On 11/18/95 my mailer assumed that Marcus saith:
> Policies don't provide protection; they provide guidance
>about protection. In the words of St Ansel, "the policy is the
>score: security is the performance"*
> And then the implementation!! Don't forget that part!! I
>have, too often, seen reams of policy languishing on a shelf, while
>the network bleeds from its seams. I've also seen policies cloaked
>in dust, wrapped like mummies in red tape, which, when exhumed, turn
>out to describe access control via hardwire terminals to a mainframe.
> It seems to me often that security policies are like weight
>loss programs: everyone is on one, but not everyone follows it
>as closely as they should. And, like weight loss programs, they
>don't work very well if you periodically nip out for a high fat
>filet broiled in butter at Ruth's Chris.
> Too bad security holes can't be fixed by taping a policy
Couldn't agree more. Unless they're implemented and enforced, policy
statements are of somewhat less use than the old Sears catalog in the outhouse
(come to think of it, maybe the same use).
However, you have to begin somewhere, and policy statements should be that
point. Besides, without policy, management simply *cannot* exist, as things
will be run strictly on whim.
I'd say *Warmly,* but that's taken...
Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.