RE: Proxy server hit... Any ideas?

From: Åke Nordin (Ake.Nordinat_private)
Date: Fri Nov 22 2002 - 04:37:10 PST

Next message: Valdis.Kletnieksat_private: "Re: Proxy server hit... Any ideas?"

Previous message: Captain James T Kirk: "RE: Proxy server hit... Any ideas?"
Maybe in reply to: Mike Cain: "Proxy server hit... Any ideas?"
Next in thread: Valdis.Kletnieksat_private: "Re: Proxy server hit... Any ideas?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Maybe slightly off-topic, feel free to advise me of better foras...

At 09:07 2002-11-20 -0600, Mike Cain wrote:
> I have just got back from meeting
> with management to suggest some policies, now they want me to write an
> IT policies handbook, guess I asked for that one huh? :)

Consider yourself lucky. This is about your only chance to introduce
some security awareness in your organisation. Just don't push too
hard...

> So where should I start looking for de-facto policies, and such? Or

RFC 2196 aka Site Security Handbook is usable on a technical level.
It may or may not be pertinent to your requirements.

The general ideas behind ISO17799 are (mostly) fairly sound (bar
it's pushing of security by obscurity in one place), but far too 
heavyweight in it's wording. It is indeed a cousin to ISO 9001...

ISO17799 started out as BS7799 part 1, the corresponding BS7799 
part 2 is just the requirements clauses with all security 
recommendation stuff cut out. I've found it useful to turn those
clauses in the latter to questions: "do we address this?" "if so, 
how?". Your answers to this would be your policy. 

Be careful with wordings, you've got to cover your bases and be 
general enough that "a little tweaking" of a bad usage makes it 
compliant to the policy (if not to it's intention).

See also <<http://www.xisec.co.uk/>> for the BS7799 editor pages.

> should I just use my best judgment? I'm thinking the latter is a bad
> idea because if one doesn't pan out, then they say, "Well... YOU wrote
> them..." :) 

Use standards as a checklist. Try to keep your sanity by giving 
your own answers, not some boilerplate from the standards or 
handbooks. As always, the KISS principle applies to the real 
world, if not to the standards (they are after all designed by 
committees...)

And please note that the ISO/BS stuff addresses "Information security" 
from an "organisational" point of view, it's not just (nor even 
primarily) about network and computer security technology measures.
To be fair, it does emphasise well that "security is a process".

-- 
  .
 /Ake Nordin   ECsoft:        +46-8-506 11100  ake.nordinat_private
 Damian Conway: "The programmer is fighting against the two most
 destructive forces in the universe: entropy and human stupidity."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Valdis.Kletnieksat_private: "Re: Proxy server hit... Any ideas?"
Previous message: Captain James T Kirk: "RE: Proxy server hit... Any ideas?"
Maybe in reply to: Mike Cain: "Proxy server hit... Any ideas?"
Next in thread: Valdis.Kletnieksat_private: "Re: Proxy server hit... Any ideas?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 08:57:57 PST