FORESEC Academy Security Essentials (II). Basic Security Policy. Preface.
It never ceases to amaze me that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy,” but nobody ever explains what the policy is, let alone how to write or evaluate it.
That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, “The Roadmap,” a usable and effective policy. Thank you!
- What is expected of users
- What you plan on doing
- How you plan on doing it
- What other people are required to do
- Program Policy
- Issue-specific Policy
- System-specific Policy
An effective and realistic Security Policy is the key to effective and achievable security.
- draft a policy
- approve a policy
- implement a policy
- The “important bid” story
- When is it okay to violate or change
- Who has the authority to do it?
- What are the risks involved?
- Who has the title
- Who is listed at the top of the
- Who gets things done
- Who really makes decisions
- Enterprise-wide/corporate policy
- Division-wide policy
- Local policy
- Issue-specific policy
- Procedures and checklists
where, and when.
- Does it contain the expected
- Is it clear?
- Is it concise?
- Is it realistic?
- Does it provide sufficient guidance?
- Is it consistent?
- Is it forward-looking?
- Are there means to keep it current?
- Is the policy readily available to those who need it?
- Various practices risk the introduction of viruses into systems and networks
- Define the scope
- Layer the defense strategy
- Identify responsibilities
- Measure the effectiveness
- Password assessment is a necessary part of security, but may appear illegal if carried out without proper authority/safeguards
- Identify the risks
- Enumerate the countermeasures
- Enable administrators to legally assess
- Escrow passwords for use during incidents
- Backups are critical to protect information and allow disaster recovery, but are often
- Identify backups as critical
- Empower system administrators
- Provide for exceptions when necessary
- Make sure the policy is implemented