Firewall Wizards mailing list archives
Re: Client Security Policy, IT security Policy Samples
From: Mitch Pirtle <mitchell.pirtle () verizon net>
Date: 03 Jun 2003 10:02:05 -0400
Good morning/evening,

SANS has an excellent resource at:
http://www.sans.org/resources/policies/
OR
http://www.sans.org/rr/catindex.php?cat_id=50

There you can get all the answers you are looking for. IMHO I think you're working on these in reverse order, because the InfoSec policy defines the WHAT that is specified to WHOM, and HOW. This is the high-level strategy document. Once you get this defined, the rest is much more intuitive.
From previous experience, I'd say that your password policies are really guidelines (one for "users" and the other for IT staff, regarding "group accounts" like root/Administrator etc.), the client policy is really a standard, and the InfoSec policy is the real policy. But this is my own system cobbled from repetitive policy treatment at several organizations, definitely not the norm!

Something else to consider - depending on the size of your organization - is defining security teams, including incident response and forensics. Last time I went through this exercise it was for a global organization whose security efforts were completely matrixed (spanning multiple departments). Instead of politics, I got a great cross-divisional team of people that supposedly hated each other.

As for the client security policy, I'd take a hard look at the guidelines already prepared by SANS and NIST as well: http://csrc.nist.gov/

If you have more policy questions just ask. I just relocated to NYC from Europe, and am sitting on the bench with plenty of time...

-- Mitch

On Tue, 2003-06-03 at 02:47, Hilal Hussein wrote:
Dear Gentlemen,

My Boss asked me to write down:
1 - the Password Policy
2 - The Client 'winXP, win98, winNT Workstation' Security Policy
3 - The Information Technology Security Policy in General in our company

1 - For the Password Policy, I got lots of documents from the net, and I came out with two policies, one for "the creation of strong passwords, the protection of those passwords, and the frequency of change" and the other is for "how to write down passwords and seal them in an envelope, how to store them and retrieve them appropriately".
Q1: Do I have to keep it two policies or is it preferable to merge both in one document?

2 - For the Client security policy
Q2: Is there any simple/clear and complete document that is already available for free on the net?

3 - For the IT security policy in General,
Q3: I got lots of documents, but till now, I am not able to see a complete policy that will be a reference in my security dept, since we have firewall, servers "domain, exchange, webmail, Oracle web application, ..." Is there any document that is covering all of the above mentioned IT services, and more?

Your comments and support are really appreciated.

With regards,
Hilal Hussein
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards