Monday, 19 October 2009

Structuring a Security Policy - Part 2

Following on from last week's post on security policy writing, below is a proposed XML template for IT security policies. It is designed to standardise policy production, ensuring that no information is missed and that policies are easy to locate. A policy written in this framework would be stored on an intranet, with different users given different levels of access. A simple set of rules applied by an XSLT processor would then provide automated numbering, links between policy, procedure and implementation, and formatted documentation ready to print at the level of detail required, for the period required.

The XML is designed to be used for the bulk of the actual policies, but for documentation purposes these need to be bookended with administrative information at the front (such as scope descriptions and change control information) and appendices at the back (containing forms, training documentation and other related documents). Full versions of the XML without comments are available at the end of the post.
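To show the kind of processing the post describes (hierarchical numbering, cross-links between policy, procedure and implementation, and output filtered by the reader's access level), here is an added Python example that is not the post's template or its XSLT. It assumes a hypothetical schema of nested policy, procedure and implementation elements, each with an access level, and a constructed sample document; a real deployment would express the same rules in XSLT against the post's own template.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a hypothetical policy > procedure > implementation schema (not the post's template).
SAMPLE = """<policies>
 <policy id="access" level="all"><title>Access Control</title>
  <text>Users authenticate with unique credentials.</text>
  <procedure id="provision" level="staff"><title>Account Provisioning</title>
   <text>Managers request access through the service desk.</text>
   <implementation id="groups" level="admin"><title>Directory Groups</title>
    <text>Access is granted via role groups, per <ref target="provision"/>.</text>
   </implementation></procedure></policy>
 <policy id="passwords" level="all"><title>Passwords</title>
  <text>Passwords are never shared; see <ref target="access"/>.</text></policy>
</policies>"""
LEVELS = {"all": 0, "staff": 1, "admin": 2}   # ascending clearance
SECTIONS = ("policy", "procedure", "implementation")

def number_sections(root):
    """Map each section id to a hierarchical number (1, 1.1, 1.1.1) in document order."""
    numbers = {}
    def walk(parent, prefix):
        for n, sec in enumerate((c for c in parent if c.tag in SECTIONS), 1):
            num = f"{prefix}.{n}" if prefix else str(n)
            numbers[sec.get("id")] = num
            walk(sec, num)
    walk(root, "")
    return numbers

def flatten(elem, numbers):
    """Join text and <ref/> children, replacing each ref with its target's section number."""
    out = [elem.text or ""]
    for child in elem:
        if child.tag == "ref":
            out.append("section " + numbers[child.get("target")])
        out.append(child.tail or "")
    return "".join(out).strip()

def render(xml_text, audience):
    """Return the numbered lines an audience may see; sections above its level are dropped."""
    root = ET.fromstring(xml_text)
    numbers = number_sections(root)   # number the full tree so references stay stable
    lines = []
    def walk(parent):
        for sec in (c for c in parent if c.tag in SECTIONS):
            if LEVELS[sec.get("level")] > LEVELS[audience]:
                continue              # above the reader's clearance: hide it and its children
            lines.append(f"{numbers[sec.get('id')]} {sec.findtext('title')}: "
                         f"{flatten(sec.find('text'), numbers)}")
            walk(sec)
    walk(root)
    return lines
```

Numbering the whole tree before filtering means a general-staff printout still cites "section 1.1" correctly even though the admin-only implementation detail beneath it is omitted.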

Monday, 12 October 2009

Structuring a Security Policy - Part 1

Rather than giving guidance on the production of an individual policy, this post is designed to describe a generic process for the production of security policies.

Writing a security policy can sometimes seem like an exercise in minutiae. Starting with a clear concept of the purpose and audience of the security policy will speed up the drafting process and result in a more concise, readable document. There are two competing tensions in all work policies: they must assist workers to make sound, sensible, legal decisions, and they must describe the consequences for employees who fail to abide by the requirements. Any new security policy should aim to be a combination of both of these, putting the carrot and the stick into one document. IT security is a complex subject that is baffling to outsiders, some of whom will need guidance and some of whom will not follow any advice unless it comes with a threat.

Monday, 5 October 2009

What Is Wrong With The Internet

The Anti-Phishing Working Group (APWG) has just released its Phishing Activity Trends Report (pdf) for the first half of 2009, and as expected it shows a marked increase in the number of malware instances. In particular, the APWG notes a massive increase in the variety and quantity of rogue anti-malware programs (unwittingly installed software which offers to remove non-existent malware infections). Luis Corrons, PandaLabs Technical Director, states in the report that the second quarter of 2009 showed "the emergence of four times as many samples as in all of 2008." The report also shows a doubling of the varieties of banking malware, increases in the number of compromised websites, and all-round bad news. Is the internet broken?