Re [fw-wiz] Where to find a example security policy?
Rafael Jose Teixeira (ESDI-NSI)
Fri, 29 Sep 2000 15:37:12 +0100
This is a multi-part message in MIME format.
Content-Type: text/plain; charset=us-ascii
Another good sources of that kind of books are :
A Guide to Developing Computing Policy Documents - Barbara L. Dijker -
SAGE Edition (www.usenix.org)
Information security Policies Made Easy - Charles Cresson Wood -
The NCSA Guide to Enterprise Security - Michel E. Kabay (McGraw-Hill)
However, "security awareness" must be developed from bottom-up, with
user education, enforced with management enpowerment (formal one).
Talking with the "techies" might be a nightmare, but they know th
system, and were it might crack....
Brian Ford wrote:
> Andy and Aaron,
> I thought your advice on the "4 E's" was excellent with regard to Internet Acceptable Use Policy. But with respect to overall Security Policy there are some areas where your suggestions break down.
> You spoke about policies and culture. It is nice to think that a group of employees working for the same company could come together, draft and publish such a policy document. In my experience many times these efforts go side ways when employees can't agree on specifics (like exactly which applications should be supported by the company) or ignore the reality of how the corporate network works (how much Internet can you push or pull over a T-1 line?). Yes, many employees want to do the right thing and "just need to know what is right and what is wrong". Often it's difficult to get them to agree on right and wrong (after all they are human).
> The most successful effort to develop and put in place a policy that I ever witnessed involved a draft that was written by the IT department (that was 3 people). It was based on the companies specific environment (applications, network, etc...). It was forwarded to the CEO who read it and discovered that he had to ask questions to understand various chunks. But after he asked and got answers to all his questions he drafted a memo to all employees. In that memo the CEO discussed the objective of putting the policy in place, defined the policy, and how it should work.
> He followed that up with an all employee meeting. That resulted in questions from employees about how various things should work. Questions about use of applications. A lot of questions about backing up data. The IT department wound up bringing in some trainers who then focused on those employee questions. It wasn't "rammed" as everyone was given an opportunity to ask questions. The policy as defined by the CEO went into place.
> After the security policy was in place the IT group went back (working with management and HR), drafted, and implemented an acceptable use policy. And by that time all employees were "pulling the oars in the same direction". It made sense. It was worded so that everyone understood what was in and out of bounds behavior. Many employees signed off right away. But they still had folks who objected. I believe that company made renewal of the policy part of an annual review (not sure).
> I've wanted to write about this effort for some time. This wasn't my employer. The company involved has no interest in being "a reference" for such a paper. So, the best I can do is this.
> Lessons that I learned from that company were that you can't assume everyone will understand the policy. You have to deliver it in "plain talk" format. You have to follow up, solicit questions (and objections), and talk to people about it. Education is important, if not critical to success. The policy has to apply to everyone, and be enforced equally on everyone. Imagine the scene when an employee claims wrongful dismissal and proves that the executive staff (or others) are not held to the same "all employee" standards.
> And no matter how much good work you do some people will ask if they can "opt-out".
> Brian Ford
> Firewall-wizards mailing list
Content-Type: text/x-vcard; charset=us-ascii;
Content-Description: Card for Rafael Teixeira
tel;fax:(+351) 21 416 8044
tel;work:(+351) 21 416 8000 ext 6350
org:Banco Espírito Santo
fn:Rafael Palma Teixeira