Security Policy Issues
Featuring 52 Papers as of February 10, 2014
Using the Department of Defense Architecture Framework to Develop Security Requirements
James E. A. Richards - February 10, 2014
Integrated architectures embody the discernable parts of a system and their relationships with each other in a single, normalized data repository.
Controlling Vendor Access for Small Businesses Masters
Chris Cain - September 17, 2013
A vendor access policy is a great way to supplement any security policy.
Corporate vs. Product Security
Philip Watson - June 3, 2013
When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.
Information Risks & Risk Management
John Wurzler - May 1, 2013
In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.
Recovering Security in Program Management
Howard Thomas - October 3, 2012
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
Net Neutrality, Rest in Peace Masters
James Mosier - October 11, 2011
No one would argue that the Internet has become an instrumental part of society. With broad- band access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.
Reducing the Risks of Social Media to Your Organization
Maxwell Chi - September 1, 2011
Social media is "the internet and mobile technology based channels of communication in which people share content with each other. Examples are social networking sites such as Facebook and Twitter." (Financial Times Lexicon, 2011).
Scoping Security Assessments - A Project Management Approach
Ahmed Abdel-Aziz - June 7, 2011
Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.
Which Disney© Princess are YOU?
Joshua Brower - March 18, 2010
Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnairesbe it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
Understanding the Importance of and Implementing Internal Security Measures
Michael Durgin - September 27, 2007
Many Information Technology professionals concentrate on securing the perimeter of their network, ignoring the possibility of internal attacks. Internal security incidents can be much more costly than an attack from external incidents, and are more likely to succeed due to internal knowledge of the corporation. This paper will focus on the importance of internal security, types of incidents, motives, potential loss, and how to defend against them. It will show how many external incidents are successful due to inside knowledge of the organization, inside help, or are performed by insiders using the anonymity of the Internet.
Risks and Rewards of Instant Messaging in the Banking Sector
Nicholas Rose - June 13, 2005
This paper seeks to explain these risks and to recommend current best practice for addressing them. This is to block all of these services at the proxy servers using a blocking product and then to selectively allow properly controlled and authorized IM and P2P services to take place through an IM enabling gateway.
Security In An Open Environment Such As A University?
Carol Templeton - May 5, 2005
This paper will discuss a definition, the needs, and the goals of an open environment like a university; examine a process of developing an authorized framework and team for university information security; present some of the attitudes and perspectives that can help or hinder security implementation, as revealed through personal experience; and identify security resources that can be used for effective information security development and improved security perspectives.
Information Security Policy - A Development Guide for Large and Small Companies
Sorcha Diver - March 2, 2004
Elements that need to be considered when developing and maintaining information security policy. This SANS whitepaper goes into the design for a suite of information security policy documents and the accompanying development process.
Protecting Your Corporate Network from Your Employee's Home Systems
Todd Rosenberry - February 9, 2004
In addition to the protection provided by a strong perimeter firewall, implemented by security conscious corporations, the challenge of security becomes much greater when employee home systems are allowed to access the corporate network via a Virtual Private Network (VPN).
Leveraging a Securing Awareness Program from a Security Policy
Howard Uhr - October 31, 2003
This paper addresses the benefits of leveraging both a Security Awareness program and a Security Policy.
Dennis Spalding - October 31, 2003
This paper addresses some technologies and procedures that can minimize the potential damage from internal and external malicious attacks, misconfiguration (vendor or administrator), and user ignorance.
Creating an Information Systems Security Policy
Walter Patrick - October 31, 2003
This paper addresses the steps necessary for creating an Information Systems (IS) Security Policy.
An Overview of Corporate Computer User Policy
Philip Kaleewoun - October 31, 2003
This paper will discuss what should be covered in a corporate computer user policy that sets the overall tone of an organization's security approach. The intended audience is primarily information technology professionals.
Security considerations with Squid proxy server
Eric Galarneau - October 31, 2003
This paper will cover various security aspects and recommendations to improve Squid's overall security during its installation time.
The social approaches to enforcing information security
Roger Gilhooly - October 31, 2003
This paper focuses on enforcing information security using social approaches in the business environment.
Security Process for the implementation of a Companys extranet network
Kirk Steinklauber - October 31, 2003
This paper explores the development of the security process required to build an effective standard policy to cover a company's network perimeter.
Acceptable Use Policy Document
Raymond Landolo - October 31, 2003
This paper provides an example of an acceptable use policy for information resources.
Developing a Security Policy - Overcoming Those Hurdles
Chris Wan - October 31, 2003
This paper describes the real -life experiences involved in developing a security policy and gaining its endorsement in a medium sized company.
Guidelines for an Information Sharing Policy
Chris Gilbert - October 31, 2003
This paper presents a set of guidelines which may be used in the creation of an Information Sharing Policy for small organizational units.
Security Policies: Where to Begin
Laura Wills - October 31, 2003
The intent of this paper is to guide you through the process and considerations when developing security policies within an organization; however it will not attempt to write the initial policies.
Creating an IT Security Awareness Program for Senior Management
Robert Nellis - October 31, 2003
This paper will present an approach to creating and deploying a security awareness program with senior management as the intended audience.
Development of an Effective Communications Use Policy
Tim Neil - October 31, 2003
This paper identifies the most common elements of an effective Communications Use Policy, discusses why these elements are necessary and offer guidance in the furtherance of having a successful policy.
