Once I arrived, he asked me to install a firewall so that his network would be secure. He gave me a curious look and asked, "What do I need that for?" What a perfect opening for a book covering the means and ways of writing and enforcing security policies within organizations.

Scott Barman has been involved with information security for almost 20 years, nurturing the evolution of systems and their security requirements for commercial organizations and government agencies. Since the explosion of the Internet, and prior to joining MITRE, he has focused on various areas of security and policy development for many organizations in the Washington, D.C. area. An interview with Scott Barman is available here. Barman divides his book into four parts, describing the vital steps from starting the policy process, through writing the policies, to maintaining them.
The last section of the book contains appendixes that present several sample security policies and guide the reader to both electronic and paper information security resources. Information security policies are sets of high-level plans that describe the organization's overall security in general terms. The author notes that although policies do not discuss how, properly defining what is being protected ensures that the proper controls are implemented.
Whether you are insuring your assets through an insurance company, developing new software solutions or trying to keep your company environment virus-free, security policies can help a great deal, since they can address every operating segment within your organization. When starting the security policy process you will certainly need to identify which assets should be protected and therefore covered by the security policy. Hardware and software objects such as computer equipment, operating systems, applications and source code should be covered.

Because the policies must go beyond the categories just mentioned, every aspect of the technical business process should also be documented. Seemingly unimportant items such as blank invoices, letterhead paper and similar inventory should also be referenced in the security policy, as they can be used to impersonate the company.

The important questions when determining policy needs are: what will be protected, from whom it will be protected, and how it will be protected. The second part of the book covers methods and tips for writing the security policies.
This section is divided into seven thematic chapters, each covering one aspect of overall security. The chapter on physical security discusses several perspectives of a secure physical installation, focusing on the quality of the working environment, computer location, facility construction and the creation of facility access controls. I should note that this part of the book also hosts a collection of very interesting snippets containing paragraphs from example security policies.

They are placed after each subsection, giving readers in-depth information on the structure of actual security policies. The next topics covered are the sets of policies regarding authentication and network security. Here the author discusses how to manage the state of network security, focusing mainly on network addressing, issuing IP addresses as the network expands, and login security.
If you ever wanted to know why someone has an e-mail address like u domain, this is where it is discussed. The Internet, as the most used information highway, should also be covered by a productive set of security policies.

Barman notes that Internet security policies can be difficult to write because the technology changes rapidly; for that reason, the writer can approach these policies by dividing the technologies into logical groups. Huge numbers of electronic messages travel over the Internet every second. While e-mail has many bright sides, it also has negative sides that increasingly affect organizations.

The spread of Internet worms, viruses and trojans, and the sending of massive amounts of unsolicited commercial e-mail, are just some of the hot topics in Internet messaging. Because of that, e-mail security policies must have a notable section within the family of Internet-related policies.

Also covered in this part of the book are security policies dealing with malware activities (the worms, trojans and viruses already mentioned), managing digital encryption and guarding against its possible misuse, and software development policies as a means of stopping the creation of potential vulnerabilities. After reading the first two parts of the book, you have a detailed overview of what security policies are and how to approach the job of writing and categorizing them.
This important document, the acceptable use policy (AUP), should be short and deal with the most important matters users will come across. A two-page reprint of an actual AUP can be seen in the last part of the book, which contains the appendixes.

Also covered in the appendixes are sample policies on e-mail security, as well as several administrative policies.
What I think of it

As I expected from an author experienced in this field, security policies are covered in a way that is easily readable and understandable for every interested party.
Writing Information Security Policies
What Information Security Policies Are. About Information Security Policies. Why Policies Are Important. When Policies Should Be Developed.