Security Basics mailing list archives

RE: Corporate Security Status


From: "Cronican, John" <JCronican () sempra com>
Date: Tue, 10 Feb 2004 10:54:30 -0800

Au contraire!
I must take a small but MAJOR exception to the e-mail below.  All of
James' suggestions are correct except one; I disagree with this sentence:
        "Your employer's opinion should have nothing to do with your
security policy, or any reporting of such."

There are two reasons I take exception with this statement.  
1. From a management perspective, you work for your boss and therefore
everything you do must consider his/her opinion.  Your job as an
employee is to inform and influence your employer.
2. From a Security perspective, your quarterly security review should be
based on security policy and associated security requirements.  Security
policy and associated security requirements should be explicitly
approved by the highest management levels of your employer.  Perform
your quarterly security review with respect to the approved security
policy and associated security requirements.  Then your employer's
opinion, especially with respect to risk decisions, is germane and
paramount.
Remember to document your employer's opinions.
John

John G. Cronican, Jr. (B.E.E., M.S.SM, CISSP, IAM)
Sr. Infrastructure Technologist
iProtect Sempra Energy
Sempra Energy Corporate Center & Sempra Energy Utilities
10949 Technology Place
San Diego, CA  92127
(858) 613-5738 (Desk)
(619) 787-1906 (Cell)
(619) 978-2493 (Pager)

JCronican () sempra com


-----Original Message-----
From: James Kivisild [mailto:james () kivisild com]
Sent: Monday, February 09, 2004 7:30 PM
To: security-basics () securityfocus com
Subject: RE: Corporate Security Status


I would like to develop a quarterly security review of
my company I can hand to my boss. Basically, I want to
create a one page high level summary of what we're
doing right and where we are lacking. Does anyone know
of any templates out there?

You're really opening up something here...basically, a lot of 
questions.  I think the biggest question you need to ask 
yourself is, what concerns your boss?  After all, don't you 
think it would be an incredible waste of effort for you to 
put in a great deal of work on something that your boss has 
no interest in?

Respectfully, I must disagree. Your employer's opinion should have
nothing to do with your security policy, or any reporting of such. You
need to create a report that is honest and accurate. Your report should
be as large as necessary. Don't skimp on details just to save space. If
you think it's important, include it in the report. You are, however,
correct in including a high level summary. This executive summary should
highlight the important findings and reference the details. If your boss
wants to read about the specifics, he or she should be able to easily
find them in the bulk of the report. If your executive summary doesn't
contain anything that warrants further attention, so be it; keep the
report for posterity and don't worry about the extra work. Don't do
yourself and your company a disservice by tainting the truth.

As for a standard template, I think that depends on the nature of your
business. Make a checklist of the security practices you should follow
for your industry, and report on how your company deviates from ideal
conditions. As far as protecting your company from generic Internet
based vulnerabilities, determine what your servers are susceptible to,
and report as necessary.

If you don't report something and it bites you in the butt, isn't it
YOUR job on the line?

Regards,
James Kivisild



---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------

