Hi,

The OSSTMM from Ideahamster http://www.ideahamster.org/ has actually gotten a lot of attention recently for writing security policies. In the module called Security Policy, there is a list of tasks that a security tester should "audit" in order to verify the policy against reality. When writing it, I don't think the idea was there that it could apply to using those tasks for writing a policy. Of course, policies are much more dynamic and involved but I think it's a decent starting point.
thanks,
-pete.

-----Original Message-----
From: leon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 21:30
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Basic Security Policy

If you understand the basics of what goes into a security policy then you really understand that a security policy is extremely dynamic and different for each organization and set of circumstances. So you really kind of sound like you have just about all the tools you need to sit down and write one. No one is going to be able to hand you one that is going to fit your organization perfectly.

Why not look at securityfocus for articles? They just did a series on writing a security policy (you can skip this if you feel you are 100 percent ready to go). If you need a template, there was someone who was looking for one in French on this list so you might want to try to contact them to see how they made out. Finally you could try http://www.ideahamster.org/ and see how that works for you.

Regards,
Leon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 5:17 AM
To: [EMAIL PROTECTED]
Subject: Basic Security Policy

Dear All,

I have just been put in charge of network security within our company and the first thing I need to do is define a Network Security Policy that we can apply to our Internet Services and customer intranets. I would like to have some input on things to add into the policy and possibly some links to example policies.

So far I have read RFC2196 which has given me some good insights, but I would like to not have to start from scratch as there is just one of me and I am limited for time. I have a good understanding of some of the things that should be in a Security Policy, but real-world help would be appreciated.

Many Thanks,
Dave Stout
Internet Security Engineer
