
RE: How to organize a lot of policies?

Subject: RE: How to organize a lot of policies?
Date: Tue, 10 Jan 2006 12:41:35 +0530
Hi,

As such, there is no need to ask users to sign individual policies.
Also, if you modify a certain policy tomorrow, would you again be going to
each individual user to get it signed again?

My dear friend, according to me, the best is to ask them to sign a document
which clearly states that "I would abide by and follow all
organizational policies". Maybe you would like to add the location of
the policies also. This would suffice for the job. Later on, if you have
to modify the policies, you can do that easily.

Organization of policies would be easy if you create a master policy
document and add all policies as appendices to it. You can get this
master policy itself signed by your users.

For the purpose of getting your users to READ your policies, introduce some kind
of objective test based on your policies and make it mandatory to pass
that test to get through the CONFIRMATION PROCESS in your
organization.

Regards,

Lalit Gupta, Specialist-Information Security


Great LGSI Great Security

-----Original Message-----
From: Neksus [mailto:neksus@gmail.com] 
Sent: Tuesday, January 10, 2006 2:35 AM
To: security-management@securityfocus.com
Subject: How to organize a lot of policies?

Hello,

I am currently working on rewriting / re-working security policies and
there are a *lot* of policies. I'm thinking it's probably not a good
idea to have users sign them all (especially if they don't apply to
them). What I would like to do is structure them in an easy to
organize/update scheme.

I have a couple of strategies in mind and would appreciate some input.

1. Have a mother security policy which will basically say "be nice",
then point to other specific policies (email use, VPN use,
developer's code of conduct, etc.) for more specific details. This
approach is really a "company wide" approach where 1 signature means
the user agrees to all the policies in place. It's easy but there is
no or very low customization possible.

2. Have a fair usage policy that is wider than the one above and ask
the user's supervisor to make sure the user signs the right ones. I
guess this could be seen as role-based. If a user is a developer,
he would have to sign X number of policies that would apply to him. I
think this is hard to track.

One of the major goals is to be able to have specific
policies/standards/procedures that are easily understandable by the
common user and not just a "sign here" type of document. By focusing
on the role of the user, I hope he/she will take the time to read what
applies to himself.

Any thoughts?
Thanks!
(N)


