SANS InfoSec Reading Room - Security Policy Issues

<<Reading Room Home
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Secunia_yearly_report

Featuring 50 papers as of Jun 19, 2013
PDF Corporate vs. Product Security
By: Philip Watson (posted on June 3, 2013)
When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.
PDF Information Risks & Risk Management
By: John Wurzler (posted on May 1, 2013)
In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.
PDF Recovering Security in Program Management
By: Howard Thomas (posted on October 3, 2012)
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
PDF Net Neutrality, Rest in Peace
By: James Mosier (posted on October 11, 2011)
No one would argue that the Internet has become an instrumental part of society. With broad- band access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.
PDF Reducing the Risks of Social Media to Your Organization
By: Maxwell Chi (posted on September 1, 2011)
Social media is "the internet and mobile technology based channels of communication in which people share content with each other. Examples are social networking sites such as Facebook and Twitter." (Financial Times Lexicon, 2011).
PDF Scoping Security Assessments - A Project Management Approach
By: Ahmed Abdel-Aziz (posted on June 7, 2011)
Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.
PDF Which Disney© Princess are YOU?
By: Joshua Brower (posted on March 18, 2010)
Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnaires—be it a knock on the door to answer a survey for a “census” worker, or a “harmless” quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
PDF Understanding the Importance of and Implementing Internal Security Measures
By: Michael Durgin (posted on September 27, 2007)
PDF Risks and Rewards of Instant Messaging in the Banking Sector
By: Nicholas Rose (posted on June 13, 2005)
This paper seeks to explain these risks and to recommend current best practice for addressing them. This is to block all of these services at the proxy servers using a blocking product and then to selectively allow properly controlled and authorized IM and P2P services to take place through an IM enabling gateway.
PDF Security In An Open Environment Such As A University?
By: Carol Templeton (posted on May 5, 2005)
This paper will discuss a definition, the needs, and the goals of an open environment like a university; examine a process of developing an authorized framework and team for university information security; present some of the attitudes and perspectives that can help or hinder security implementation, as revealed through personal experience; and identify security resources that can be used for effective information security development and improved security perspectives.
PDF Information Security Policy - A Development Guide for Large and Small Companies
By: Sorcha Diver (posted on March 2, 2004)
Elements that need to be considered when developing and maintaining information security policy. This SANS whitepaper goes into the design for a suite of information security policy documents and the accompanying development process.
PDF Protecting Your Corporate Network from Your Employee's Home Systems
By: Todd Rosenberry (posted on February 9, 2004)
In addition to the protection provided by a strong perimeter firewall, implemented by security conscious corporations, the challenge of security becomes much greater when employee home systems are allowed to access the corporate network via a Virtual Private Network (VPN).
PDF Leveraging a Securing Awareness Program from a Security Policy
By: Howard Uhr (posted on October 31, 2003)
This paper addresses the benefits of leveraging both a Security Awareness program and a Security Policy.
PDF Danger Within
By: Dennis Spalding (posted on October 31, 2003)
This paper addresses some technologies and procedures that can minimize the potential damage from internal and external malicious attacks, misconfiguration (vendor or administrator), and user ignorance.
PDF Creating an Information Systems Security Policy
By: Walter F. Patrick (posted on October 31, 2003)
This paper addresses the steps necessary for creating an Information Systems (IS) Security Policy.
PDF An Overview of Corporate Computer User Policy
By: Philip J. Kaleewoun (posted on October 31, 2003)
This paper will discuss what should be covered in a corporate computer user policy that sets the overall tone of an organization's security approach. The intended audience is primarily information technology professionals.
PDF Security considerations with Squid proxy server
By: Eric Galarneau (posted on October 31, 2003)
This paper will cover various security aspects and recommendations to improve Squid's overall security during its installation time.
PDF The social approaches to enforcing information security
By: Roger Gilhooly (posted on October 31, 2003)
This paper focuses on enforcing information security using social approaches in the business environment.
PDF Security Process for the implementation of a Companys extranet network
By: Kirk Steinklauber (posted on October 31, 2003)
This paper explores the development of the security process required to build an effective standard policy to cover a company's network perimeter.
PDF Acceptable Use Policy Document
By: Raymond Landolo (posted on October 31, 2003)
This paper provides an example of an acceptable use policy for information resources.
PDF Developing a Security Policy - Overcoming Those Hurdles
By: Chris Wan (posted on October 31, 2003)
This paper describes the real -life experiences involved in developing a security policy and gaining its endorsement in a medium sized company.
PDF Guidelines for an Information Sharing Policy
By: Chris Gilbert (posted on October 31, 2003)
This paper presents a set of guidelines which may be used in the creation of an Information Sharing Policy for small organizational units.
PDF Security Policies: Where to Begin
By: Laura Wills (posted on October 31, 2003)
The intent of this paper is to guide you through the process and considerations when developing security policies within an organization; however it will not attempt to write the initial policies.
PDF Creating an IT Security Awareness Program for Senior Management
By: Robert Nellis (posted on October 31, 2003)
This paper will present an approach to creating and deploying a security awareness program with senior management as the intended audience.
PDF Development of an Effective Communications Use Policy
By: Tim O' Neil (posted on October 31, 2003)
This paper identifies the most common elements of an effective Communications Use Policy, discusses why these elements are necessary and offer guidance in the furtherance of having a successful policy.
PDF Social Engineering - For the Good Guys
By: James E. Keeling (posted on October 31, 2003)
This paper focuses on the importance of a good security policy, management buy-in, the security team and ways to promote compliance by the practical application of social engineering.
PDF Managing Internet Use: Big Brother or Due Diligence?
By: Steve Greenham (posted on October 31, 2003)
This paper describes the major risks of granting widespread Internet access along with suggestions to mitigate them.
PDF Security Policy: What it is and Why - The Basics
By: Joel S. Bowden (posted on October 31, 2003)
This paper gives you a better understanding of what a Security Policy is and how important it can be.
PDF Federal Systems Level Guidance for Securing Information Systems
By: James Corrie (posted on October 31, 2003)
This paper describes federal systems level guidance for securing information systems.
PDF Developing Security Policies For Protecting Corporate Assets
By: Jasu Mistry (posted on October 31, 2003)
The paper focuses on some aspects of a security policy with an aim to protect assets from risk.
PDF Developing Effective Information Systems Security Policies
By: RDaniel Lee (posted on October 31, 2003)
This paper takes a top-down approach and provides a high-level overview for developing effective information systems policies.
PDF Technical Writing for IT Security Policies in Five Easy Steps
By: J.Patrick Lindley (posted on October 31, 2003)
This paper points new policy technical writers in the right direction and provides a solid foundation from which to start.
PDF Congratulations to the New Security Manager
By: Nancy J. Carpenter (posted on October 31, 2003)
The job of a Computer Security Manager is very complex, a role that is evolving as our technology advances and this paper outlines some general requirements, information resources and examples to help you get started.
PDF Security Policy Roadmap - Process for Creating Security Policies
By: ChaiwKok Kee (posted on October 31, 2003)
This paper presents a systematic approach in developing computer security policies and procedures, along with a discussion on Policy Life Cycle.
PDF Impact of HIPAA Security Rules on Healthcare Organizations
By: Tim Ferrell (posted on October 31, 2003)
This paper focuses on the impact of the Security rules as mandated by HIPAA regulations for healthcare organizations that transmit or posses protected health information.
PDF No Budget, No Policy: Leading the Bull by the Nose or Thank God for the Cisco IOS Firewall Feature S
By: Richard Haynal (posted on October 31, 2003)
This paper describes how I converted our perimeter router into a stateful firewall.
PDF When Policies that have 'Always Worked', Don't or "The Mask of the Code
By: Rich Parker (posted on October 31, 2003)
This paper outlines a failure of our 'human systems' due to a limitation in our thinking about our procedures that could easily have had catastrophic results.
PDF Systems Maintenance Programs - The Forgotten Foundation and Support of the CIA Triad
By: C.Farley Howard (posted on October 31, 2003)
A well engineered maintenance program that takes advantage of correlations between maintenance procedures and the CIA Triad will not only assist in operational readiness, but can also provide an invaluable supplement and enhancement to any existing security program.
PDF Security, It's Not Just Technical
By: Kevin M. Dulany (posted on October 31, 2003)
The goal of this paper is to introduce the need for an adequate information security policy within your respective workplace or organization.
PDF Formulating a National Cryptography Policy: Relevant Issues, Considerations and Implications for Sin
By: Francis Chong Heng Goh (posted on October 31, 2003)
This paper provides insight into the relevant issues, considerations and implications necessary for formulating an effective National Cryptography Policy, taking into account the protection of privacy, intellectual property, business and financial information, as well as the needs for law enforcement and national security.
PDF Security Policies in a Global Organization
By: Gerald P. Long (posted on October 31, 2003)
This paper addresses the concept of creating a tiered structure Information Security Policy and a tiered approval structure, whereby some policies apply globally throughout the organization, and other policies apply to specific geographical, or regional entities.
PDF The Use of Case Law in Negotiating the Acceptance of Post Secondary Computer Policies
By: George B. Koszegi (posted on October 31, 2003)
This author provides a compelling argument to facilitate cooperation and compliance of adopting a policy scheme that will act as the first line of defense for organizations and provides a framework for the development of Acceptable Use Computer Policies.
PDF A Preparation Guide to Information Security Policies
By: David Jarmon (posted on October 31, 2003)
This paper introduces basic concepts, common security threats, and key components necessary to facilitate the process of developing a Security Policy.
PDF One Approach to Enterprise Security Architecture
By: Nick Arconati (posted on October 31, 2003)
This paper discusses an approach to Enterprise Security Architecture, including a security policy, security domains, trust levels, tiered networks, and most importantly the relationships among them.
PDF Defining Policies Using Meta Rules
By: Dan McGinn-Combs (posted on October 31, 2003)
This paper seeks to initiate a discussion on how to design and implement security policies within a company.
PDF Deception: A Healthy Part of Any Defense in-depth Strategy
By: Paul Anderson (posted on October 31, 2003)
This paper will define and discuss the major components of a multi-layered defense with special emphasis on security policies and their framework, how it can be used by the defender, deception tools used in a defensive strategy, and it's role in a multi-layered defense.
PDF Sensitive But Unclassified
By: Andrew Helyer (posted on October 31, 2003)
In this report, one will learn about the differences between classified and unclassified information and about the many names by which sensitive information may be labeled.
PDF Developing Security Policies: Charting an Obstacle Course
By: Rosemary Sumajit (posted on October 31, 2003)
This paper discusses the issues faced by those at my educational institution in trying to develop security policies.
PDF Building and Implementing an Information Security Policy
By: Martyn Elmy-Liddiard (posted on October 31, 2003)
This paper describe a process of building and, implementing an Information Security Policy.
PDF Peer-to-Peer File-Sharing Networks: Security Risks
By: William Couch (posted on October 31, 2003)
The rise and evolution of the peer-to-peer (P2P) file-sharing networks and some of the reasons for their popularity are introduced in this paper, along with the security implications to users' computers, networks, and information.
SANS Reading Room

The perfect balance of theory and hands on experience.
-James d. Perry II, University of Tennessee

Forensics 526

Latest Whitepapers

Web Application Injection Vulnerabilities: A Web App&#039;s Security Nemesis?
By Erik Couture

Electronic Medical Records: Success Requires an Information Security Culture
By Thomas Roberts

Analyzing Polycom&reg; Video Conference Traffic
By Chris Cain

Latest Tweets

#windowssecurity "Windows Security Course: Las Vegas in Sept [...]
June 7, 2013 - 5:47 AM

New Blog Post: Windows Memory Analysis In-Depth - Discount C [...]
June 7, 2013 - 12:37 AM

Save $500 through 6/12 on important cybersecurity courses at [...]
June 6, 2013 - 10:05 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"The amount of knowledge conveyed and technical diving by practical hands-on was well balanced."
- Aaron Moore, Maricopa County

"Just amazing content and instruction, it's really a 'must do' for any info sec professional."
- Mark Austin, PHH Mortgage

"SANS always provides you what you need to become a better security professional at the right price."
- Rasik Vekaria, BP