Security Policy Issues
Featuring 51 Papers as of September 17, 2013
-
Controlling Vendor Access for Small Businesses
Chris Cain - September 17, 2013
A vendor access policy is a great way to supplement any security policy.
-
Corporate vs. Product Security
Philip Watson - June 3, 2013
When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.
-
Information Risks & Risk Management
John Wurzler - May 1, 2013
In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.
-
Recovering Security in Program Management
Howard Thomas - October 3, 2012
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
-
Net Neutrality, Rest in Peace
James Mosier - October 11, 2011
No one would argue that the Internet has become an instrumental part of society. With broadband access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.
-
Reducing the Risks of Social Media to Your Organization
Maxwell Chi - September 1, 2011
Social media is "the internet and mobile technology based channels of communication in which people share content with each other. Examples are social networking sites such as Facebook and Twitter." (Financial Times Lexicon, 2011).
-
Scoping Security Assessments - A Project Management Approach
Ahmed Abdel-Aziz - June 7, 2011
Security assessments can mean different things to different people. This paper explores what a security assessment is, why it should be done, and how it differs from a security audit.
-
Which Disney© Princess are YOU?
Joshua Brower - March 18, 2010
Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is the questionnaire, be it a knock on the door to answer a survey for a census worker or a harmless quiz found on a social networking site. Depending upon their content, questionnaires can serve as a very powerful means of capturing and correlating information for nefarious purposes.
-
Understanding the Importance of and Implementing Internal Security Measures
Michael Durgin - September 27, 2007
Many Information Technology professionals concentrate on securing the perimeter of their network, ignoring the possibility of internal attacks. Internal security incidents can be much more costly than external attacks, and are more likely to succeed because the attacker has inside knowledge of the corporation. This paper focuses on the importance of internal security, types of incidents, motives, potential loss, and how to defend against them. It shows how many external incidents succeed because of inside knowledge of the organization or inside help, or are in fact carried out by insiders using the anonymity of the Internet.
-
Risks and Rewards of Instant Messaging in the Banking Sector
Nicholas Rose - June 13, 2005
This paper explains the risks that instant messaging (IM) and peer-to-peer (P2P) services pose to the banking sector and recommends current best practice for addressing them: block all of these services at the proxy servers using a blocking product, then selectively allow properly controlled and authorized IM and P2P traffic through an IM-enabling gateway.
-
Security In An Open Environment Such As A University?
Carol Templeton - May 5, 2005
This paper will discuss a definition, the needs, and the goals of an open environment like a university; examine a process of developing an authorized framework and team for university information security; present some of the attitudes and perspectives that can help or hinder security implementation, as revealed through personal experience; and identify security resources that can be used for effective information security development and improved security perspectives.
-
Information Security Policy - A Development Guide for Large and Small Companies
Sorcha Diver - March 2, 2004
This SANS whitepaper covers the elements that need to be considered when developing and maintaining information security policy, and describes the design of a suite of information security policy documents and the accompanying development process.
-
Protecting Your Corporate Network from Your Employee's Home Systems
Todd Rosenberry - February 9, 2004
Security conscious corporations protect themselves with a strong perimeter firewall, but the challenge becomes much greater when employee home systems are allowed to access the corporate network via a Virtual Private Network (VPN), since those systems sit outside the perimeter's protection.
-
Leveraging a Security Awareness Program from a Security Policy
Howard Uhr - October 31, 2003
This paper addresses the benefits of leveraging both a Security Awareness program and a Security Policy.
-
Danger Within
Dennis Spalding - October 31, 2003
This paper addresses some technologies and procedures that can minimize the potential damage from internal and external malicious attacks, misconfiguration (vendor or administrator), and user ignorance.
-
Creating an Information Systems Security Policy
Walter Patrick - October 31, 2003
This paper addresses the steps necessary for creating an Information Systems (IS) Security Policy.
-
An Overview of Corporate Computer User Policy
Philip Kaleewoun - October 31, 2003
This paper will discuss what should be covered in a corporate computer user policy that sets the overall tone of an organization's security approach. The intended audience is primarily information technology professionals.
-
Security considerations with Squid proxy server
Eric Galarneau - October 31, 2003
This paper will cover various security aspects and recommendations to improve Squid's overall security during its installation time.
-
The social approaches to enforcing information security
Roger Gilhooly - October 31, 2003
This paper focuses on enforcing information security using social approaches in the business environment.
-
Security Process for the Implementation of a Company's Extranet Network
Kirk Steinklauber - October 31, 2003
This paper explores the development of the security process required to build an effective standard policy to cover a company's network perimeter.
-
Acceptable Use Policy Document
Raymond Landolo - October 31, 2003
This paper provides an example of an acceptable use policy for information resources.
-
Developing a Security Policy - Overcoming Those Hurdles
Chris Wan - October 31, 2003
This paper describes the real-life experiences involved in developing a security policy and gaining its endorsement in a medium-sized company.
-
Guidelines for an Information Sharing Policy
Chris Gilbert - October 31, 2003
This paper presents a set of guidelines which may be used in the creation of an Information Sharing Policy for small organizational units.
-
Security Policies: Where to Begin
Laura Wills - October 31, 2003
The intent of this paper is to guide you through the process and considerations when developing security policies within an organization; however it will not attempt to write the initial policies.
-
Creating an IT Security Awareness Program for Senior Management
Robert Nellis - October 31, 2003
This paper will present an approach to creating and deploying a security awareness program with senior management as the intended audience.
