Great Circle Associates Firewalls
(November 1995)
 


Subject: What protection a policy?
From: "Marcus J. Ranum" <mjr @ iwi . com>
Organization: Information Warehouse! Inc, Baltimore, MD
Date: Thu, 16 Nov 1995 23:13:27 -0500 (EST)
To: firewalls @ greatcircle . com
Coredump: Infocalypse Now!!!
Phone: 410-889-8569
Reply-to: mjr @ iwi . com
Url: <A HREF="http://iwi.com/mjr/mjr-top.html">mjr's web page</A>

	A few idle ramblings and comments about security policies.
Excerpts from postings by various members of the list:

>The seasoned policy writer will (very) frequently come across sections of 
>policies in the book which need to be incorporated into the organization's 
>policies to provide protection against unforeseen risks.

	Policies don't provide protection; they provide guidance
about protection. In the words of St Ansel, "the policy is the
score: security is the performance"*

>For example, I want some kind of enhanced authentication.  CSW's
>policies don't help me to argue for it.  However, if I get it, using
>CSW, I can hammer out a policy in a day.

	And then the implementation!! Don't forget that part!! I
have, too often, seen reams of policy languishing on a shelf, while
the network bleeds from its seams. I've also seen policies cloaked
in dust, wrapped like mummies in red tape, which, when exhumed, turn
out to describe access control via hardwire terminals to a mainframe.

	It seems to me often that security policies are like weight
loss programs: everyone is on one, but not everyone follows it
as closely as they should. And, like weight loss programs, they
don't work very well if you periodically nip out for a high fat
filet broiled in butter at Ruth's Chris.

	Too bad security holes can't be fixed by taping a policy
over them.

mjr.
(*and may he forgive me)
