Linux Archive


Paweł Ch. 10-09-2010 07:34 PM

Security policy
 
Hi,
I must create a security policy for my company.
Can someone send me an example security policy? Especially with a division into user, administrator and boss.

Thanks

Andrew Reid 10-09-2010 08:42 PM

On Saturday 09 October 2010 15:34:58 Paweł Ch. wrote:
> Hi,
> I must create a security policy for my company.
> Can someone send me an example security policy? Especially with a division into
> user, administrator and boss.

There are a number of free public resources available from the
US National Institute of Standards and Technology. A former
employer of mine used Special Publication 800-53 as a baseline
for a security policy.

Besides providing a list of recommendations, it also has
pretty good discussions of the "whys" behind them, and the
cost-benefit trade-offs that must be made.

A list of NIST security division's publications is here:
<http://csrc.nist.gov/publications/PubsFL.html>

SP 800-53 itself is here, in PDF format:

<http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf>

-- A.
--
Andrew Reid / reidac@bellatlantic.net


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201010091642.51833.reidac@bellatlantic.net

Camaleón 10-10-2010 01:04 PM

On Sat, 09 Oct 2010 16:42:51 -0400, Andrew Reid wrote:

> On Saturday 09 October 2010 15:34:58 Paweł Ch. wrote:

>> I must create a security policy for my company. Can someone send me
>> an example security policy? Especially with a division into user,
>> administrator and boss.
>
> There are a number of free public resources available from the
> US National Institute of Standards and Technology. A former employer of
> mine used Special Publication 800-53 as a baseline for a security
> policy.
>
> Besides providing a list of recommendations, it also has
> pretty good discussions of the "whys" behind them, and the cost-benefit
> trade-offs that must be made.
>
> A list of NIST security division's publications is here:
> <http://csrc.nist.gov/publications/PubsFL.html>
>
> SP 800-53 itself is here, in PDF format:
>
> <http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf>

I'm adding to the list the SANS Institute guidelines, which provide
sample templates for many purposes:

http://www.sans.org/security-resources/policies/

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.10.10.13.04.13@gmail.com

"B. Alexander" 10-10-2010 04:58 PM

On Sat, Oct 9, 2010 at 3:34 PM, Paweł Ch. <pch0317@gmail.com> wrote:

> Hi,
> I must create a security policy for my company.
> Can someone send me an example security policy? Especially with a division into user, administrator and boss.
>
> Thanks


Yeah, as the other posters have said, you should focus on guidelines. Each security policy is as different as a fingerprint, even between two divisions of the same company.

Since you appear to be in Europe, if you are looking for standards-compliance, you might check ISO27001 and the SANS documents.


If you are in the US, those, plus the NIST Special Publication 800 series or the DoD's docs (which I haven't worked much with). Then there is PCI, FFIEC, etc for the banking industry. Gives new meaning to "The great thing about standards is that there are so many to choose from..."


HTH,
--b


All times are GMT.
