Security Basics mailing list archives

RE: Law office recommendations?


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Tue, 18 Feb 2003 11:27:52 -0000

Hello Tim,

I re-drafted my reply several times on this one.  Firstly, I hope it
stays because it is a good topic. Anyway, I would say go with the
standards guideline ISO17799
(http://www.certificationeurope.com/isms.htm and other sites), which
gives you a baseline to work with that is internationally recognised.
It also gives you a standpoint if challenged.  What am I saying?

"My opinion is you don't want a customer thinking your report is simply
your opinion on what is a secure environment.  Certainly go beyond the
standards where you see fit, but have reached a baseline for your
customer.  That way, worst case scenario, they challenge your work and
you can refer back to a recognised standard. The risk analysis is easy
this way as you simply look for what controls from the standard they do
not have in place."

One thing I would like to point out is that the ISO17799 standard, or the
BS7799/ISO17799 certification that can be achieved, can be for PART of a
company, or a department in a company, or even a service the company
provides.  One building even is enough.  You scope the area for
certification; it does not have to be the whole building or the whole
company.  Do look further than the ISO17799 guidelines if you are
considering certification; refer to your local certification body such
as Certification Europe (http://www.certificationeurope.com).  In your
case, Tim, your customer may benefit greatly from achieving the standard
and will be very happy with you for getting them to that level.

I hope this helps and is relevant to you.


Trevor Cushen
Sysnet Ltd

www.sysnet.ie




-----Original Message-----
From: Tim Heagarty [mailto:tim () heagarty com] 
Sent: 17 February 2003 17:36
To: security-basics () securityfocus com
Subject: Law office recommendations?


Hello,

I wish to pick the collective brain for a moment if I may.

I am working up an initial service quote for a law office of 100+
associates and 45+ attorneys. Do you have any recommendations of areas
to be sure to get into the Risk Analysis? They've already been hit by
Slammer and a script kiddie "pubber". I just want to be on my toes, as I
have not worked for attorneys before, and all those sharks in the water
make me want to do this one really well.

Also, if there's a more appropriate list for this I'd be glad to move
this discussion to it.

Thanks everyone,

Tim Heagarty MCSE, MCP+I
"There are only 10 kinds of people in the world, those that understand
binary, and those that don't."
Work: (928) 636-0489
Cell: (928) 533-9690
