Security Policy Issues
Featuring 55 Papers as of June 22, 2015
eAUDIT: Designing a generic tool to review entitlements
by Francois Begin - June 22, 2015
In a perfect world, identity and access management would be handled in a fully automated way.
The Integration of Information Security to FDA and GAMP 5 Validation Processes
by Jason Young - February 5, 2015
In reviewing the failures of information security (InfoSec) through the lifecycle management of information systems within the pharmaceutical industry, analysis starts with the governing validation process for the qualification of information systems.
Incident Response: How to Fight Back
by Alissa Torres - August 13, 2014
- Associated Webcasts: Incident Response Part 1: Incident Response Techniques and Processes: Where We Are in the Six-Step Process; Incident Response Part 2: Growing and Maturing An IR Capability
- Sponsored By: Intel Security, AccessData Corp., Arbor Networks, HP, Carbon Black, AlienVault
A spate of high-profile security breaches and attacks means that security practitioners find themselves thinking a lot about incident response. A new SANS incident response survey explores how practitioners are dealing with these numerous incidents and provides insight into incident response plans, attack histories, where organizations should focus their response efforts, and how to put all of the pieces together.
Using the Department of Defense Architecture Framework to Develop Security Requirements
by James E. A. Richards - February 10, 2014
Integrated architectures embody the discernable parts of a system and their relationships with each other in a single, normalized data repository.
Controlling Vendor Access for Small Businesses
by Chris Cain - September 17, 2013
A vendor access policy is a great way to supplement any security policy.
Corporate vs. Product Security
by Philip Watson - May 22, 2013
When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.
Information Risks & Risk Management
by John Wurzler - May 1, 2013
In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.
Recovering Security in Program Management
by Howard Thomas - October 3, 2012
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
Net Neutrality, Rest in Peace
by James Mosier - October 11, 2011
No one would argue that the Internet has become an instrumental part of society. With broadband access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.
Reducing the Risks of Social Media to Your Organization
by Maxwell Chi - September 1, 2011
Social media is "the internet and mobile technology based channels of communication in which people share content with each other. Examples are social networking sites such as Facebook and Twitter." (Financial Times Lexicon, 2011).
Scoping Security Assessments - A Project Management Approach
by Ahmed Abdel-Aziz - June 7, 2011
Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.
Which Disney© Princess are YOU?
by Joshua Brower - March 18, 2010
Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is that of questionnaires, be it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
Understanding the Importance of and Implementing Internal Security Measures
by Michael Durgin - September 27, 2007
Many Information Technology professionals concentrate on securing the perimeter of their network, ignoring the possibility of internal attacks. Internal security incidents can be much more costly than external attacks, and are more likely to succeed due to internal knowledge of the corporation. This paper will focus on the importance of internal security, types of incidents, motives, potential loss, and how to defend against them. It will show how many external incidents are successful due to inside knowledge of the organization, inside help, or are performed by insiders using the anonymity of the Internet.
Risks and Rewards of Instant Messaging in the Banking Sector
by Nicholas Rose - June 13, 2005
This paper seeks to explain these risks and to recommend current best practice for addressing them. This is to block all of these services at the proxy servers using a blocking product and then to selectively allow properly controlled and authorized IM and P2P services to take place through an IM enabling gateway.
Security In An Open Environment Such As A University?
by Carol Templeton - May 5, 2005
This paper will discuss a definition, the needs, and the goals of an open environment like a university; examine a process of developing an authorized framework and team for university information security; present some of the attitudes and perspectives that can help or hinder security implementation, as revealed through personal experience; and identify security resources that can be used for effective information security development and improved security perspectives.
Information Security Policy - A Development Guide for Large and Small Companies
by Sorcha Diver - March 2, 2004
Elements that need to be considered when developing and maintaining information security policy. This SANS whitepaper goes into the design for a suite of information security policy documents and the accompanying development process.
