Firewall Wizards mailing list archives
Re: Re Where to find a example security policy?
From: "Andy W" <jawiggy () rcn com>
Date: Sun, 24 Sep 2000 18:41:51 -0400
Brian and Aaron,

** Before I start this.... If I seem to ramble in this it is because it is Sunday, my day off, and I have 2 little kids running around & screaming. Please bear with me. This should only take about...mmmmmmmm...3-4 hours to do.... ;c )

The "4 E's" I suggest are basically for 3 types of policies...computer usage, e-mail usage and Internet usage. All of which I believe are the foundation policies to work from for more in-depth policy development. But as you suggest Brian, keeping the policies in plain English is key as well. They cannot be filled with a lot of legal or IT talk that no one will ever understand.

Brian, your example company seemed to have done things fairly well. The only thing I didn't notice was some sort of legal involvement. The idea of having the IT department draft the policies will work from a tech side but they care and/or know very little about the implications involved with the legal issues. Make no mistake about it...this is a legal and binding document. Developing and implementing these policies can be a complicated process, involving substantive issues of law, employee relations, and security. Keep in mind why we are writing these policies. We are protecting the company from legal problems (i.e., claims from employees past and present as well as 3rd party claims) and we are protecting company resources and information.

I agree that the average end user knows little of how the network works. Most are lucky if they can type in a web site correctly. They have no knowledge of bandwidth or computer resources and to tell you the truth I don't think they have to. What they do have to know is what they can and cannot do with the resources provided for them to do their job.

As I've said before, education is the most important piece to the policy puzzle. You can develop and implement policy 'til you're blue in the face but if you do not educate your employees about them you have gone thru all that work for naught.
Showing your employee the policy once, having them sign it, and then expecting them to remember it 1-2 years down the road does not carry any weight at all in a court of law. Continuing policy education is the key.

Aaron, the places you have been pointed to for example policies are all good starting places. Use them all, but don't place all your faith in them. As I said before this is not something you can throw a quick fix at. It is a very complicated process. You are moving in the right direction and are far ahead of a lot of other companies that have not even thought about this at all. Don't get discouraged and keep plugging away.

There is a less expensive book about all of this that I know of. It is called "e-Policy How to develop Computer, E-Mail, and Internet Guidelines to Protect Your Company and Its Assets" written by Michael Overly. A very long title but at the price of $19.95 US, another resource to draw from with less of a hit to the wallet.

Best,
Andy

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards