Educause Security Discussion mailing list archives

Re: Survey on Survey / Technical Difficulties / Walking the Talk / Managing Risk


From: Jim Moore <jhmfa () CIS RIT EDU>
Date: Wed, 7 Aug 2002 13:33:05 -0400

Hello there.  Impatient me here.  I sent out a survey on Friday, on the
use of security baselines, standards, tools, awareness, and incident
handling.

I figured that it was a good use of what the University InfoSec
Professionals mailing list was for, as well as the Educause Security
mailing list.

But so far, I have only gotten responses from Univ of Wisconsin
(Madison), Columbia, and one other that asked for strict confidentiality.

This could be for several reasons.

1) There was technical difficulty at our end, with the mailer.  It has
had some problems recently, at the worst times. (Murphy's Law)  During
this survey was one of them.  To address this, I have a different mailer
at our end.  If you mailed a response to me previously, and are not one
of the above 3, please mail it again.  Please use the new address
jhmfa () cis rit edu.

2) You have an aversion to surveys.  I do too.  But this one is
important.  I think that you will see why.  In fact, if someone wants to
work with me to develop this into say, an annual survey, that would be
great.

3) We as information assurance professionals, who talk about
communicating and networking as well as the hackers, don't believe it.
Or our lawyers don't believe it.

>So I add a question, is the reason that you didn't respond to the
> survey because of fear of risks, or liability?

>Are there other risk management concerns that would prevent you from
> participating?

4) You are busy, and haven't gotten around to it.  If so, please do it
within the next week, and reply to this version to take the possibility
of technical difficulties out of the way.

Thanks

Jim

- - - - Original Survey  - - - -

< Confidentiality / Privacy of Information Supplied Questions moved to
the End of the Survey >

I would like to find out the following:

1) Do you have baselines or standards for the configuration of operating
systems security features?

If yes, is it a standard or a baseline?
  When did you start your development efforts?

Are you willing to share them (with attribution)?
  A URL?
  (Attachments?)

If yes, for which operating systems?
Windows 95/98/ME
Windows NT
Windows 2000
Windows XP

Linux
Do you differentiate between versions of Linux?

Redhat
Slackware
Debian
Caldera
Corel

Apple
OS9.x
OS X

Solaris
7
8
9

Other

Do you have other security related standards/baselines?
(URLs if you are willing to share)
Firewalls
IDS
Web server configuration
Mail server/relay configuration
Wireless networking

If you don't have standards or baselines, do you offer configuration
guidelines to your campus?

Do you offer the SANS Step By Step guides?
Windows 2000
Solaris

Do you offer security tools?
Anti-Virus
Personal Firewall
Other

Which of the tools that you supply, do you support?


My last question is not related to configuration but incident handling.
Do you have an incident handling procedure documented?
Is it tied to a policy or standards?
Is it implemented with tools?

- Confidentiality of Survey questions -

Do you want to respond but have the information kept absolutely
confidential?

Do you want survey information de-identified?

If you supply URLs or attachments that are public information, do you
also want those references removed?

Are you willing to have this published in RIT documentation (as references)?

Do you want the summary of this published back to this list?


Thanks for your time!!!

Jim
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950
Cell:      (585)233-3802

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
