
Re: Security policy exceptions template?

Subject: Re: Security policy exceptions template?
Date: 1 Nov 2004 22:02:40 -0000
In-Reply-To: <5383591.1098970428472.SLOX.WebMail.wwwrun@mail.synaxis.org>

I think the issue in your organisation lies in your second-to-last paragraph: 
"the question is how to approve and document exceptions to the policy" and I 
have to ask you, how did you gain approval for the policy itself - and from 
whom?

Although I fear that it may not be the answer, I'm hoping that you would be 
able to say, "From the Executive Committee" and then I'd be able to say, "Well 
my friend, you have your Executive Committee appoint someone to act on their 
behalf to review requests for policy exceptions and to make recommendations to 
the Executive Committee on whether or not to grant them."

Absenting all that, (and here I'm assuming something else entirely - that you 
got your policy as a sop to make you be quiet and go away and that there is 
little management interest in an actual, effective information security 
program) then here's a suggestion (well, two, actually): Send out an 
all-company email telling everyone that exceptions to policy must be approved 
by an XXX-level manager and that the XXX-level manager must maintain the 
following documentation on the exception and review it at least annually 
(naturally, you will also append the documentation). If that sounds like career 
suicide, here's my second suggestion - similar to the first. You send out the 
all-company email but you say that YOU must approve all etc., etc., etc. and 
then you embark on a campaign to educate your management on what a risk this 
non-separation of duties represents for your company.

Hope this helps.

John A Blackley
