Who rules your IT Policy world?
Posted 02-23-2010 at 04:05 AM by hdawg
I've been working with several customers recently where discussions about IT Policy have come up. Some of the questions that come up are:
What policies should we implement?
Should I require a password?
What about device encryption?
Do you allow people to use the web browser?
Should users access the carrier browser or force all connections through our BES?
For me, these are the easy questions to answer. The same people that decide what your password length has to be on your PC and when those passwords expire should be the ones that are giving you these answers. BES Admins shouldn't be making these decisions, unless of course you're also the security / policy admin.
In the enterprise, my question is "Who has access to assign / change the policies?". Do you let someone on the help desk make this change? Some people say yes, some say absolutely not. My personal opinion is that there needs to be a set of rules for how / who / when these things get changed. For any service desk process to function you need to clearly outline what fits into what bucket and who is responsible for what. The service desk shouldn't be making decisions about who has access to what ... should they?
How do y'all implement IT Policies? Who decides what the policy settings are? Who decides which people get which policy? Who decides when that policy can change?
Take a look at the attached BES 5.0 SP1 Policy Reference Guide. Specifically, look at the "Examples of security policy goals" section when you're trying to figure out which policies to use and how to implement them.
Comments (3)
Posted 02-23-2010 at 10:34 PM by Sith_Apprentice
Posted 02-24-2010 at 09:38 AM by hdawg
We have a Security & Risk unit who review the recommendations I suggest as the BES Admin. They either agree or disagree & then I set the IT Policies accordingly.
I totally agree with applying the same rules that exist with network user accounts e.g. password complexity, maximum password attempts, security timeout etc.
Posted 02-26-2010 at 12:45 AM by devans