Great Circle Associates Firewalls
(November 1995)
 


Subject: RE: A1 Systems?
From: cjolley @ iac . net
Date: Thu, 30 Nov 95 14:25:23 -0500
To: cssmith @ deltacom . com (Christopher Smith), firewalls @ GreatCircle . COM
In-reply-to: <199511301408 . IAA08894 @ python . viper . net>

Uhh, unless I misunderstand your suggestion, I don't believe one size
fits all. I believe that about the best to approach your concept is
to develop a list of high-level generic security goals or requirements
and then for each of the items to list approaches which could separately
or jointly contribute to meeting the requirement. For each of the
approaches a set of attributes would be established specifying such things as
cost, difficulty of defeat, manpower required to administer, open or
proprietary, ease of use, etc. As different approaches were identified, they
could be added to the "model". This would allow for evolution of the 
"standard".

The value of this method would be to allow someone to decide what level(s)
of security were needed, what one could afford and what amount of resources
would be required for maintenance/administration. An idea for a starter
list for goals/requirements might be:
 
1. Establish a security policy
2. Perform background check on new employees 
3. Educate the employees regarding security issues
4. Log all incidents of information access
5. Acquire security tools (virus detection, authentication, encryption, etc.)
6. Stay current regarding newly discovered/developed security problems
7. Test the security system for vulnerabilities
 
Note these items above are the goals. A list of approaches to achieve the
goals along with their associated attributes would also need to be developed.
For example for goal #1 above, a list of approaches (but not the associated
attributes) could be:

A. Hire a consultant to develop a custom security policy
B. Hire security expert(s) to develop a custom security policy
C. Develop in-house with existing employees
D. Research other organizations' policies and pick one
E. Use commercial sources (books, etc.) for security policy references


On Thu, 30 Nov 1995, cssmith @ deltacom . com (Christopher Smith) wrote:
>Just an off the wall question, but why don't we (the list -- whomever) come
>up with our definitions on system security.  If I remember correctly, someone
>was complaining about the lack of firewalls standards, well, seems logical
>that we should start with a workable system security model first.  Just a 
>thought.
>
>>	There are still orange book systems out there, and there
>>are still people working on them, but that's really part of the
>>government's typical inability to terminate an unsuccessful
>>program.
>>
>>
>
>
>
**** cjolley @ iac . net <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****


