RE: Writing a comprehensive Network Policy

Is this policy a "Corporate" policy? If that's the case you should not
do this alone. A corporate policy comes from executive level and is then
published to employees. This policy must set expectations for security
behavior and it also sets the core for IT to secure systems based on
this policy and its expectations.

I just completed one and it took "US" more than 3 months and is not even
published yet. You must meet with department managers or VPs to ensure
that the policy meets company security requirements but yet that it does
not restrict business processes. It is critical to identify what needs
to be secured, how can the security admin secure it, and what is
expected from employees. This document will lay the foundation for
security architecture for current and future systems. It can be as
lengthy as needed depending on how many different areas need to be
addressed in the policy.

I've participated in 3 such procedures and one thing I've learned is
that you have to keep a "business-oriented" mind when putting a security
policy in place. As security admins we like the challenge of locking
everything up but in reality that can also prevent business units from
performing the way the company expects them to.

Identify who should have a say in this policy.
Identify areas of concern (sensitive, critical, communications, etc...)
Identify ownership of areas to address
Draft the policy in compliance to the rest of company
Make sure HR has a chance to review it
Publish it.

I've had better success when I form a team to provide input before
moving forward. It may even be necessary to have a few meetings to shine
some light on security and why it is important to draft a policy.

Hope this helps

-----Original Message-----
From: Chris Hammer [mailto:CHammer@xxxxxxxxx]
Sent: Wednesday, August 23, 2006 10:55 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Writing a comprehensive Network Policy

Hello,

I am currently writing a network policy for our business. I am having
trouble figuring out exactly what I should put into it while meeting
these requirements:

1.) Should be a policy and not a procedure

2.) Keep the standard 3-5 page policy length

3.) Policy should cover network architecture including: routers,
switches, hubs, firewalls, etc....

Any examples or a general idea of where to start would be appreciated!

Cheers,
CH


------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Relevant Pages

  • RE: preventing run-as option
    ... should be a policy issue. ... For example employee A is given the permission and B does not have ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic Excellence ...
    (Security-Basics)
  • Fwd: Oh Dear, Where to start?!
    ... It seems to me you need two things: an organizational policy, ... finish college and break into the real world of computer security. ... experience in the field of network security and policy ... updates, driver updates, and recommended updates. ...
    (Security-Basics)
  • RE: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen - comme nts?
    ... All NetScreen appliances rely on custom-designed ASICs (Application ... Specific Integrated Circuits) for security policy enforcement. ... supports a finite number of "rules" or "policies". ...
    (Firewall-Wizards)
  • RE: Cant set Local Security policies. They fail to save
    ... predefined Security Template on SBS 2003 to restore security groups ... run "gpupdate.exe /force" under command prompt to force the policy ... reboot the Server to test. ... and then logon to client computer to test if user can save system logs. ...
    (microsoft.public.windows.server.sbs)
  • RE: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen - comme nts?
    ... The report you cite is CheckPoint originated and deals with older NetScreen ... All NetScreen appliances rely on custom-designed ASICs (Application ... Specific Integrated Circuits) for security policy enforcement. ...
    (Firewall-Wizards)