On Thu, Mar 11, 2004 at 12:48:07PM -0800, Hallam-Baker, Phillip wrote:
Hadmut, it is a policy. It is not authorization in this context. The
record is there because someone was authorized to put it there but it
is not authorization data as far as I am concerned.
...
Alan is not entirely consistent with the language that has been
developed by the field but he is a lot closer.
Let's have a look at definitions found with google:
http://www.securityfocus.com/infocus/1193
The nicest definition for 'policy' that I could find is from
the American Heritage Dictionary of the English language. It
reads:
"A plan or course of action, as of a government, political
party, or business, intended to influence and determine
decisions, actions, and other matters"
In practical security terms, I define a policy as a published
document (or set of documents) in which the organization's
philosophy, strategy, policies and practices with regard to
confidentiality, integrity and availability of information and
information systems are laid out.
http://www.counterintrusion.com/images/What%20is%20a%20policy.htm
A policy establishes who is authorized to access different
types of information, and points to standards and guidelines
regarding how much and what kinds of security measures are
necessary. Procedures provide the method for implementing
those standards and guidelines in order to carry out the
established policy.
http://rusecure.rutgers.edu/sec_plan/pandp.php
A policy is a document that makes a specific statement
requiring that a rule must be met. They are usually
point-specific, covering a single area. Policies should be
general in nature and not have to be updated on a regular
basis.
http://www.tolerantsystems.org/ITS_Ref/Carl_Landwehr.ppt
What is a policy?
A high-level overall plan embracing the general goals and
acceptable procedures of a body (Merriam Webster)
http://www.cap.nsw.edu.au/small_schools_manual/policy_writing.htm
What is a Policy?
A policy consists of a statement of purpose and one or more
broad guidelines as to how the purpose is to be achieved
which, when taken together, provide a framework for the
operation of the school or program. The guidelines specify in
general terms, the kind of action which will or may be taken;
they imply an intention and a pattern for taking action.
http://www.csd.uwo.ca/~kedwards/policy/policydef.html
[lengthy definitions]
http://www.snia.org/apps/group_public/download.php/1632/What_is_Security_Policy.pdf
A set of documents that describes, at a high level, the
security controls that will be implemented in the company.
A set of rules that state which actions are permitted
and which actions are prohibited.
http://www.checkpoint.com/products/smallbusiness/smallbusiness_networkingfaq.html
What is a security policy?
Broadly speaking, a security policy is a collection of
practices and rules (for example, you must change your
password every three months) that help a business ensure that
its electronic information assets remain secure.
A firewall implements the rules from the security policy (for
example, it checks that network users have provided the
correct password) and determines what network communications
are allowed to pass from one network to another.
http://whatis.techtarget.com/definition/0,,sid9_gci887248,00.html
In business, a security policy is a document that states in
writing how a company plans to protect the company's physical
and information technology (IT) assets. A security policy is
often considered to be a "living document", meaning that the
document is never finished, but is continuously updated as
technology and employee requirements change.
http://www.windowsecurity.com/articles/Defining_a_Security_Policy.html
Well, a policy would be some form of documentation that is
created to enforce specific rules or regulations and keep a
structure on procedures. Here, in the context of
"security", it is simply a policy based around
procedures revolving around security. Think of any other kind
of policy: a disaster recovery policy is a set of
procedures, rules and plans revolving around having a disaster
and how to recover from it. Security policies are much the
same.
http://www.digitaldefence.ca/Professional_Policy_FAQs.htm
An Information Security policy is a high-level statement of
an organization's beliefs, goals and objectives, and the
general direction for their attainment as it pertains to
protecting corporate data and the infrastructure used for
handling it. A policy is brief and never states
'how' to accomplish the objectives; instead, it
delivers a strategy that is consistent over time and is
capable of addressing organizational, procedural, and
technical changes. Overall the policy must define the place
that information security plays in supporting the mission and
goals of the institution.
http://www.hudsonbusiness.net/security/security_policy.html
A security policy is: a document that contains management's
directives that define the role of security in an
organization. It determines how an organization will set up and
administer its security program. It dictates security goals
and objectives, assigns roles and responsibilities, it defines
the value of the security program, and details how the
security policy will be implemented and enforced.
http://www.hkcert.org/faq/security_pb.html#q5
Security policy sets the basic mandatory rules and principles
on information security. It should be observed throughout an
organization and should be in accordance with your security
requirements and organization's business objectives and
goals.
http://www.cs.purdue.edu/homes/clifton/cs526/policy.ppt
What is a security policy?
Defines what it means for a system to be secure
So I still stick to my definition:
Identity        Sending MTA's IP address
Authentication  Verifying the Identity (TCP sequence numbers)
Authorization   Domain owner's statement
Policy          Receiving MTA's way to treat messages with or
                without Signature, LMAP authorization, or from
                domains without LMAP record, or DNS server down
regards
Hadmut
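The four-way split in the table above (identity, authentication, authorization, policy) can be made concrete as a receiving MTA's decision function. The following is an added illustration, not code from this thread or from any LMAP implementation: the domain owner's statement (authorization) is looked up in a constructed stand-in for DNS, and two different receivers apply their own policy tables to the same authorization outcome. Record format, domain names, IP ranges and the action names are assumptions made for the example; real LMAP/SPF record syntax and signature verification are not modelled.

```python
"""Added example: keeping identity, authentication, authorization and
policy apart in a receiving MTA.

  Identity       - the sending MTA's IP address (the TCP peer)
  Authentication - taken as verified by the TCP handshake, so it is not
                   re-done here
  Authorization  - the domain owner's LMAP statement about that IP
                   (constructed stand-in for a DNS lookup)
  Policy         - the receiver's own decision for each authorization
                   outcome, including "no record" and "DNS server down"
"""
from enum import Enum
from ipaddress import ip_address, ip_network


class Authorization(Enum):
    """Possible outcomes of the domain owner's statement (assumed names)."""
    PASS = "pass"              # domain owner lists the sending IP
    FAIL = "fail"              # domain owner's record does not list it
    NONE = "none"              # domain publishes no LMAP record
    TEMPERROR = "temperror"    # DNS server down / lookup failed


class Action(Enum):
    """What the receiving MTA does with the message (assumed names)."""
    ACCEPT = "accept"
    ACCEPT_TAGGED = "accept-tagged"   # deliver, but mark for later filtering
    DEFER = "defer"                   # 4xx: ask the sender to retry later
    REJECT = "reject"                 # 5xx: refuse the message


# Constructed stand-in for DNS. A list means "record published with these
# networks", None means "no record", DNS_DOWN simulates a failed lookup.
DNS_DOWN = object()
LMAP_RECORDS = {
    "example.com": ["192.0.2.0/24"],
    "example.org": None,
    "example.net": DNS_DOWN,
}


def lookup_authorization(domain, sender_ip):
    """Authorization: the domain owner's statement about sender_ip."""
    record = LMAP_RECORDS.get(domain)
    if record is DNS_DOWN:
        return Authorization.TEMPERROR
    if record is None:
        return Authorization.NONE
    ip = ip_address(sender_ip)
    if any(ip in ip_network(net) for net in record):
        return Authorization.PASS
    return Authorization.FAIL


# Policy: the receiver's choice. Two receivers may decide differently even
# though identity, authentication and authorization are identical.
STRICT_POLICY = {
    Authorization.PASS: Action.ACCEPT,
    Authorization.FAIL: Action.REJECT,
    Authorization.NONE: Action.ACCEPT_TAGGED,
    Authorization.TEMPERROR: Action.DEFER,
}
LENIENT_POLICY = {
    Authorization.PASS: Action.ACCEPT,
    Authorization.FAIL: Action.ACCEPT_TAGGED,
    Authorization.NONE: Action.ACCEPT,
    Authorization.TEMPERROR: Action.ACCEPT_TAGGED,
}


def decide(policy, domain, sender_ip, signed=False):
    """Apply one receiver's policy to one message.

    A message whose signature the caller has already verified is accepted
    regardless of the LMAP outcome (the "with or without Signature" case);
    signature verification itself is assumed to happen elsewhere.
    Returns (authorization outcome, action) so both layers stay visible."""
    auth = lookup_authorization(domain, sender_ip)
    if signed:
        return auth, Action.ACCEPT
    return auth, policy[auth]


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.10"),
                       ("example.com", "198.51.100.1"),
                       ("example.org", "192.0.2.10"),
                       ("example.net", "192.0.2.10")]:
        auth, strict = decide(STRICT_POLICY, domain, ip)
        _, lenient = decide(LENIENT_POLICY, domain, ip)
        print(f"{domain:12} {ip:14} authorization={auth.value:9} "
              f"strict={strict.value:14} lenient={lenient.value}")
```

The point the table makes is visible in the output: the same sending IP and the same domain-owner statement lead to `reject` under one receiver's policy and `accept-tagged` under another's, and a DNS failure is an authorization outcome (`temperror`) that the policy, not the record, turns into a deferral.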