RE: Proxy server hit... Any ideas?
From: Åke Nordin (Ake.Nordin@ecsoft.se)
Date: 11/22/02
- Previous message: Captain James T Kirk: "RE: Proxy server hit... Any ideas?"
- Maybe in reply to: Mike Cain: "Proxy server hit... Any ideas?"
- Next in thread: Valdis.Kletnieks@vt.edu: "Re: Proxy server hit... Any ideas?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Nov 2002 13:37:10 +0100 From: Åke Nordin <Ake.Nordin@ecsoft.se> To: <mikec@lpinsurance.com>
Maybe slightly off-topic, feel free to advise me of better foras...
At 09:07 2002-11-20 -0600, Mike Cain wrote:
> I have just got back from meeting
> with management to suggest some policies, now they want me to write an
> IT policies handbook, guess I asked for that one huh? :)
Consider yourself lucky. This is about your only chance to introduce
some security awareness in your organisation. Just don't push too
hard...
> So where should I start looking for de-facto policies, and such? Or
RFC 2196 aka Site Security Handbook is usable on a technical level.
It may or may not be pertinent to your requirements.
The general ideas behind ISO17799 are (mostly) fairly sound (bar
it's pushing of security by obscurity in one place), but far too
heavyweight in it's wording. It is indeed a cousin to ISO 9001...
ISO17799 started out as BS7799 part 1, the corresponding BS7799
part 2 is just the requirements clauses with all security
recommendation stuff cut out. I've found it useful to turn those
clauses in the latter to questions: "do we address this?" "if so,
how?". Your answers to this would be your policy.
Be careful with wordings, you've got to cover your bases and be
general enough that "a little tweaking" of a bad usage makes it
compliant to the policy (if not to it's intention).
See also <<http://www.xisec.co.uk/>> for the BS7799 editor pages.
> should I just use my best judgment? I'm thinking the latter is a bad
> idea because if one doesn't pan out, then they say, "Well... YOU wrote
> them..." :)
Use standards as a checklist. Try to keep your sanity by giving
your own answers, not some boilerplate from the standards or
handbooks. As always, the KISS principle applies to the real
world, if not to the standards (they are after all designed by
committees...)
And please note that the ISO/BS stuff addresses "Information security"
from an "organisational" point of view, it's not just (nor even
primarily) about network and computer security technology measures.
To be fair, it does emphasise well that "security is a process".
-- . /Ake Nordin ECsoft: +46-8-506 11100 ake.nordin@ecsoft.se Damian Conway: "The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Next message: Valdis.Kletnieks@vt.edu: "Re: Proxy server hit... Any ideas?"
- Previous message: Captain James T Kirk: "RE: Proxy server hit... Any ideas?"
- Maybe in reply to: Mike Cain: "Proxy server hit... Any ideas?"
- Next in thread: Valdis.Kletnieks@vt.edu: "Re: Proxy server hit... Any ideas?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
