Peter Chubb wrote:
--- the hardest (and most important) bit is first coming up
with a reasonable security policy, and then working out how to
implement it.
And security policies may be subdivided into:
1. Generic Security Policies - those that pertain to the administration and control of the physical equipment, e.g., location, physical access procedure, equipment, maintenance, who is permitted, etc. This may also include procedures that pertain to the preparation of the computer systems, specifications, configuration, deployment, and maintenance. This may also include policies pertaining to the daily operation and maintenance of the computer systems. I always include 'that which is not required is always removed from the OS'.
2. Specific Security Policies - those that pertain to the specific services that may be allowed, pop, imap, smtp, http, ftp, etc., and who or which departments are allowed to have these services. I also include the policy that 'what is not expressly allowed is not permitted'.
O Plameras
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
