Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Policy ? (was RE: Penetration Tests)

From: bailey () ddn af mil (Capt Jim Bailey - SSG/SINS - DSN 596-6106)
Date: Fri, 26 Sep 1997 14:36:49 -0500 (CDT)

Note that for any testing --- any useful security work at all, for that matter
--- you've gotta have a security policy in force; it has to do a good job of
reflecting the organization's needs, it has to have management support, and it
has to specify enough detail so it defines a spec that the security
infrastructure must meet. And you know, once you get done with _that_ chore
merely certifying the correctness of a firewall seems like a piece of cake.

-Bennett



I think everyone agrees that having a solid security policy is needed before
implementing any feasible security architecture.  My question is what does
this policy encompass?  My question is not directed at the technical details
of how to get things done, but more towards the high level that has to be 
sold to Joe and Jane user, the management, etc.  Are you looking at writing
a document that states such general things like "don't use the network for
unofficial business"? Or do you get more specific like "all web traffic
will be proxied and only alowed to the following sites..."

Jim Bailey
Previous By Date Next
Previous By Thread Next

Current thread: