
Re: Security Policy-Please help

From: Bennett Todd <bet(at)rahul.net>
Date: Wed Aug 06 2003 - 13:19:07 EDT

2003-08-06T04:07:48 Kampanellis Ioannis:
> Any advice? Where could I start?

Big, big question. I think you start several steps before the sort of things you mentioned.

The very first thing is to determine the organization's commitment. If you have a positive commitment from senior management, proceed. Otherwise retire from the field :-).

Then you evaluate the organization's needs as they relate to computer security. A reasonable first step would be to describe the functionality they require --- what services they must be able to use, especially focusing on places where security boundaries exist. Then describe the resources that must be protected. Often computer security analysis organizes these resources into categories of confidentiality (keeping certain information secret from some people), integrity (preventing unauthorized modification of certain data), and availability (preventing attackers from denying you the use of your systems).

Once you've sketched this out, the fleshing out of a robust security policy needs to follow a course of describing the overall goals as determined by the above analysis, then enumerating required practices in various areas, motivated by the above goals, and where appropriate including cost/benefit analysis justifying the requirements.

The final step loops back to the beginning. Once the policy has been reviewed and refined by all the major participants who will be required to honor it, you finish it with a statement describing the approval process through which it holds authority, and the revision process required to address any defects found.


As an example of the analysis process, some organizations have to allow all their users to interact with internet email; they refuse to bear the perceived cost of using a secure platform from which to do internet email; and they require that their systems be available, and resistant to arbitrary browsing and modification by random strangers. Therefore the band-aid of "virus scanning" must be deployed somewhere in the email transit path before messages reach the users' email clients. Most often the analysis can be structured along these lines: identify a threat, identify any costs that cannot be borne, and thereby motivate the requirement.

-Bennett

Received on Wed Aug 6 14:30:22 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:06:58 EDT
