Network Security Library

Security Policies



Subcategories


Policy Guides
Sample Policies




Newest Security Policies White Papers

Computer security means establishing policies
Security policies are only part of an effective computer security program, but they are the core on which the rest of the program is built. In this brief article targeted towards the business world, the necessity for an information security policy is presented. Information Security IS policies.
04/17/2004


The Firewall has been Installed, Now What? Developing a Local Firewall Security Policy
Given the responsibility of configuring firewalls for a departmental network, I discovered that a local firewall security policy had not been written. This paper details the process I used to draft a perimeter device security policy for these firewalls. The firewall policy at the end of this document completes the policy draft process. The information gathered to draft a local firewall policy also led to the creation of a PIX Firewall Security Services and Requirements matrix. This matrix maps HIPAA and local security requirements to the security technology solutions provided by the PIX firewall.
04/05/2004


Adventures in implementing a strong password policy
Password authentication is high in the list of potential security vulnerabilities. In the October 2001 SANS/FBI Top 20 list, absent or inadequate passwords placed second. The revised SANS Top 20 list, first appearing in October 2002, moved password vulnerabilities down to seventh place, but they were still a major potential systems risk. This case study relates our experiences in strengthening our password policy. Passwords turned out to be only a starting point. We effectively strengthened our overall policy, but we also learned that sometimes strong password policies and practices combined with human factors can interfere not just with convenience, but with actual usability and needed access. This paper explores the issues we had to negotiate in strengthening our passwords, some of the special situations which had to be handled as exceptions to the policy, and our planned future directions.
03/28/2004


Electronic Data Retention Policy
Imagine this scenario. During a routine staff meeting, a coworker from the legal department alerts your team to the fact that a sexual harassment case has recently been filed against an employee. Since both the plaintiff and the defendant use electronic systems that you administer, your assistance is required. Therefore, they need all the electronic documents owned or edited by the employees regardless of where that data may be stored. They need everything from the previous twelve months. This includes all forms of electronic information including email messages sent and received. Backup tapes must be checked as well. Since this is an active case, you can no longer delete any electronic information that could potentially be relevant to this case since it may be requested for evidence as well. Consequently, you may no longer be able to recycle backup tapes or clean up disk space until the case is over. Failure to preserve potential evidence could result in sanctions.
03/24/2004


Inadequate Password Policies Can Lead To Problems
Password policies are necessary to protect the confidentiality of information and the integrity of systems by keeping unauthorized users out of computer systems. The fundamental protection of computers and networks (the password) is still in use. However, not all companies yet realize the risks they are taking by having poor password policies. The risks include user confusion, system denial-of-service issues and user education problems if the policy is not communicated clearly to the users.
03/24/2004


Combating the Lazy User: An Examination of Various Password Policies and Guidelines
A variety of password policies and guidelines are publicly available on the Internet. Most of them establish a set of rules which are either required or recommended for the user to follow when creating a password. Such rules include, but are not limited to, specifications for the length of the password, the character set(s) to be used, and whether or not dictionary words are allowed in the password. (A complete password policy also discusses many additional topics, such as how often passwords must be changed, but those additional aspects of password policies are not the subject of this paper.) This paper demonstrates that many published policies and guidelines will allow for the creation of weak passwords by lazy or inexperienced users. Such passwords may provide a relatively easy method of attack using custom dictionaries and readily available password cracking tools. This paper also makes recommendations by which the Security Administrator can improve the strength of the passwords.
03/24/2004


Acceptable Use: Whose Responsibility Is It?
This paper focuses on the Information Technology and Information Security ramifications of acceptable computer use policy and attempts to show how responsibility can be shared with the less technical Human Resources and Legal departments. The goals of the policy are to (1) meet productivity goals of the Human Resources department; (2) meet liability concerns of the Legal department; (3) protect the organization’s information and technical resources; and (4) meet the security goals of the Information Technology and Information Security departments.
03/23/2004


Introduction to Security Policies, Part Two: Creating a Supportive Environment
As we concluded the first article of this series, we pointed out that policies in themselves are ineffective; their effectiveness is directly proportional to the support they receive from the organization. Thus it is crucial that the organization be aware of the importance of security policies and create an environment in which security is given a high priority. The bigger the organization, the more important this support becomes. This article will go over a few of the things that can be done to ensure that security policies are given the full support of the management of the organization, which will thereby increase the efficacy of the policies.
03/22/2004


Introduction to Security Policies, Part One: An Overview of Policies
This is the first in a series of four articles devoted to discussing how information security policies can be used as an active part of an organization's efforts to protect its valuable information assets. In a world that is essentially technology driven, where the latest IIS exploit is countered with a mad rush to install the relevant patch and where the number of different operating systems in a network exceeds the number of hairs on the security administrator's head that haven't turned gray, policies give us an opportunity to change the pace, slow things down and play the game on our own terms. Policies allow organizations to set practices and procedures in place that will reduce the likelihood of an attack or an incident and will minimize the damage that such an incident can cause, should one occur.
03/22/2004


Introduction to Security Policies, Part Four: A Sample Policy
This is the fourth in a four-part overview of security policies. In the first article, we looked at what policies are and what they can achieve. The second article looked at the organizational support required to implement security policies successfully. The third installment discussed how to develop and structure a security policy. This installment will take a look at a few examples of security policies.
03/22/2004



Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget
