RE: Proxy server hit... Any ideas?

From: Åke Nordin (
Date: 11/22/02

  • Next message: "Re: Proxy server hit... Any ideas?"
    Date: Fri, 22 Nov 2002 13:37:10 +0100
    From: Åke Nordin <>
    To: <>

    Maybe slightly off-topic, feel free to advise me of better foras...

    At 09:07 2002-11-20 -0600, Mike Cain wrote:
    > I have just got back from meeting
    > with management to suggest some policies, now they want me to write an
    > IT policies handbook, guess I asked for that one huh? :)

    Consider yourself lucky. This is about your only chance to introduce
    some security awareness in your organisation. Just don't push too

    > So where should I start looking for de-facto policies, and such? Or

    RFC 2196 aka Site Security Handbook is usable on a technical level.
    It may or may not be pertinent to your requirements.

    The general ideas behind ISO17799 are (mostly) fairly sound (bar
    it's pushing of security by obscurity in one place), but far too
    heavyweight in it's wording. It is indeed a cousin to ISO 9001...

    ISO17799 started out as BS7799 part 1, the corresponding BS7799
    part 2 is just the requirements clauses with all security
    recommendation stuff cut out. I've found it useful to turn those
    clauses in the latter to questions: "do we address this?" "if so,
    how?". Your answers to this would be your policy.

    Be careful with wordings, you've got to cover your bases and be
    general enough that "a little tweaking" of a bad usage makes it
    compliant to the policy (if not to it's intention).

    See also <<>> for the BS7799 editor pages.

    > should I just use my best judgment? I'm thinking the latter is a bad
    > idea because if one doesn't pan out, then they say, "Well... YOU wrote
    > them..." :)

    Use standards as a checklist. Try to keep your sanity by giving
    your own answers, not some boilerplate from the standards or
    handbooks. As always, the KISS principle applies to the real
    world, if not to the standards (they are after all designed by

    And please note that the ISO/BS stuff addresses "Information security"
    from an "organisational" point of view, it's not just (nor even
    primarily) about network and computer security technology measures.
    To be fair, it does emphasise well that "security is a process".

     /Ake Nordin   ECsoft:        +46-8-506 11100
     Damian Conway: "The programmer is fighting against the two most
     destructive forces in the universe: entropy and human stupidity."
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    Relevant Pages

      ... management say "that's nice", and move on. ... education, certification, experience, know-how, abilities, and ... Many 'security jobs' are nothing shy than that of an overly glorified ... Download FREE whitepaper on how a managed service ...
    • RE: security not a big priority?
      ... But I have found that upper management will only ... and push out the changes; management has to have this information to ... Network Security Engineer ... Network team with Project Management tasks. ...
    • RE: Down with DHCP!!!!
      ... Managing/monitoring the DHCP pools as assignments yourself ... -Other management tools as in Asset ... Security Administrator ... Network Operations-ICW Group ...
    • Re: [fw-wiz] Securing a Linux Firewall
      ... site, management wants to use IM/ICQ/etc, different businuss groups want ... protocols from the ground up to fix the issues of security. ... > a minimal install as Known Good is an act of hopeful optimism that I ... need a whole department broken into OS/hw groups to maintain proper builds ...
    • RE: [lists] Re: Rootkits
      ... Better yet, install SuSE Linux, VMWare GSX Server, various Windoze virtual ... If you spend more on coffee than on IT security, ... Download FREE whitepaper on how a managed service can help you: ... vulnerability management needs. ...