Security Basics mailing list archives
RE: in-to-out security
From: "Joe George" <j.george () conservation org>
Date: Wed, 29 Mar 2006 10:54:30 -0500
Great! Thanks for all your feedback. I think I have enough information from the security community to get something going. The risk assessment suggestion would probably prove to be the best place to begin. I think his managers need to know in a language they understand as to the dangers of not having at least some policy in place. Just like Kenton mentioned, it is a starting point toward a security plan. Take care, Joe -----Original Message----- From: Kenton Smith [mailto:listsks () yahoo ca] Sent: Tuesday, March 28, 2006 6:00 PM To: Joe George; security-basics () securityfocus com Subject: Re: in-to-out security --- Joe George <j.george () conservation org> wrote: <snip>
1. Was I right to suggest this rather than help my colleague look for an app/training solution?
Yes, I would never agree to secure someone's network without there being applicable policies in place first. If there is no policy you have no starting point from which to come up with a security plan.
2. How would you convince an obviously passive CTO to do the right thing?
Check the law. I know you've asked this further on but this may be the only way to get through to this guy. The only other thing I can think of is that if they expect their employees to trust and respect management, then management has to do the same thing in return. Tell them what you're doing up front. The people who are really against it might quit, but the ones left behind are probably the ones who are already using the company's resource properly.
3. If such an application/training exists, can you suggest something?
There are many companies that offer both software and training programs in user awareness. I don't know any off-hand but Google will find a bunch.
4. Is it legal to implement user-monitoring without informing the staff? This is where I think policy
This would be something that he'd have to investigate. I am not a lawyer and the laws vary from state-to-state. I'd be very surprised though if there isn't a precident saying that you at least have to tell people you're monitoring them. Kenton __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- in-to-out security Joe George (Mar 28)
- Re: in-to-out security ilaiy (Mar 29)
- RE: in-to-out security David Gillett (Mar 29)
- Re: in-to-out security Kenton Smith (Mar 29)
- <Possible follow-ups>
- RE: in-to-out security Jordan.Dallas (Mar 29)
- RE: in-to-out security Beauford, Jason (Mar 29)
- RE: in-to-out security Joe George (Mar 29)