NETWORK WORLD NEWSLETTER: DAVE KEARNS ON IDENTITY MANAGEMENT 09/15/04 Today's focus: Mailbag: Use of the words 'Policy' and 'Rules', Part 2
By Dave Kearns

As long as I keep hearing from you on the topic of defining "policy," "rules," "policy-based management" and "rule-based management" I'll keep presenting your views. Today we'll hear from two more correspondents.

First, Azi Cohen, CEO of Eurekify ( <http://www.eurekify.com/> ) weighs in. Note that Eurekify's catch phrase is "Enabling true role-based management." In contrast (although in a different context) to what I quoted reader Jeff Davis as saying in the last issue, Cohen notes that policies are sometimes easier to formulate and modify than rules.
Jeff Davis, a director of product architecture at Safestone and our correspondent last issue, laid out a scheme where policies are paper-based and purposely difficult to change (the phrase "engraved in paper" comes to mind). Further, rules enforcing the policies are fairly easy to modify to meet the needs of an organization's various sub-entities (divisions, departments, groups, etc.).

Cohen, though, brings up a counter-example. He notes: "In many identity management implementations we find out that while it is easy to set the de-facto policies (i.e. group X of employees that share the same access rights to group of resources Y) it is very difficult to set the deployment rule associated with the groups."

This is especially prevalent, according to Cohen, in the fluid corporation - one that is involved in mergers, acquisitions, divestitures and reorganizations (that covers just about all of you, doesn't it?). While the access rules for a particular group are easy to write initially, as others are added to or removed from the group, their attributes - the basis of the rules enforced - differ, sometimes markedly, from what the original deployment guidelines indicated.

Consul Risk Management Chief Technologist Kris Lovejoy evidently took the weekend off to pen a novelette for me. She started writing about "policies" but evidently, the document took on a life of its own to encompass "Information Security." I'll be referring back to this document periodically but for right now, we'll look at what Lovejoy has to say about "policy." It is interesting that the word "rule" doesn't occur in her discussion at all. She says:

"According to Webster's, a 'Policy' is 'definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions'.
Within the realm of information security, a policy sets the course: defining how confidentiality, integrity, and availability of information and technology assets can be achieved and maintained (example, Acceptable Use Policy).

"Again, according to Webster's, a 'Standard' is something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality. Within the realm of Information Security, a standard is typically collections of system-specific or procedural-specific requirements that must be met by everyone (example: Windows 2000 Hardening Requirements).

"A 'guideline' is typically a collection of system specific or procedural specific 'suggestions' for best practice. They are not requirements to be met, but are strongly recommended (a.k.a., an optional standard).

"Generally, security policies refer to standards and guidelines existing within an organization. Of course, the ISO17799 Standard requires implementation of a policy - but who wants to split hairs?"

Policies, rules, standards, procedures, groups, roles - where does it end? Maybe, just maybe, in the next issue. Stay tuned!

_______________________________________________________________

To contact: Dave Kearns

Dave Kearns is a writer and consultant in Silicon Valley. He's written a number of books including the (sadly) now out of print "Peter Norton's Complete Guide to Networks." His musings can be found at Virtual Quill <http://www.vquill.com/>.

Kearns is the author of three Network World Newsletters: Windows Networking Tips, Novell NetWare Tips, and Identity Management. Comments about these newsletters should be sent to him at these respective addresses: <mailto:[EMAIL PROTECTED]>, <mailto:[EMAIL PROTECTED]>, <mailto:[EMAIL PROTECTED]>.

Kearns provides content services to network vendors: books, manuals, white papers, lectures and seminars, marketing, technical marketing and support documents. Virtual Quill provides "words to sell by..."
Copyright Network World, Inc., 2004