-
Development of an Effective Communications Use Policy
Tim Neil - October 31, 2003
This paper identifies the most common elements of an effective Communications Use Policy, discusses why these elements are necessary, and offers guidance on putting a successful policy in place.
-
Social Engineering - For the Good Guys
James Keeling - October 31, 2003
This paper focuses on the importance of a good security policy, management buy-in, the security team and ways to promote compliance by the practical application of social engineering.
-
Managing Internet Use: Big Brother or Due Diligence?
Steve Greenham - October 31, 2003
This paper describes the major risks of granting widespread Internet access along with suggestions to mitigate them.
-
Security Policy: What it is and Why - The Basics
Joel Bowden - October 31, 2003
This paper gives you a better understanding of what a Security Policy is and how important it can be.
-
Federal Systems Level Guidance for Securing Information Systems
James Corrie - October 31, 2003
This paper describes federal systems level guidance for securing information systems.
-
Developing Security Policies For Protecting Corporate Assets
Jasu Mistry - October 31, 2003
The paper focuses on some aspects of a security policy with an aim to protect assets from risk.
-
Developing Effective Information Systems Security Policies
Daniel Lee - October 31, 2003
This paper takes a top-down approach and provides a high-level overview for developing effective information systems policies.
-
Technical Writing for IT Security Policies in Five Easy Steps
Patrick Lindley - October 31, 2003
This paper points new policy technical writers in the right direction and provides a solid foundation from which to start.
-
Congratulations to the New Security Manager
Nancy Carpenter - October 31, 2003
The job of a Computer Security Manager is very complex, and the role keeps evolving as technology advances. This paper outlines some general requirements, information resources, and examples to help you get started.
-
Security Policy Roadmap - Process for Creating Security Policies
Chaiw Kee - October 31, 2003
This paper presents a systematic approach in developing computer security policies and procedures, along with a discussion on Policy Life Cycle.
-
Impact of HIPAA Security Rules on Healthcare Organizations
Tim Ferrell - October 31, 2003
This paper focuses on the impact of the Security Rule mandated by the HIPAA regulations on healthcare organizations that transmit or possess protected health information.
-
No Budget, No Policy: Leading the Bull by the Nose or Thank God for the Cisco IOS Firewall Feature S
Richard Haynal - October 31, 2003
This paper describes how I converted our perimeter router into a stateful firewall.
-
When Policies that have 'Always Worked', Don't or "The Mask of the Code
Rich Parker - October 31, 2003
This paper outlines a failure of our 'human systems' due to a limitation in our thinking about our procedures that could easily have had catastrophic results.
-
Systems Maintenance Programs - The Forgotten Foundation and Support of the CIA Triad
Farley Howard - October 31, 2003
A well engineered maintenance program that takes advantage of correlations between maintenance procedures and the CIA Triad will not only assist in operational readiness, but can also provide an invaluable supplement and enhancement to any existing security program.
-
Security, It's Not Just Technical
Kevin Dulany - October 31, 2003
The goal of this paper is to introduce the need for an adequate information security policy within your respective workplace or organization.
-
Formulating a National Cryptography Policy: Relevant Issues, Considerations and Implications for Sin
Francis Goh - October 31, 2003
This paper provides insight into the relevant issues, considerations and implications necessary for formulating an effective National Cryptography Policy, taking into account the protection of privacy, intellectual property, business and financial information, as well as the needs for law enforcement and national security.
-
Security Policies in a Global Organization
Gerald Long - October 31, 2003
This paper addresses the concept of creating a tiered structure Information Security Policy and a tiered approval structure, whereby some policies apply globally throughout the organization, and other policies apply to specific geographical, or regional entities.
-
The Use of Case Law in Negotiating the Acceptance of Post Secondary Computer Policies
George Koszegi - October 31, 2003
The author argues for a policy scheme that acts as an organization's first line of defense, shows how case law can be used to win cooperation with and compliance to it, and provides a framework for developing Acceptable Use Computer Policies.
-
A Preparation Guide to Information Security Policies
David Jarmon - October 31, 2003
This paper introduces basic concepts, common security threats, and key components necessary to facilitate the process of developing a Security Policy.
-
One Approach to Enterprise Security Architecture
Nick Arconati - October 31, 2003
This paper discusses an approach to Enterprise Security Architecture, including a security policy, security domains, trust levels, tiered networks, and most importantly the relationships among them.
-
Defining Policies Using Meta Rules
Dan McGinn-Combs - October 31, 2003
This paper seeks to initiate a discussion on how to design and implement security policies within a company.
-
Deception: A Healthy Part of Any Defense in-depth Strategy
Paul Anderson - October 31, 2003
This paper defines and discusses the major components of a multi-layered defense, with special emphasis on security policies and their framework, how the defender can use deception, the deception tools used in a defensive strategy, and the role of deception in a multi-layered defense.
-
Sensitive But Unclassified
Andrew Helyer - October 31, 2003
In this report, one will learn about the differences between classified and unclassified information and about the many names by which sensitive information may be labeled.
-
Developing Security Policies: Charting an Obstacle Course
Rosemary Sumajit - October 31, 2003
This paper discusses the issues faced by those at my educational institution in trying to develop security policies.
-
Building and Implementing an Information Security Policy
Martyn Elmy-Liddiard - October 31, 2003
This paper describes a process for building and implementing an Information Security Policy.
-
Peer-to-Peer File-Sharing Networks: Security Risks
William Couch - October 31, 2003
The rise and evolution of the peer-to-peer (P2P) file-sharing networks and some of the reasons for their popularity are introduced in this paper, along with the security implications to users' computers, networks, and information.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
