Firewall Wizards mailing list archives
RE: OT: Information Security policy
From: Ben.Grubin () guardent com
Date: Fri, 16 Feb 2001 12:22:57 -0500
Accepted standards to follow:

* ISO17799 (the ISO version of BS7799)
* Information Security Forum (ISF) Standards of Good Practice
* Information Systems Audit and Control Foundation (ISACF): Control Objectives for Information and Related Technology (COBIT)
* General Accounting Office (GAO): Executive Guide, Information Security Management: Learning From Leading Organizations

The most important things (imho) to consider (and most commonly poorly considered) when trying to craft an infosec policy are enforceability, accountability, and change management. It is the role of the security organization to determine how these must be met, but it should NOT be the role of the security organization to implement and enforce. This is where things get critical, and where the politics creep into the game, because a proper policy must define who is responsible for various means of ensuring compliance and enforcement. These functions must be made intrinsic in the business. It is never scalable to create a policy where the security organization must monitor the business in its entirety for assurance.

Designing a method for determining accountability for business processes is critical, as is designing a method for ensuring the accountable owners of the process are always fully aware of the policies that apply to his/her process. This means that security awareness becomes a critical function to push to business process owners. Without awareness of the relevant policies on the part of the accountable owner of a process, a security policy can never be effective. All too often I have seen policy which has been carefully crafted, but only known to the security organization and perhaps some management. The only purpose for this type of policy is for dictating the actions of a security organization when presented with a problem. This form of reactive security management is why we are all in the state we are in today.
Finally, a tremendous problem is that of overcoming the desire to put "best practices" in every area of a security policy. All too often I have seen thousand-page policies saying thou shalt do this or that or the other thing to comply with best practices or whatnot. But in reality, business processes cannot be made to conform to this idealized set of practices. A policy in its first iteration must describe what the business is doing TODAY, not what it SHOULD be doing. Only then can you get an accurate picture of the problem, and begin planning for the improvement of the business processes that are in need of attention. Then the job of the security organization becomes that of working with business process owners to improve the security of their process(es), and as they improve, update the policy to reflect that improvement. This is the iterative process of moving a policy (and simultaneously the business) towards better security practices. When a policy indicates what should be done, as opposed to what is being done today, it leaves you open to all sorts of legal nightmares as well.

Anyway, this already got longer than I intended. Probably even further off topic than your original question, too. Sorry!

Cheers,
Ben

- --------------------------------------------------
Benjamin P. Grubin
bgrubin () guardent com
Guardent, Inc.
http://www.guardent.com
PGP Key: D33D 22C2 6552 0F6B 44E4 5254 0172 0E10

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data.. it's all just electrons."
-----Original Message-----
From: Scott, Richard [mailto:Richard.Scott () BestBuy com]
Sent: Thursday, February 15, 2001 12:17 PM
To: Firewall Wizards
Subject: [fw-wiz] OT: Information Security policy

I am looking for information about implementing and considering Information Security policies. How many people actually consider the BS7799 Standard? Are there any other standards that people recommend?

Do developers and designers or security enforce "roles and access" upon data itself, to ensure that users of the information follow the policy that is set within the company?

Richard

The views expressed in this email do not represent Best Buy or any of its subsidiaries.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards