[olug] Computer Security Policy
Dan Anderson
dan-anderson at cox.net
Tue Nov 30 04:20:19 UTC 2010
Hi,
+1 on the SANS suggestion... That's a good place to get a policy for
an assignment like this. You aren't likely to get too many actual
corporate policies - these are generally considered confidential to
one degree or another.
For this assignment, I'd probably select a "policy" like an Internet
usage policy or acceptable use policy. This is likely what they
expect and will be pretty easy to write about/discuss.
That said, the rest of this is less about those two examples of "policies."
> - Have you seen security policies work to keep information and the networks
> of your employer safe?
Absolutely. A proper security policy framework is essential for
security. Like a foundation, you can build a great security program
on top of properly designed policies, but just as a foundation is not a
complete building, a security policy is also not a comprehensive
security program by itself.
> - What is needed in a security policy to make it strong and thorough?
1. Management support from the highest levels.
2. See #1 :)
3. Policies should be high-level and relatively constant over time.
More fluid standards should be derived from the application of the
high-level policy as it relates to specific technology and process
needs, and specific, detailed operational procedures can be developed
that ensure compliance with the standards, etc.
4. Some degree of risk analysis (formal or informal depending on the
environment) should (read: MUST) be undertaken prior to the creation
of policy. (I suspect SANS also has some useful info related to this
activity)
5. Policy exists to support the business - not the other way around.
> - Do you have any examples of a security policy being effective and
> ineffective?
Not specifically, but huge successes and spectacular failures usually,
IMO, directly relate to the things mentioned above.
Good luck on your project!
Dan