Actually, policies are broad-reaching statements of what Senior Management's views on security are. They are not all-encompassing documents, nor do they have all the details of how the controls are to be applied; those are done in the processes and procedures of the implementation of the controls (technical, administrative, and physical) to meet the letter of the policy. You have system-specific policies to cover things like email use and internet use (usually covered under an acceptable use policy, or broken out into its own policy altogether).

I tend to favor the approach of more individual/system-specific policies that are linked back to the greater institution security policy but cover the required items facing the business. I do agree that if HR isn't a partner with you from the beginning then you have less muscle in the policy, but if Management doesn't support or enforce the policy, then the policy isn't worth the paper it's written on, and trust me, there are plenty of managers out there that don't enforce the policies they should be enforcing, which sets a bad tone for their companies accordingly. Nobody comes out unscathed from policy writing or enforcement, nor is it a pretty process, but it is necessary to maintain law and order within the organization, or things will run wild in a hurry and you will be looking at the wild wild west, with no recourse, as compared to structure and organization accordingly.

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

From: Jon Harris [mailto:[email protected]]
Sent: Tuesday, May 04, 2010 3:21 PM
To: NT System Admin Issues
Subject: Re: Internet Policies

When you are building the policy, put everything you can in it to deal with as many issues as possible: issues like who can and cannot install software, and what kind of monitoring is allowed on the clients or in the network traffic. Get HR involved early on and make sure there are some real teeth in the policy, and don't go with something that is easy to work around. Been there and gotten bitten more than one time. If you are one of the few that still allows users to be power users or admins, now is the time to strip them of this if you can. Since the CEO/Owner is concerned, work fast; their attention span is not as long as a millisecond.

Jon

On Tue, May 4, 2010 at 2:53 PM, Angus Scott-Fleming <[email protected]> wrote:

On 4 May 2010 at 12:39, Murray Freeman wrote:

> Well, as long as we're discussing IM, we don't allow it currently. But, I
> have trouble understanding how IM is better than either email or a meeting,
> or using a telephone to accomplish the very same thing as an IM. Can someone
> explain that to me? Oh, we've recently adopted social networking for our
> organization, but primarily for our membership. I'm having trouble
> understanding how social networking will help our members too!

IM is "Instant" whereas email isn't, but it can be ignored if you're on a critical phone call or busy doing something that requires thought, which a phone call can't. I use IM with my-son-the-university-tech-support-geek when I'm picking his brains while debugging a client situation that's more up his alley; it's very useful, as I can get links from him and dump screenshots back to him instantly, which email doesn't allow. Also, for a multi-building company I can see where an internal Jabber network could be very useful.

Social networking is a different disallowed beast altogether IMHO, although I can see where LinkedIn might be useful in some businesses.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