Protecting Your Corporate Network from Your Employee's Home Systems
by Todd Rosenberry - February 9, 2004
In addition to the protection provided by a strong perimeter firewall, implemented by security conscious corporations, the challenge of security becomes much greater when employee home systems are allowed to access the corporate network via a Virtual Private Network (VPN).
Security Process for the implementation of a Company's extranet network
by Kirk Steinklauber - July 14, 2003
This paper explores the development of the security process required to build an effective standard policy to cover a company's network perimeter.
The social approaches to enforcing information security
by Roger Gilhooly - June 27, 2003
This paper focuses on enforcing information security using social approaches in the business environment.
Security considerations with Squid proxy server
by Eric Galarneau - May 23, 2003
This paper will cover various security aspects and recommendations to improve Squid's overall security during its installation time.
Creating an IT Security Awareness Program for Senior Management
by Robert Nellis - May 8, 2003
This paper will present an approach to creating and deploying a security awareness program with senior management as the intended audience.
Guidelines for an Information Sharing Policy
by Chris Gilbert - March 20, 2003
This paper presents a set of guidelines which may be used in the creation of an Information Sharing Policy for small organizational units.
Security Policies: Where to Begin
by Laura Wills - February 8, 2003
The intent of this paper is to guide you through the process and considerations when developing security policies within an organization; however it will not attempt to write the initial policies.
Developing a Security Policy - Overcoming Those Hurdles
by Chris Wan - January 16, 2003
This paper describes the real-life experiences involved in developing a security policy and gaining its endorsement in a medium-sized company.
Peer-to-Peer File-Sharing Networks: Security Risks
by William Couch - September 8, 2002
The rise and evolution of the peer-to-peer (P2P) file-sharing networks and some of the reasons for their popularity are introduced in this paper, along with the security implications to users' computers, networks, and information.
Building and Implementing an Information Security Policy
by Martyn Elmy-Liddiard - April 30, 2002
This paper describes a process of building and implementing an Information Security Policy.
Developing Security Policies: Charting an Obstacle Course
by Rosemary Sumajit - April 4, 2002
This paper discusses the issues faced by those at my educational institution in trying to develop security policies.
Sensitive But Unclassified
by Andrew Helyer - April 3, 2002
In this report, one will learn about the differences between classified and unclassified information and about the many names by which sensitive information may be labeled.
Deception: A Healthy Part of Any Defense in-depth Strategy
by Paul Anderson - March 25, 2002
This paper will define and discuss the major components of a multi-layered defense with special emphasis on security policies and their framework, how it can be used by the defender, deception tools used in a defensive strategy, and its role in a multi-layered defense.
One Approach to Enterprise Security Architecture
by Nick Arconati - March 14, 2002
This paper discusses an approach to Enterprise Security Architecture, including a security policy, security domains, trust levels, tiered networks, and most importantly the relationships among them.
Defining Policies Using Meta Rules
by Dan McGinn-Combs - March 14, 2002
This paper seeks to initiate a discussion on how to design and implement security policies within a company.
A Preparation Guide to Information Security Policies
by David Jarmon - March 12, 2002
This paper introduces basic concepts, common security threats, and key components necessary to facilitate the process of developing a Security Policy.
The Use of Case Law in Negotiating the Acceptance of Post Secondary Computer Policies
by George Koszegi - March 10, 2002
This author provides a compelling argument to facilitate cooperation and compliance of adopting a policy scheme that will act as the first line of defense for organizations and provides a framework for the development of Acceptable Use Computer Policies.
Security Policies in a Global Organization
by Gerald Long - February 25, 2002
This paper addresses the concept of creating a tiered structure Information Security Policy and a tiered approval structure, whereby some policies apply globally throughout the organization, and other policies apply to specific geographical, or regional entities.
Formulating a National Cryptography Policy: Relevant Issues, Considerations and Implications for Sin
by Francis Goh - February 11, 2002
This paper provides insight into the relevant issues, considerations and implications necessary for formulating an effective National Cryptography Policy, taking into account the protection of privacy, intellectual property, business and financial information, as well as the needs for law enforcement and national security.
