Educause Security Discussion mailing list archives
Re: Outsourcing security scanning (internal and external)
From: Greg Francis <francis () GONZAGA EDU>
Date: Fri, 7 Oct 2005 08:32:55 -0700
We don't currently follow any model for information security. Up until now we have had a very loose security policy, with most of it being completely undocumented. Our work on security tends to be reactive rather than proactive, with any significant changes coming as a result of negative events. Over the years that has created a loose plan, but it is far from comprehensive and very little of it is organized. Security emphasis has mostly been in those areas that we consider higher risk, but there are still many, many gaps to work on.

I think that the security scanning part is considered low-hanging fruit for us because it can be blanketed across the network with little concern for the device being evaluated. It might help us identify things that are currently on the network that we might not even know are there. Plus, it creates a nice tidy report that makes some upper management people. I wish that wasn't a huge concern, but we have a set of trustees on the technology committee that think they know everything about everything, and that has created major pressure on the technology staff to prioritize things in perhaps a less than optimal order.

Our work with Nessus has had its ups and downs. It has primarily been a work-study project. This year's work-study has already made tremendous strides in the reporting that is coming out of it, and I expect to see a lot more improvement over the next month.

One of my other admins and I are spending a lot of time collecting information on security policy and models. It's tough, though, when your life is spent going from one project to the next with security just being one of the many. Fortunately, some progress is being made.

I appreciate your willingness to answer questions on this list. No doubt it will prove to be a valuable addition to the information we collect.

Thanks,
Greg

On Fri, 7 Oct 2005, Sarah Stevens wrote:
Dear Greg,

Why are you wondering about whether or not your current scanning program is effective? Do you have a model that you follow for information security within your organization (i.e. NIST 800 Series, COBIT, ISO 17799)?

I would recommend that, before you arbitrarily decide to scan once per month, you conduct a risk assessment to see the extent of your vulnerabilities. NIST provides a great model with questions that will help you determine the risk of each system. (It's meant for government, so there will be some emphasis on classified systems, but if you do not have "classified" information, you generally do not have to worry about those particular controls.) Once you have rated your systems based upon risk and exposure, you can create a plan that includes which systems need to be scanned at what frequency.

I want to be upfront and tell you that I own a company that performs risk assessments and vulnerability scanning. We prepare the system security packages using NIST as described above for many of our clients. However, many of our clients are able to do this analysis for themselves with minimal or no assistance. The model that we use for scanning is not based upon the number of systems to scan. Rather, we base it upon a hybrid approach that looks at what particular kinds of systems you have, as well as a variety of other factors.

So, as always, I am willing to help you with any questions that you may have concerning the process. I will help you find the NIST documents that you need if you decide to go that route, or whatever else you need. I consider my time on the boards answering questions my "public service" time, and my efforts are focused simply on improving the information security infrastructure of all of our country's information systems. With this being said, I am happy to give you as much free advice as you need.

Sincerely,
Sarah E Stevens, CISSP, CISM, GCIH
President, Stevens Technologies, Inc
--
Greg Francis
Gonzaga University
Sr. System Administrator
Spokane, Washington
francis () gonzaga edu
509-323-6896