Re: What's in a security policy? (was Re: How do we do our job?)

From: Bennett Todd (betat_private)
Date: Thu Apr 30 1998 - 06:56:59 PDT

    1998-04-30-13:47:57 Darren:
    > 1998-04-30-13:28:20 Bennett Todd:
    > > But none of this comes near addressing the point you raised: how would
    > > you go about ``verifying that a security policy is any good''?
    > 
    > Well, the first step might be to check that it actually exists.
    
    Always a good start, yes:-). While you're at it you can also check to
    make sure it takes the form of a good security policy, giving reasonable
    justifications for the rules, and documenting its source of authority
    and its revision procedures.
    
    Sounds a lot like a constitution now that I think of it.
    
    > The next might be to evaluate it against what the business requires from
    > whatever it controls and what the security risks are.
    
    Sounds like what I was proposing: re-do the thing from scratch and see
    if you end up at about the same place. Big expensive job, that. Are
    there people who sell this service? 'Cause anybody you'd trust to do
    this would have to be at least as good as your best security analyst,
    preferably better. Hard to find such people.
    
    -Bennett
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:01 PDT