Security, It's Not Just Technical
by Kevin Dulany - January 15, 2002
The goal of this paper is to introduce the need for an adequate information security policy within your respective workplace or organization.
Systems Maintenance Programs - The Forgotten Foundation and Support of the CIA Triad
by Farley Howard - January 10, 2002
A well engineered maintenance program that takes advantage of correlations between maintenance procedures and the CIA Triad will not only assist in operational readiness, but can also provide an invaluable supplement and enhancement to any existing security program.
An Overview of Corporate Computer User Policy
by Philip Kaleewoun - December 27, 2001
This paper will discuss what should be covered in a corporate computer user policy that sets the overall tone of an organization's security approach. The intended audience is primarily information technology professionals.
When Policies that have 'Always Worked', Don't or "The Mask of the Code
by Rich Parker - November 25, 2001
This paper outlines a failure of our 'human systems' due to a limitation in our thinking about our procedures that could easily have had catastrophic results.
No Budget, No Policy: Leading the Bull by the Nose or Thank God for the Cisco IOS Firewall Feature S
by Richard Haynal - November 17, 2001
This paper describes how I converted our perimeter router into a stateful firewall.
Creating an Information Systems Security Policy
by Walter Patrick - October 29, 2001
This paper addresses the steps necessary for creating an Information Systems (IS) Security Policy.
Impact of HIPAA Security Rules on Healthcare Organizations
by Tim Ferrell - October 4, 2001
This paper focuses on the impact of the Security rules as mandated by HIPAA regulations for healthcare organizations that transmit or possess protected health information.
Security Policy Roadmap - Process for Creating Security Policies
by Chaiw Kee - October 2, 2001
This paper presents a systematic approach in developing computer security policies and procedures, along with a discussion on Policy Life Cycle.
Congratulations to the New Security Manager
by Nancy Carpenter - September 24, 2001
The job of a Computer Security Manager is very complex, a role that is evolving as our technology advances. This paper outlines some general requirements, information resources and examples to help you get started.
Technical Writing for IT Security Policies in Five Easy Steps
by Patrick Lindley - September 20, 2001
This paper points new policy technical writers in the right direction and provides a solid foundation from which to start.
Developing Effective Information Systems Security Policies
by Daniel Lee - September 10, 2001
This paper takes a top-down approach and provides a high-level overview for developing effective information systems policies.
Developing Security Policies For Protecting Corporate Assets
by Jasu Mistry - August 31, 2001
The paper focuses on some aspects of a security policy with an aim to protect assets from risk.
by Dennis Spalding - August 28, 2001
This paper addresses some technologies and procedures that can minimize the potential damage from internal and external malicious attacks, misconfiguration (vendor or administrator), and user ignorance.
Federal Systems Level Guidance for Securing Information Systems
by James Corrie - August 16, 2001
This paper describes federal systems level guidance for securing information systems.
Security Policy: What it is and Why - The Basics
by Joel Bowden - August 14, 2001
This paper gives you a better understanding of what a Security Policy is and how important it can be.
Managing Internet Use: Big Brother or Due Diligence?
by Steve Greenham - July 18, 2001
This paper describes the major risks of granting widespread Internet access along with suggestions to mitigate them.
Social Engineering - For the Good Guys
by James Keeling - July 16, 2001
This paper focuses on the importance of a good security policy, management buy-in, the security team and ways to promote compliance by the practical application of social engineering.
Leveraging a Securing Awareness Program from a Security Policy
by Howard Uhr - July 11, 2001
This paper addresses the benefits of leveraging both a Security Awareness program and a Security Policy.
Development of an Effective Communications Use Policy
by Tim Neil - July 2, 2001
This paper identifies the most common elements of an effective Communications Use Policy, discusses why these elements are necessary and offers guidance in the furtherance of having a successful policy.
Acceptable Use Policy Document
by Raymond Landolo - June 12, 2001
This paper provides an example of an acceptable use policy for information resources.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.