Network Security Security-Management
Re: third party access information

Subject: Re: third party access information
Date: 10 Aug 2004 20:01:52 -0000
In-Reply-To: <20040806155109.67689.qmail@web40506.mail.yahoo.com>

A good place to begin is with ISO17799 - Code of Practice For Information 
Security Management. Section 4.2 of that code deals with 3rd party access and 
the management of that particular risk. With a little imagination, the section 
can even be seen to provide policy statements for the management of this type 
of risk.

As to other comments in this stream about policy (what is and is not policy), 
these are questions that are debated in every corner of our trade. Once again, 
here is my two cents' worth on what constitutes policy, standards, etc.:

Policy - Definition: a policy is a high-level statement of enterprise beliefs, 
goals, and objectives and the general means for their attainment for a 
specified subject area. 

Because policy is written at a high level, organizations must also develop 
standards and procedures that offer clear steps to implementing the policy and 
meeting the organization's business objectives or mission. A policy is not a 
specific and detailed description of the situation and every step needed to 
implement the policy.  

Key Points:
o When developing the policy, there is as much danger in saying too much as 
there is in saying too little.  
o The policy should provide the direction required by the organization while 
maintaining business unit management discretion in the actual implementation of 
the policy.  
o The more intricate and detailed the policy, the more frequent the update 
requirements and the more complicated the training process for employees.
o While it is important to keep to the facts and keep the document brief, it is 
also important to include a clear discussion on the proprietary rights of the 
organization.  
o The employees deserve to know what is expected of them and how they will be 
appraised with respect to their obligations.  
o By establishing well-written policies, the enterprise can expect that 
management will (if properly trained) take approximately the same course of 
action in similar circumstances.

Standard - Standards are mandatory activities, actions, rules, or regulations 
designed to provide policies with the support structure, and specific direction 
they require to be meaningful and effective. They are often expensive to 
administer and, therefore, should be used judiciously.

Guidelines - Guidelines are more general statements that are designed to 
achieve the policy's objectives by providing a framework within which to 
implement procedures.  Where standards are mandatory, guidelines are 
recommendations.
