Re: survey of isp security practices



On Tue, 9 Nov 2004 09:01:04 -0500, Howard C. Berkowitz <hcb@gettcomm.com> wrote:

> 
> Under section 6, logging, redundancy and physical distribution of log
> storage devices, as well as physical security and other integrity for
> these devices.

Explicitly out of scope:

  o  general purpose hosts that do not transit traffic including
      infrastructure hosts such as name/time/log/AAA servers, etc.,

> 
> Under section 9, policy and procedures, I'd put several issues:
>     Acceptable Use Policies (to include permissible ports)
>     Dealing with the top management problem that auditors like
> security and operations to be separate
>     Announcement/enforcement of user system patch policies
>     Coordination with peers and vendors; legal framework for
> disclosing sensitive information in the interest of mutual problem
> resolution; keeping one's sales force from making inappropriate or
> premature comments.
>     NOC and IRT communications channels, intended for a closed
> community as well as for selected problem notification
>     Coordination with national critical infrastructure bodies,
> including restoration priority for NOC/IRT facilities

As much as I agree that these things should be documented, I think they
are starting to stray out of scope "...a list of capabilities...". Of course
you're free to disagree, propose mods to the scope or write a draft anyhow...

I agree about the need for a routing section.

Thanks,
---George Jones