RE: Policy ? (was RE: Penetration Tests)
Gary Crumrine (gcrum@us-state.gov)
Tue, 30 Sep 1997 06:14:25 -0400
- Next message: Leonard Miyata: "Re: firewalls and the incoming traffic problem"
- Previous message: Edward Cracknell: "Re: Policy ? (was RE: Penetration Tests)"
- In reply to: Capt Jim Bailey - SSG/SINS - DSN 596-6106: "Policy ? (was RE: Penetration Tests)"
- Next in thread: Paul D. Robertson: "Re: Penetration Tests"
I think Ed makes a very subtle, but good point with his
tiered suggestion. Put it in the perspective of the user
audience. What you would provide to the operations staff,
will be very different than what the average user would
need. If the document is too cumbersome, the user will
just sign off that they read it and forget it due to
information overload. It is unfortunate that we still have
to deal with some pretty computer illiterate users. But
that is a fact of life that we will see continue for quite
a while. I cannot go to my challenged users with
instructions, rules and such and expect them to make sense
of it all. Education is the key to enforcement, but
simplicity, and being able to tailor the policy to the user
environment may just be the lynchpin in the process.
<snip>
| Hope this isn't going to drift too far off-topic;
|
| Well, the response to my original mails has fully satisfied my
| requirements. I have other people's valued opinions, some
| confirmations and pointers to new products/techniques.
|
| Other than building a 'policy' directly from the guidelines in
| RFC1244, I think most organisations need one developing for them.
| Simply because they do not understand how all-encompassing this
| thing has to be. Do commercial organisations go as far as NOT
| marking the computer room on the blueprints before filing them at
| the public records office?
|
| Even before most businesses connected to the Internet, or had any
| sort of elaborate networks in place, they had 'Non-disclosure'
| references in the employees' contracts. There were also lists of
| company 'rules' - do's and don'ts, and this is what we start with
| when defining a policy.
|
| Maybe it isn't so easy in larger organisations, and so a tiered
| policy, with levels of implementation might work better, but then
| there is always the danger that the wrong 'level' of security is
| used in the wrong place.
|
| -------------------------------------------------------------
| Edward Cracknell
| Security Administrator/Author
| edward@SecurIT.net
| --------- Okay, who put a "stop payment" on my reality check? -----------
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:59 CDT