LINUX SECURITY --- November 07, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
-----------------------------------------------------------------------
HIGHLIGHTS
* Developing a strong corporate security policy
-----------------------------------------------------------------------
Corporate Security Policies
By Rick Johnson
As your organization grows, the number of security decisions increases
as well. One day, you decide all passwords must be changed at 90-day
intervals; the next, you decide to disable remote access to all
servers. Commendable decisions, but a problem still exists. How are
these changes tracked? Who is responsible for remembering what is
affected? The answer should be no one. Ideally, these changes will be
located in your corporate security policy.
Is a security policy necessary? Is it worth the time and effort
required? If you are even asking yourself these questions, then you
must know the answer is yes! However, the development of a security
policy is no small task. First, you must decide what audiences must be
addressed -- typically, the following groups:
* Customers
* End Users
* Management
* Internal Information Systems/Security
Next, decide the key areas that need coverage. A basic policy will
contain detailed policies in some or all of the following categories.
Of course, all of this can change depending on your business model.
* Software Security
* Network and Communication Security
* Data Integrity and Security
* Physical Security
* Human Resources and Password Security
Once the audience and topics have been chosen, the hard part begins:
defining the specific rules and policies for each section. Keep in
mind that these policies must be kept simple and easy to read, or most
employees will simply skim over the contents without ever fully
comprehending the seriousness of the document. To aid in deciding what
areas to cover, speak with various IS staffers and members of the
management team. They have been dealing with these questions on a
daily basis and can provide valuable insight.
For distribution, avoid paper copies of the policy. A potential
attacker could gain knowledge of the inner workings of the company if a
copy slips into the wrong hands. Instead, consider publishing the
policy on the corporate intranet.
Once the policy has been distributed to the company, the task of
enforcement is as simple as pointing out which rules must be followed.
Most employees have no problem complying with whatever policies are set
forth by management. The confusion usually happens when the policies in
question are verbal and no defined guidelines are present. Publishing
this policy internally can only make your job easier.
About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
-----------------------------------------------------------------------
ADDITIONAL RESOURCES
Was hack attack Microsoft's own fault?
Observers criticize software giant's attitude towards security
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,,1_3226,00.html
Interview: The Road from NT to 2000
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,2848,1_3236,00.html
IIS Unicode Bug Worst this Year
New exploit attacks database services
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,,1_3225.html
-----------------------------------------------------------------------