Security Policy [7:52061]
Hi All,

does anyone have a copy of a security policy (like a corporate security outline for the company) that they are willing to share, so I can create one using that as a template/guide?

Thanks all

John
Sydney, Australia

visit http://www.solution6.com
UK Customers - http://www.solution6.co.uk

This email message (and attachments) may contain information that is confidential to Solution 6. If you are not the intended recipient you cannot use, distribute or copy the message or attachments. In such a case, please notify the sender by return email immediately and erase all copies of the message and attachments. Opinions, conclusions and other information in this message and attachments that do not relate to the official business of Solution 6 are neither given nor endorsed by it.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52061&t=52061
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Security Policy [7:52061]
Hello John,

It might be difficult to get a company security policy. Usually the security policy is internal use only. The second reason is, there should be no general templates for security policy, as each company is unique and has different preferences in taking risks.

There are some books that describe what should be inside the security policy, and these big points can be used as guidelines. Will try to find out some book titles.

Regards,
Leonard Ong, CISSP, CSS-1, CCSE, MCSE, MCDBA, CCNP, CCDP, NSA, LCP
Network Security Specialist, APAC
NOKIA
Email. [EMAIL PROTECTED]
Mobile. +65 9431 6184
Phone. +65 6723 1724
Fax. +65 6723 1596

-----Original Message-----
From: ext John Brandis [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 1:08 PM
To: [EMAIL PROTECTED]
Subject: Security Policy [7:52061]

Hi All,

does anyone have a copy of a security policy (like a corporate security outline for the company) that they are willing to share, so I can create one using that as a template/guide?

Thanks all

John
Sydney, Australia

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52066&t=52061

RE: Security Policy [7:52061]
I think this will help you.

http://www.cisco.com/warp/public/126/secpol.html

Regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52067&t=52061

RE: Security Policy [7:52061]
John,

Security policies are for internal use and each security policy varies from company to company. If you do a search on the net for "security policy" you will find plenty of information that will help you to accomplish your goal. There is a lot of information on the Cisco web site. A good example is available in the book Managing Cisco Network Security.

Thanks,

Juan Blanco

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Brandis
Sent: Monday, August 26, 2002 1:08 AM
To: [EMAIL PROTECTED]
Subject: Security Policy [7:52061]

Hi All,

does anyone have a copy of a security policy (like a corporate security outline for the company) that they are willing to share, so I can create one using that as a template/guide?

Thanks all

John
Sydney, Australia

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52072&t=52061

RE: Security Policy [7:52061]
At 11:01 AM + 8/26/02, Juan Blanco wrote:
>John,
>
>Security policies are for internal use and each security policy varies from
>company to company. If you do a search on the net for "security policy" you
>will find plenty of information that will help you to accomplish your goal.
>There is a lot of information on the Cisco web site. A good example is
>available in the book Managing Cisco Network Security.
>
>Thanks,
>
>Juan Blanco

I generally agree. One thing to remember is the security POLICY should be short (a page or two), approved and enforced by top management, cleared by legal, and be the basis for the security architecture and implementation.

For example, at the moment, I'm doing the policy and plan for a service provider that handles personal medical data. There are quite a number of specific legal requirements that apply to them. Military systems have levels of security and work in different environments (e.g., all users have or do not have the same clearance), so there's no cookie-cutter approach there. In the case I'm working with, I think some of the Drug Enforcement Administration directives for protecting systems that can electronically prescribe narcotics are vast overkill, but, so I know I meet them, I'm using some techniques that variously are used for nuclear weapons control and the identity of spies.

A large retail chain would have a different policy, as would a financial institution.

Frankly, I've never needed to use one of the books devoted to security policy. I do like _Internet Cryptography_ by Smith, and Annlee Hines' (an occasional list contributor) new book, _Planning for Survivable Networks_. Far less readable, but with a great deal of information, are selected Rainbow Series books from the NSA (especially the "understanding" guides). See http://www.fas.org/irp/nsa/rainbow.htm

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>John Brandis
>Sent: Monday, August 26, 2002 1:08 AM
>To: [EMAIL PROTECTED]
>Subject: Security Policy [7:52061]
>
>Hi All,
>
>does anyone have a copy of a security policy (like a corporate security
>outline for the company) that they are willing to share, so I can create one
>using that as a template/guide?
>
>Thanks all
>
>John
>Sydney, Australia

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52082&t=52061

RE: Security Policy [7:52061]
While security policies need to be unique per organization, there are some common elements that can be recycled.

Just to give an example, how about the handling of passwords? Really, do you need to re-create the piece of the policy that says passwords need to be protected, must be of a certain length, and mixed characters? It really doesn't matter if the policy is for Van Kamps fish sticks factory, or for the DEA: both need to ensure that they have some baseline protection for passwords.

The below book may help, the high price tag buys you a one-organization copyright. Having a ready-made template can save some time, and enable you to focus on the more unique aspects of the organization's requirements without spending all your time re-inventing the wheel.

To that end, John, the following may be useful to you. Check it on Amazon.

Information Security Policies Made Easy Version 8
by Charles Cresson Wood

HTH,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52134&t=52061

RE: Security Policy [7:52061]
>While security policies need to be unique per organization, there are some
>common elements that can be recycled.
>
>Just to give an example, how about the handling of passwords? Really, do
>you need to re-create the piece of the policy that says passwords need to be
>protected, must be of a certain length, and mixed characters? It really
>doesn't matter if the policy is for Van Kamps fish sticks factory, or for
>the DEA: both need to ensure that they have some baseline protection for
>passwords.

Password structure is too detailed for the security policy, although it's necessary in the security design. The policy should state something on the order that people must protect their passwords, whether they can or cannot change their own, etc.

And things do vary even here. The DEA, for electronic controlled substance prescribing, also requires digital signatures and biometrics for some functions.

>The below book may help, the high price tag buys you a one-organization
>copyright. Having a ready-made template can save some time, and enable you
>to focus on the more unique aspects of the organization's requirements
>without spending all your time re-inventing the wheel.
>
>To that end, John, the following may be useful to you. Check it on Amazon.
>
>Information Security Policies Made Easy Version 8
>by Charles Cresson Wood
>
>HTH,
>
>Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52143&t=52061

RE: Security Policy [7:52061]
Howard C. Berkowitz wrote:
>
> Password structure is too detailed for the security policy, although
> it's necessary in the security design. The policy should state
> something on the order that people must protect their passwords,
> whether they can or cannot change their own, etc.
>

OK, the part about protecting/changing passwords is a given, but I wonder about your comment that "password structure is too detailed..."

...where to put the details about that which you are trying to protect...in a SOP on passwords? or possibly as appendix to the official security policy?

My view of security policy is that it needs to lay the law, include specifics on complying with said law, and detail the penalties for non-compliance. Telling people that they need to protect their passwords is not enough, they need to know what the organization considers protecting said passwords.

Without these specifics, I could make the case that writing my password backwards on a sticky note and placing it in my wallet is protection enough, and why not, the policy only told me to protect it, it did not tell me the required manner and depth of the protection.

Can you clarify further where you would put such details?

TIA,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52237&t=52061

RE: Security Policy [7:52061]
>Howard C. Berkowitz wrote:
>>
>> Password structure is too detailed for the security policy, although
>> it's necessary in the security design. The policy should state
>> something on the order that people must protect their passwords,
>> whether they can or cannot change their own, etc.
>>
>
>OK, the part about protecting/changing passwords is a given, but I wonder
>about your comment that "password structure is too detailed..."
>
>...where to put the details about that which you are trying to protect...in
>a SOP on passwords? or possibly as appendix to the official security policy?
>
>My view of security policy is that it needs to lay the law, include
>specifics on complying with said law, and detail the penalties for
>non-compliance. Telling people that they need to protect their passwords is
>not enough, they need to know what the organization considers protecting
>said passwords.
>
>Without these specifics, I could make the case that writing my password
>backwards on a sticky note and placing it in my wallet is protection enough,
>and why not, the policy only told me to protect it, it did not tell me the
>required manner and depth of the protection.
>
>Can you clarify further where you would put such details?

In a security procedures manual. Think of the security policy, in part, as something that you might have to explain to nontechnical people in court, indicating your management thought of the issues.

So, the company security manual might say "writing your password down can be disciplined, initially by one week suspension with pay. Giving the password to an unauthorized person outside the organization is grounds for immediate termination.

"Passwords may not be a word in any language, spelled forward or backward. They must be at least x characters long and contain at least y numbers or special characters. Managers may require certain key passwords to be escrowed, with a copy placed in designated secure storage"

The policy will say "passwords and other identification devices will be protected. Employees violating this policy face sanctions up to and including dismissal and/or appropriate civil or criminal action."

>TIA,
>
>Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52245&t=52061

RE: Security Policy [7:52061]
I'd be interested in something like this too, to use as a template. Perhaps someone has a generic dummy security policy from a class or something they can share.

tm

Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: John Brandis [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 1:08 AM
To: [EMAIL PROTECTED]
Subject: Security Policy [7:52061]

Hi All,

does anyone have a copy of a security policy (like a corporate security outline for the company) that they are willing to share, so I can create one using that as a template/guide?

Thanks all

John
Sydney, Australia

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52252&t=52061

RE: Security Policy [7:52061]
SANS has a great collection of canned policies that are VERY thorough. Grab 'em.

-----Original Message-----
From: Tim Medley
To: [EMAIL PROTECTED]
Sent: 8/28/2002 5:52 PM
Subject: RE: Security Policy [7:52061]

I'd be interested in something like this too, to use as a template. Perhaps someone has a generic dummy security policy from a class or something they can share.

tm

Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: John Brandis [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 1:08 AM
To: [EMAIL PROTECTED]
Subject: Security Policy [7:52061]

Hi All,

does anyone have a copy of a security policy (like a corporate security outline for the company) that they are willing to share, so I can create one using that as a template/guide?

Thanks all

John
Sydney, Australia

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52284&t=52061

RE: Security Policy [7:52061]
Policy is not a place to put detailed information. It is a place to state how management feels about the importance of security in the organization, and who should execute further security practices.

Procedure is a detailed step by step on how to do things.

Guidelines are a generic approach to a specific issue.

Password Policy is likely to be correctly termed as Password guidelines or procedure depending on their level of detail.

>OK, the part about protecting/changing passwords is a given, but I wonder
>about your comment that "password structure is too detailed..."

Regards,
Leonard Ong, CISSP, CSS-1, CCSE, MCSE, MCDBA, CCNP, CCDP, NSA, LCP
Network Security Specialist, APAC
NOKIA
Email. [EMAIL PROTECTED]
Mobile. +65 9431 6184
Phone. +65 6723 1724
Fax. +65 6723 1596

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52336&t=52061