Security Basics mailing list archives

RE: Security policy


From: "Ramirez, Steven" <Steven.Ramirez () louisvilleky gov>
Date: Thu, 26 Oct 2006 08:55:13 -0400

Hi Francois

When I entered my current position I was tasked with the same thing. I
work for a local city govt and had never done this before. My starting
point included gathering whatever policies the org already had, and
researching all the available city, state, federal, private business and
educational institution policies I could find on the net. I did use some
of the ones referred to in this thread. I found most to be vague, and
they had to be tailored for your environment.

I then spoke with numerous personnel from the IT Dept. They also
proof-read and offered suggestions. The last reviewer was legal, where
they offered their suggestions.

So, I took all I could find, notes from interviews and my experience
regarding best practices and how things "should" be... and started
writing. One thing in regards to format I did was try to make them look
like the HR policies that were already in place.

In regards to what policies I focused on... I started with an Executive
Summary stating what the policies were about and why they exist. I then
broke them down into the usual things: Acceptable Use, Password, Remote
Access, Network Access/Configuration, Data
Sensitivity/Classification/Retention, Software, Incident Response, Data
Center Access... and a couple more. Of course, I included a table of
contents and a glossary, as there were several technical terms. It ended
up being about 12 policies at approx. 40 pages.

Then I got into distribution, which was a whole separate project... we
went with digital signatures and forced users to sign or be disabled. It
worked.

Steve



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Francois Yang
Sent: Wednesday, October 25, 2006 4:02 PM
To: security-basics () lists securityfocus com
Subject: Re: Security policy

Thank you everyone for your inputs.
I did look at SANS's website, but again I wasn't sure which was the
best way: to have a big policy or multiple small ones. The main
concern with both ways is that if it is too long, then people won't
read the whole thing, and if there are too many of them, we won't keep
track of them.

So I think this is how I'm going to do things.

1. Create specific policies, like e-mail, remote access, password,
etc.
2. Create a generic security policy that references the other policies.
3. Create procedures and standards to go with the more specific
policies.

Any other thoughts?


On 10/25/06, Laundrup, Jens <Jens.Laundrup () metrokc gov> wrote:
My suggestion would be to first look at the overall security policy in
place. Ensure that your IT policy reflects that same level and emphasis
of security. Then divide up separate security policies for the major
areas (Firewall, acceptable use, access, etc.).

Each policy should be between 2 and 3 pages long. They should cover the
overarching concepts but should be technology independent.

example:
"The system shall be protected by a firewall" - technology dependent

"The system shall be protected from outside the domain" - technology
independent

Then under each policy, develop a standard that addresses the technology
and the specific implementation of technology to accomplish the goal of
the policy. This way, the policies, which require high-level (CISO, CSO
or CEO) approval, are not altered very often, whereas the specific
implementation can be controlled at the security analyst/architect level
and can change regularly while still fulfilling the objectives of the
enterprise as stated in the policy.

A good source of information for the documents is NIST. There are also
companies who specialize in developing policy, standard and instruction
templates that you can purchase and create from there. A great place to
go for free stuff is the government agencies, since none of their
documents are copyrighted. If you go to
http://www.e-publishing.af.mil/pubs/majcom.asp?org=AF you can see all
the Air Force policies and procedures (focus on areas 31 and 33 for what
you seek). And there are many other government agencies (federal, state
and local) that have all their policies published and available for
public consumption online.

Good luck


Jens

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of Francois Yang
Sent: Tuesday, October 24, 2006 2:39 PM
To: security-basics () lists securityfocus com
Subject: Security policy

Can anyone please point me in the right direction?
I need to write some security policies, but I'm not sure where to
begin.
I know there are a lot of examples and templates out there, but what do
I include in the policy?
I see separate policies for e-mail, password, remote access,
acceptable use, etc., but I was also told that it is better to try to
make all of those fit into one so that we don't have to keep track of
10 different policies. The question is, which ones do I include in one
big security policy and which ones do I make separate?

thank you.


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus

---------------------------------------------------------------------------