? about policies for security admins.

  1. #1
    Junior Member
    Join Date
    Sep 2002
    Posts
    12

    Question ? about policies for security admins.

    I work for a financial institution and we are required to maintain policies for everything from Data Encryption standards to Acceptable VPN and Wireless usage. I recently was asked by auditors to provide some sort of evidence that my users had read and accepted every policy that pertains to them. Of course this is going to be a big pain in the butt.

    How do you all handle policy distribution and make sure that everyone that needs to read a certain policy has read, understands and has accepted it? I was thinking about developing an intranet application to help with this, but was wondering if there was already a similar solution available out there?
    Don't hate the player... Hate the game!

  2. #2
    I'd rather be fishing (DjM)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Once a year every employee has to sign a "Code of Ethics" document. This document references all applicable policies; by signing the Code of Ethics, you are agreeing that you have read all relevant policies and accept all terms and conditions.


    Cheers:
    DjM

  3. #3
    Super Moderator: GMT Zone (nihil)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Yes, there is a marvellous tool out there... it is called the payroll.

    They get a payslip at least once a month? They all have a box for messages? You need to set up an intranet page with a form that they either sign electronically or print and sign manually.

    The message on the payslip is simple: "sign up by XXXXXXXX or you will not see another one of these".

    You can also provide pop-up reminders when they log on, until they have complied and are taken off the list.

    If they are external auditors then you have no problems if your EVP Finance is on your side... your corporation's fees are more important than your policies... fire them at HR... they are the ones who employ the crooks in your department?

    None of this will prevent another Enron

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones... you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Aren't auditors fun?

    We have to maintain similar documents, but we don't have the same level of stress over it as financial institutions. In any case, HR is required to provide the documents, and the time to review them, to the new employee. That covers you for the first exposure. However, with updates, changes and new policy, how do you get that across to employees and prove that you did it?

    Nihil's idea of payroll/web/intranet tools makes a lot of sense. If an employee of a financial institution isn't paying attention to IT and org policy, then that employee needs to find another job in another industry.

    Just my nickel's worth, as opposed to nihil's tuppence.

    With the exchange, that's about the same.


  5. #5
    Senior Member (Zonewalker)
    Join Date
    Jul 2002
    Posts
    949
    Mmm... I don't know about anyone else, but the major stumbling block we have come across is the fact that it is relatively easy to change records if they are kept electronically. Our company regularly gets inspected by the FDA, BSI and a few others. The FDA and BSI have insisted that we keep paper copies of our training records (these include agreeing to and adhering to relevant company policies), signed by the relevant employees, and that they are kept up to date. I would love to have our records kept electronically on a permanent basis (it would get rid of so much paper). I know there are ways to show that a file has not been altered, but not all regulatory bodies are quite so quick on the uptake of digital media. I'm wondering if you will face similar problems, seeing as you work for a financial institution.

    Z
    Quis Custodiet Ipsos Custodes

  6. #6
    Member
    Join Date
    Oct 2002
    Posts
    30
    Hi there Slim and the rest of you. We (me and Nihil among others) had a similar discussion a little while back here at AO. The thread is located here if you want to take a look. Who knows, you might find something of interest if you're lucky.
    Laters folks
    [shadow] Nobody's perfect, but I'm damn close...[/shadow]

  7. #7
    Senior Member (RoadClosed)
    Join Date
    Jun 2003
    Posts
    3,834
    Case in point for a quick fix. This is tough, but it worked. I e-mail an acceptable use policy to the entire company. State that without this policy the company, and your user data, is at great and terrible risk from hackers. Make it sound sincere and scare them.

    Then state, if I do not have a signed copy printed and mailed back to me within 15 days, network access will be suspended. Of course you have to have a written policy to back it up. Here's some ...

    http://www.sans.org/resources/policies/#template

    Or here, if you want an entire system already typed in native Word formats. Expensive, but worth the man-hour costs.

    http://www.amazon.com/exec/obidos/tg...24868?v=glance

    OR

    http://www.alexinformation.com/books...store?openform

    Alex has some good stuff but is expensive, and their telemarketers will drive you nuts. It may get you up to speed fast, though...

  8. #8
    Member
    Join Date
    Sep 2001
    Posts
    37
    Following on from the advice above, we too only allow access to the network if employees sign up to our Security Policies document. In the first instance, a username and password is not supplied by the SysAdmin until they have received a signed copy of the document from the employee. Thereafter, they have to re-sign every 6 months. Failure to do so within two weeks results in the suspension of their access to the network until a signed declaration is received. To ease this, we allow electronic copies of the document to be circulated (via either email or intranet), but a paper copy of the declaration (one single A4 sheet) must be signed by the user and returned to the SysAdmin. This keeps the paper down to a minimum while complying with audit requirements.

    Cheers all.

  9. #9
    Fastest Thing Alive (s0nIc)
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    Hmm, or you can always do what I did. I just wrote up a 1-page contract which pretty much covers things in GENERAL, and a booklet which goes through things in detail. Give everyone a copy of each, have them sign the contract and they keep the booklet. Of course I did the documentation; I guess you can always hire someone to do the documentation, but if you are doing the implementation of the policies, you'd better do it yourself.

  10. #10
    Member
    Join Date
    Dec 2003
    Posts
    59
    In case anyone hasn't taken a look at this book, it is a great investment.

    "Information Security Policies Made Easy"

    It's pretty expensive, around $800, but it'll save your job in the long run.
