Hi Parks,
On Thu, 5 Oct 1995, Parks Fields wrote:
>Hello world,
>I know the basis of security is a good security policy. I have
>created a security policy but I am not 100% happy with it. Could some
>of you send me a copy of yours so I can figure out what mine is missing?
>Thank you.
The official response by most may be as follows:
1) don't send out our security policy to anyone
2) deleted because of 1)
;-)
On a more serious note, various books on firewalls have good sections
on going about designing a security policy. Cheswick and Bellovin's
Firewalls and Internet Security (Addison-Wesley Publishing) has been an
invaluable reference source for us.
Our policy was designed and then agreed upon before the technology was
looked at, i.e., taking a leaf from my Business Systems Analysis hat.
We designed it based on what the business wanted to achieve. This
allowed us to apply current and future technology to a well defined
business need.
We then applied the technology (firewall, routers, client
applications, access rules, etc.). Then we designed the business
processes required to maintain the security level. After all, the
firewall and those that have the responsibility to maintain it are now
(at least from our company's perspective) performing a business
critical function.
The biggest problem that needs to be overcome is getting management to
sign on the dotted line. Without the policy being adopted high enough
up in the organisational structure, the ability to maintain the
required security level (from a business perspective) is sure to be
watered down.
Do as much analysis as you can within the time they (management) will
allow. I wish I had the information contained in Alan Dowd's responses
to this query when I got my fingers burnt (-:
Good luck
Greg.
Senior Systems/Network Analyst
Cybergraphic Systems PTY LTD
862 Glenferrie Rd. Hawthorn
Melbourne, Australia 3122