RE: Proxy server hit... Any ideas?

From: Åke Nordin <Ake.Nordin(at)ecsoft.se>
Date: Fri Nov 22 2002 - 07:37:10 EST

Maybe slightly off-topic, feel free to advise me of better fora...

At 09:07 2002-11-20 -0600, Mike Cain wrote:
> I have just got back from meeting

Consider yourself lucky. This is about your only chance to introduce some security awareness in your organisation. Just don't push too hard...

> So where should I start looking for de-facto policies, and such? Or

RFC 2196 aka Site Security Handbook is usable on a technical level. It may or may not be pertinent to your requirements.

The general ideas behind ISO17799 are (mostly) fairly sound (bar its pushing of security by obscurity in one place), but far too heavyweight in its wording. It is indeed a cousin to ISO 9001...

ISO17799 started out as BS7799 part 1, the corresponding BS7799 part 2 is just the requirements clauses with all security recommendation stuff cut out. I've found it useful to turn those clauses in the latter to questions: "do we address this?" "if so, how?". Your answers to this would be your policy.

Be careful with wordings, you've got to cover your bases and be general enough that "a little tweaking" of a bad usage makes it compliant to the policy (if not to its intention).

See also <<http://www.xisec.co.uk/>> for the BS7799 editor pages.

> should I just use my best judgment? I'm thinking the latter is a bad

Use standards as a checklist. Try to keep your sanity by giving your own answers, not some boilerplate from the standards or handbooks. As always, the KISS principle applies to the real world, if not to the standards (they are after all designed by committees...)

And please note that the ISO/BS stuff addresses "Information security" from an "organisational" point of view, it's not just (nor even primarily) about network and computer security technology measures. To be fair, it does emphasise well that "security is a process".

-- 
  .
 /Ake Nordin   ECsoft:        +46-8-506 11100  ake.nordin@ecsoft.se
 Damian Conway: "The programmer is fighting against the two most
 destructive forces in the universe: entropy and human stupidity."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Mon Nov 25 11:59:11 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT
