Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Policies - Need them, sure, how do we get them approved?

As I was reading Deb's article yesterday about our need for policies, my first thought was yes, of course we need policies!  We are able to write all the policies we want, but how do we get them approved?  Do we break the policies down into smaller sections for faster approval?  Or do we publish one "Acceptable Use Policy" and hope that covers us with our employees?  Do we ask for volunteers for a policy committee?  Do we forget about setting standards and just get general network usage policies approved?

Policies, procedures and standards are necessary for multiple reasons.  One of the key reasons is to set the record straight for the users of our systems and our system administrators setting up the systems.  We need to set the limits on what they can and cannot do.  Do you even know where you stand?  Do you know what is "acceptable risk" for your organization?  Would you have the budget to put behind the policy if it were approved?

Remember to utilize your legal department and internal audit department (if you have them) as assistance in getting justification. We all know that being able to provide proper documentation plays a key role during litigation, outside attack or insider related. These people will help you get the ball rolling in the right direction, if you need help.

If and when you get your policy approved, how often should you revisit and revise?  Did you set these time tables into the policy or just thank the digital stars that you finally got sign off?  We would like to hear your policy battle stories.  Please send any lessons learned from your policy process to us here.  I'm looking forward to learning some new techniques.

Fair Winds,




Mari Nichols

76 Posts
Nov 24th 2007

Sign Up for Free or Log In to start participating in the conversation!