Firewall Wizards mailing list archives
Re: Policy ? (was RE: Penetration Tests)
From: "Paul D. Robertson" <proberts () clark net>
Date: Tue, 30 Sep 1997 11:06:37 -0400 (EDT)
On Mon, 29 Sep 1997, Bennett Todd wrote:

> [snip]
>
> Now _there's_ a provocative question! I don't have the expertise to offer any kind of general answer; I doubt many people have. The short answer is of course "Yes"; it might say "don't use the network for unofficial business", it might say "all web traffic will be proxied and ...". Exactly what it says will vary widely, and better closely reflect the specific needs of the organization --- though use of proxies is less likely to belong in the policy manual; that's just one way to implement a policy.
I'll take a stab at unraveling this puzzle. What's being discussed here should be something like:

Usage Policy - This is where you tell users what they can and can't do within the realms of their duties. This is also where, if you're in the US for sure, and hopefully elsewhere, you explicitly explain that none of what they do is private. Everyone who touches a computer on your network should be made to read this (employees, contractors, vendor maintenance staff...).

Security Policy - This is where you define for your administrators what they can and can't do within the realms of their duties, at the level of what those duties are (check logs, incident response, investigations...). It's also where you define your basic stance (deny all but what's explicitly accepted, etc.), and enumerate what is allowed (or denied, depending on stance), as well as the criteria, metrics, and procedures for adding to and deleting from that list. This document should be of a more limited distribution than the above document, or split into site and user sections if things like user responsibilities, password policies, and the like are included. This is also the criteria for any security audits.

Implementation Documentation - This is where you name names, products, versions, IP addresses, user-ids, filter rules, which logs will be checked for what info, and other specific implementation details. This document should be distributed only to a very small set of people who 'need' it.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280