Social Engineering - For the Good Guys
James Keeling - October 31, 2003
This paper focuses on the importance of a good security policy, management buy-in, the security team and ways to promote compliance by the practical application of social engineering.
Managing Internet Use: Big Brother or Due Diligence?
Steve Greenham - October 31, 2003
This paper describes the major risks of granting widespread Internet access along with suggestions to mitigate them.
Security Policy: What it is and Why - The Basics
Joel Bowden - October 31, 2003
This paper gives you a better understanding of what a Security Policy is and how important it can be.
Federal Systems Level Guidance for Securing Information Systems
James Corrie - October 31, 2003
This paper describes federal systems level guidance for securing information systems.
Developing Security Policies For Protecting Corporate Assets
Jasu Mistry - October 31, 2003
The paper focuses on some aspects of a security policy with an aim to protect assets from risk.
Developing Effective Information Systems Security Policies
Daniel Lee - October 31, 2003
This paper takes a top-down approach and provides a high-level overview for developing effective information systems policies.
Technical Writing for IT Security Policies in Five Easy Steps
Patrick Lindley - October 31, 2003
This paper points new policy technical writers in the right direction and provides a solid foundation from which to start.
Congratulations to the New Security Manager
Nancy Carpenter - October 31, 2003
The job of a Computer Security Manager is very complex, a role that is evolving as our technology advances and this paper outlines some general requirements, information resources and examples to help you get started.
Security Policy Roadmap - Process for Creating Security Policies
Chaiw Kee - October 31, 2003
This paper presents a systematic approach in developing computer security policies and procedures, along with a discussion on Policy Life Cycle.
Impact of HIPAA Security Rules on Healthcare Organizations
Tim Ferrell - October 31, 2003
This paper focuses on the impact of the Security rules as mandated by HIPAA regulations for healthcare organizations that transmit or posses protected health information.
No Budget, No Policy: Leading the Bull by the Nose or Thank God for the Cisco IOS Firewall Feature S
Richard Haynal - October 31, 2003
This paper describes how I converted our perimeter router into a stateful firewall.
When Policies that have 'Always Worked', Don't or "The Mask of the Code
Rich Parker - October 31, 2003
This paper outlines a failure of our 'human systems' due to a limitation in our thinking about our procedures that could easily have had catastrophic results.
Systems Maintenance Programs - The Forgotten Foundation and Support of the CIA Triad
Farley Howard - October 31, 2003
A well engineered maintenance program that takes advantage of correlations between maintenance procedures and the CIA Triad will not only assist in operational readiness, but can also provide an invaluable supplement and enhancement to any existing security program.
Security, It's Not Just Technical
Kevin Dulany - October 31, 2003
The goal of this paper is to introduce the need for an adequate information security policy within your respective workplace or organization.
Formulating a National Cryptography Policy: Relevant Issues, Considerations and Implications for Sin
Francis Goh - October 31, 2003
This paper provides insight into the relevant issues, considerations and implications necessary for formulating an effective National Cryptography Policy, taking into account the protection of privacy, intellectual property, business and financial information, as well as the needs for law enforcement and national security.
Security Policies in a Global Organization
Gerald Long - October 31, 2003
This paper addresses the concept of creating a tiered structure Information Security Policy and a tiered approval structure, whereby some policies apply globally throughout the organization, and other policies apply to specific geographical, or regional entities.
The Use of Case Law in Negotiating the Acceptance of Post Secondary Computer Policies
George Koszegi - October 31, 2003
This author provides a compelling argument to facilitate cooperation and compliance of adopting a policy scheme that will act as the first line of defense for organizations and provides a framework for the development of Acceptable Use Computer Policies.
A Preparation Guide to Information Security Policies
David Jarmon - October 31, 2003
This paper introduces basic concepts, common security threats, and key components necessary to facilitate the process of developing a Security Policy.
One Approach to Enterprise Security Architecture
Nick Arconati - October 31, 2003
This paper discusses an approach to Enterprise Security Architecture, including a security policy, security domains, trust levels, tiered networks, and most importantly the relationships among them.
Defining Policies Using Meta Rules
Dan McGinn-Combs - October 31, 2003
This paper seeks to initiate a discussion on how to design and implement security policies within a company.
Deception: A Healthy Part of Any Defense in-depth Strategy
Paul Anderson - October 31, 2003
This paper will define and discuss the major components of a multi-layered defense with special emphasis on security policies and their framework, how it can be used by the defender, deception tools used in a defensive strategy, and it's role in a multi-layered defense.
Sensitive But Unclassified
Andrew Helyer - October 31, 2003
In this report, one will learn about the differences between classified and unclassified information and about the many names by which sensitive information may be labeled.
Developing Security Policies: Charting an Obstacle Course
Rosemary Sumajit - October 31, 2003
This paper discusses the issues faced by those at my educational institution in trying to develop security policies.
Building and Implementing an Information Security Policy
Martyn Elmy-Liddiard - October 31, 2003
This paper describe a process of building and, implementing an Information Security Policy.
Peer-to-Peer File-Sharing Networks: Security Risks
William Couch - October 31, 2003
The rise and evolution of the peer-to-peer (P2P) file-sharing networks and some of the reasons for their popularity are introduced in this paper, along with the security implications to users' computers, networks, and information.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
All papers are copyrighted. No re-posting or distribution of papers is permitted.