Educause Security Discussion mailing list archives

Re: Outsourcing security scanning (internal and external)


From: Greg Francis <francis () GONZAGA EDU>
Date: Fri, 7 Oct 2005 08:32:55 -0700

We don't currently follow any model for information security. Up until now
we have had a very loose security policy with most of it being completely
undocumented. Our work on security tends to be reactive rather than
proactive with any significant changes coming as a result of negative
events. Over the years that has created a loose plan but far from being
comprehensive and very little of it being organized. Security emphasis has
mostly been in those areas that we consider higher risk but there are
still many, many gaps to work on.

I think that the security scanning part is considered low hanging fruit
for us because it can be blanketed across the network with little concern
for the device being evaluated. It might help us identify things that are
currently on the network that we might not even know are there. Plus, it
creates a nice tidy report that makes some upper management people happy. I wish
that wasn't a huge concern but we have a set of trustees on the
technology committee that think they know everything about everything and
that has created major pressure on the technology staff to prioritize
things in perhaps a less than optimal order.

Our work with Nessus has had its ups and downs. It has primarily been a
work-study project. This year's work-study student has already made tremendous
strides in the reporting that is coming out of it and I expect to see a
lot more improvement over the next month.

One of my other admins and I are spending a lot of time collecting
information together on security policy and models. It's tough though when
your life is spent going from one project to the next with security just
being one of the many. Fortunately, some progress is being made.

I appreciate your willingness to answer questions on this list. No doubt
it will prove to be a valuable addition for the information we collect.

Thanks,
Greg

On Fri, 7 Oct 2005, Sarah Stevens wrote:

Dear Greg,

Why are you wondering about whether or not your current scanning
program is effective?  Do you have a model that you follow for
information security within your organization?  (i.e. NIST 800 Series,
COBIT, ISO17799) I would recommend that before you arbitrarily decide
to scan once per month, that you conduct a risk assessment to see the
extent of your vulnerabilities.  NIST provides a great model with
questions that will help you determine the risk of each system.  (It's
meant for government, so there will be some emphasis on classified
systems, but if you do not have "classified" information, you
generally do not have to worry about those particular controls.)  Once
you have rated your systems based upon risk and exposure, you can
create a plan that includes which systems need to be scanned at what
frequency.

I want to be upfront and tell you that I own a company that performs
risk assessments and vulnerability scanning.  We prepare the system
security packages using NIST as described above for many of our
clients.  However, many of our clients are able to do this analysis
for themselves with minimal or no assistance.

The model that we use for scanning is not based upon number of systems
to scan.  Rather, we base it upon a hybrid approach that looks at which
particular kinds of systems you have, as well as a variety of
other factors.

So, as always, I am willing to help you with any questions that you
may have concerning the process.  I will help you find the NIST
documents that you need if you decide to go that route, or whatever
else you need.  I consider my time on the boards answering questions
my "public service" time and my efforts are focused simply on
improving the information security infrastructure of all of our
country's information systems.  With this being said, I am happy to
give you as much free advice as you need.

Sincerely,

Sarah E Stevens, CISSP, CISM, GCIH
President
Stevens Technologies, Inc

--
Greg Francis                                Gonzaga University
Sr. System Administrator                    Spokane Washington
francis () gonzaga edu                         509-323-6896
