
| Subject: | RE: How to organize a lot of policies? |
|---|---|
| Date: | Mon, 16 Jan 2006 15:15:43 +0530 |
Hi Devdas,

One should not look into these matters with a closed mind. Policies should be planned for the sake of the whole organization, so they should be planned in a manner which would augment the cause of the whole organization with ease for the implementers and users of the policy.

> Why not? If it gets too painful for you to do this, don't change policies that often.

I agree with you that policies should not be changed often. They should be a standard document. Only procedures may change in due course of time. Also, I reiterate that users should not be bothered to individually sign all the policies if there is any change in policies.

> And if the organisational policies change tomorrow, as an end user, I want to know. Some policies may not be acceptable to me, and I sure would like to be able to add my comments on those (and optionally quit). Far more importantly, if policies change and I am _not_ informed, I can very well violate an acceptable policy unknowingly.

No, as a part of the organization and under the agreement, you cannot end up refusing to accept any organization policies. If you want to be part of that system, you have to accept and follow all the policies. As such, if there are any changes in policies, they are communicated to all relevant users in the organization. If you as an individual are not aware of changes that were made and communicated, you as a user are at fault. Every user must keep himself updated on the organization's policies and procedures. It is for this purpose that awareness programmes are conducted in an organization; if you opt not to attend these programmes, it is not the organization's fault that you are not aware of the policies.

> Bleh. Not necessarily a good idea. You end up with parrots.

If the users are of the mindset that policies are just for namesake and "I need not read or follow them", or "I should not be aware of the modifications/changes in policies", at that time you require some kind of steps which force users to read and follow the policies.

I think now you would have got the gist of what I was trying to say.

Regards,
Lalit Gupta

-----Original Message-----
From: Devdas Bhagat [mailto:devdas@dvb.homelinux.org]
Sent: Friday, January 13, 2006 10:13 PM
To: security-management@securityfocus.com
Subject: Re: How to organize a lot of policies?

On 10/01/06 12:41 +0530, Lalit Gupta wrote:
> > Hi,
> >
> > As such there is no need to ask users to sign individual policies. Also, if you modify a certain policy tomorrow, would you again go to each individual user and get it signed again?
>
> Why not? If it gets too painful for you to do this, don't change policies that often.
>
> > My dear friend, according to me, the best is to ask them to sign a document which clearly states that "I would abide by and follow all organizational policies". Maybe you would like to add the location of the policies also. This would suffice for the job. Later on, if you have to modify the policies, you can do that easily.
>
> And if the organisational policies change tomorrow, as an end user, I want to know. Some policies may not be acceptable to me, and I sure would like to be able to add my comments on those (and optionally quit). Far more importantly, if policies change and I am _not_ informed, I can very well violate an acceptable policy unknowingly.
>
> > Organization of policies would be easy if you create a master policy document and add all policies as appendices to it. You can get this master policy itself signed by your users.
>
> This is a good idea.
>
> > For the purpose of getting your users to READ your policies, introduce some kind of objective test based on your policies and make it mandatory to pass that test to get through the CONFIRMATION PROCESS in your organization.
>
> Bleh. Not necessarily a good idea. You end up with parrots.
> > Regards,
> > Lalit Gupta, Specialist-Information Security (: 5219
> > Great LGSI Great Security
> >
> > -----Original Message-----
> > From: Neksus [mailto:neksus@gmail.com]
> > Sent: Tuesday, January 10, 2006 2:35 AM
> > To: security-management@securityfocus.com
> > Subject: How to organize a lot of policies?
> >
> > Hello,
> >
> > I am currently working on rewriting / re-working security policies and there are a *lot* of policies. I'm thinking it's probably not a good idea to have users sign them all (especially if they don't apply to them). What I would like to do is structure them in an easy to organize/update scheme. I have a couple of strategies in mind and would appreciate some input.
> >
> > 1. Have a mother security policy which will basically say "be nice", then point to other specific policies (email use, VPN use, developer's code of conduct, etc.) for more specific details. This approach is really a "company wide" approach where 1 signature means the user agrees to all the policies in place. It's easy but there is no or very low customization possible.
>
> I would go this way. A small, single policy document which works for everything. Then additional small documents for specific purposes if needed. Ideally, you should not need much more. "I will not divulge information proprietary to the company." is a good clause. This makes policies more general, smaller and more effective.
>
> > 2. Have a fair usage policy that is wider than the one above and ask the user's supervisor to make sure the users sign the right ones. I guess this could be seen as role-based. If a user is a developer, he would have to sign X number of policies that would apply to him. I think this is hard to track. One of the major goals is to be able to have specific policies/standards/procedures that are easily understandable by the common user and not just a "sign here" type of document. By focusing on the role of the user, I hope he/she will take the time to read what applies to himself.
>
> Smaller documents are more likely to be read. Avoid legal language, avoid documents in ALL CAPS, give real reasons for policies and you will find happier users who will actually be willing to follow policies.
>
> Devdas Bhagat