Is this policy a "Corporate" policy? If that's the case you should not
do this alone. A corporate policy comes from executive level and is then
published to employees. This policy must set expectations for security
behavior and it also sets the core for IT to secure systems based on
this policy and its expectations.
I just completed one and it took "US" more than 3 months and is not even
published yet. You must meet with department managers or VPs to ensure
that the policy meets company security requirements but yet that it does
not restrict business processes. It is critical to identify what needs
to be secured, how can the security admin secure it, and what is
expected from employees. This document will lay the foundation for
security architecture for current and future systems. It can be as
lengthy as needed depending on how many different areas need to be
addressed in the policy.
I've participated in 3 such procedures and one thing I've learned is
that you have to keep a "business-oriented" mind when putting a security
policy in place. As security admins we like the challenge of locking
everything up but in reality that can also prevent business units from
performing the way the company expects them to.
Identify who should have a say in this policy.
Identify areas of concern (sensitive, critical, communications, etc...)
Identify ownership of areas to address
Draft the policy in compliance to the rest of company
Make sure HR has a chance to review it
Publish it.
I've had better success when I form a team to provide input before
moving forward. It may even be necessary to have a few meetings to shine
some light on security and why it is important to draft a policy.
Hope this helps
-----Original Message-----
From: Chris Hammer [mailto:CHammer@fcbnm.com]
Sent: Wednesday, August 23, 2006 10:55 AM
To: security-basics@securityfocus.com
Subject: Writing a comprehensive Network Policy
Hello,
I am currently writing a network policy for our business. I am having
trouble figuring out exactly what I should put into it while meeting
these requirements:
1.) Should be a policy and not a procedure
2.) Keep the standard 3-5 page policy length
3.) Policy should cover network architecture including: routers,
switches, hubs, firewalls, etc....
Any examples or a general idea of where to start would be appreciated!
Cheers,
CH
------------------------------------------------------------------------
---
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
