Re: writing security policy

From: Urmas Aamisepp (urmas.aamisepp@teliaNOSPAM.com)
Date: 11/27/02


From: "Urmas Aamisepp" <urmas.aamisepp@teliaNOSPAM.com>
Date: Wed, 27 Nov 2002 20:40:59 GMT

The most important things to have when creating and implementing policies
are management support and proper funding.
Getting management support can sometimes be tricky. You need to make them
"feel the pain" of bad security. This can be done in different ways. One of
my favourites is a risk analysis. Once the management is there, they are
actually part of the process, which makes the rest of the security work a
lot easier.

The next step after getting policies signed off is enforcing them. The first
thing you need to do is to make everyone aware of the policies, which means
training. This doesn't have to be classroom training. It's actually better to
do this at department meetings, kick-offs, etc. Just make sure that management
stresses some aspect of security at every meeting. This takes time since
you're trying to change people's attitudes - this is never done easily.

There will always be people who don't follow rules. In order to handle these
people you need a policy that describes the disciplinary actions taken when
rules are broken. This one needs to be enforced - even if it's someone from
management who'll eventually get fired for not following company
policy... :-)

Hope that helps a little...

Urmas

"Michael Mimoso" <mmimoso@techtarget.com> wrote in message
news:f9633e53.0211270953.6e5723c3@posting.google.com...
> I am the news editor for SearchSecurity.com
> http://searchsecurity.techtarget.com and I'm working on a story on
> writing security policies.
>
> Basically, I'm looking for input from security professionals who have
> been involved in the process on the difficulties in writing a security
> policy, getting it signed off by management and then enforcing them
> once in place.
>
> Please reply here or in an email to me at mmimoso@techtarget.com. Any
> feedback will be much appreciated.
>
> Thanks
