be to evaluate it against what the business requires from
> whatever it controls and what the security risks are.
Sounds like what I was proposing: re-do the thing from scratch and see
if you end up at about the same place. Big expensive job, that. Are
there people who sell this service? 'Cause anybody you'd trust to do
this would have to be at least as good as your best security analyst,
preferably better. Hard to find such people.
-Bennett
Received on May 01 1998