Firewall Wizards mailing list archives

RE: OT: Information Security policy


From: Ben.Grubin () guardent com
Date: Fri, 16 Feb 2001 12:22:57 -0500

 

Accepted standards to follow:

        * ISO17799 (the ISO version of BS7799)
        * Information Security Forum (ISF) Standards of Good Practice
        * Information Systems Audit and Control Foundation (ISACF): Control and Objectives for Information and Related Technology (COBIT)
        * General Accounting Office (GAO): Executive Guide, Information Security Management: Learning From Leading Organizations

The most important things (imho) to consider (and most commonly
poorly considered) when trying to craft an infosec policy are
enforceability, accountability, and change management.  It is the
role of the security organization to determine how these must be met,
but it should NOT be the role of the security organization to
implement and enforce.

This is where things get critical, and where the politics creep into
the game, because a proper policy must define who is responsible for
various means of ensuring compliance and enforcement.  These
functions must be made intrinsic in the business.  It is never
scalable to create a policy where the security organization must
monitor the business in its entirety for assurance.  Designing a
method for determining accountability for business processes is
critical, as is designing a method for ensuring the accountable
owners of the process are always fully aware of the policies that
apply to his/her process.  

This means that security awareness becomes a critical function to
push to business process owners.  Without awareness of the relevant
policies on the part of the accountable owner of a process, a
security policy can never be effective.

All too often I have seen policy which has been carefully crafted,
but only known to the security organization and perhaps some
management.  The only purpose for this type of policy is for
dictating the actions of a security organization when presented with
a problem.  This form of reactive security management is why we are
all in the state we are in today. 

Finally, a tremendous problem is that of overcoming the desire to put
"best practices" in every area of a security policy.  All too often I
have seen thousand page policies saying thou shalt do this or that or
the other thing to comply with best practices or whatnot.  But in
reality, business processes cannot be made to conform to this
idealized set of practices.  A policy in its first iteration must
describe what the business is doing TODAY, not what it SHOULD be
doing.  Only then can you get an accurate picture of the problem, and
begin planning for the improvement of the business processes that are
in need of attention.  Then the job of the security organization
becomes that of working with business process owners to improve the
security of their process(es), and as they improve, update the policy
to reflect that improvement.  This is the iterative process of moving
a policy (and simultaneously the business) towards better security
practices.  When a policy indicates what should be done, as opposed
to what is being done today, it leaves you open to all sorts of legal
nightmares as well.

Anyway, this already got longer than I intended.  Probably even
further off topic than your original question, too.  Sorry!

Cheers,
Ben

- --------------------------------------------------
Benjamin P. Grubin            bgrubin () guardent com
Guardent, Inc.             http://www.guardent.com
PGP Key:  D33D 22C2 6552 0F6B  44E4 5254 0172 0E10

"The world isn't run by weapons anymore, or energy, or money.  It's
run by little ones and zeros, little bits of data.. it's all just
electrons."
 



-----Original Message-----
From: Scott, Richard [mailto:Richard.Scott () BestBuy com]
Sent: Thursday, February 15, 2001 12:17 PM
To: Firewall Wizards
Subject: [fw-wiz] OT: Information Security policy


I am looking for information about implementing and considering Information
Security policies.

How many people actually consider the BS7799 Standard?

Are there any other standards that people recommend?

Do developers and designers or security enforce "roles and access" upon data
itself, to ensure that users of the information follow the policy that is
set within the company?


Richard
The views expressed in this email do not represent Best Buy
or any of its subsidiaries.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

