On 10/01/06 12:41 +0530, Lalit Gupta wrote:
Hi,
As such there is no need of asking User's to sign individual policies.
Also, if you modify certain policy tomorrow, would you be again going to
each individual user and get it signed again?
Why not? If it gets too painful for you to do this, don't change
policies that often.
My dear friend, according to me, best is ask them to sign a document
which clearly states that "I would abide by and follow all
organizational policies". May be you would like to add the location of
policies also. This would suffice the job. Later on, if you would have
to modify the policies, you can do that easily.
And if the organisational policies change tomorrow, as an end user,
I want to know. Some policies may not be acceptable to me, and I sure
would like to be able to add my comments on those (and optionally quit).
Far more importantly, if policies change and I am _not_ informed, I can
very well violate an acceptable policy unknowingly.
Organization of policies would be easy, if you create a master policy
document and add all policies as appendix to that. You can get this
master policy itself signed by your user.
This is a good idea.
For the purpose of your Users to READ your policies, introduce some kind
of Objective Test based on your policies and make it mandatory to pass
in that test to get through the CONFIRMATION PROCESS in your
organization.
Bleh. Not necessarily a good idea. You end up with parrots.
Regards,
Lalit Gupta, Specialist-Information Security
(: 5219
Great LGSI Great Security
-----Original Message-----
From: Neksus [mailto:neksus@gmail.com]
Sent: Tuesday, January 10, 2006 2:35 AM
To: security-management@securityfocus.com
Subject: How to organize a lot of policies?
Hello,
I am currently working on rewriting / re-working security policies and
there are a *lot* of policies. I'm thinking it's probably not a good
idea to have users sign them all (especialy if they don't apply to
them). What I would like to do is structure them in an easy to
organize/update scheme.
I have a couple of strategies in mind and would appreciate some input.
1. Have a mother-security policiy which will basically say "be nice",
then point to other specific policies (email use, VPN use,
developper's code of conduit, etc.) for more specific details. This
approach is really a "company wide" approach where 1 signature means
the user agrees to all the policies in place. It's easy but there is
no or very low customization possible.
I would go this way. A small, single policy document which works for
everything. Then additional small documents for specific purposes if
needed. Ideally, you should not need much more.
"I will not divulge information proprietary to the company." is a good
clause.
This make policies more general, smaller and more effective.
2. Have a fair usage policies that is wider than the one above and ask
the user's supervisor to make sure the users signs the right ones. I
guess this could be seen as a role-based. If a user is a developper,
he would have to sign X number of policies that would apply to him. I
think this is hard to track.
One of the major goal is to be able to have specific
policies/standards/procedures that are easily understandable by the
common user and not just a "sign here" type of document. By focusing
on the role of the user, I hope he/she will take the time to read what
applies to himself.
Smaller documents are more likely to be read. Avoid legal language,
avoid documents in ALL CAPS, give real reasons for policies and you will
find happier users who will actually be willing to follow policies.
Devdas Bhagat
