Security Basics mailing list archives
RE: Corporate Security Status
From: "Cronican, John" <JCronican () sempra com>
Date: Tue, 10 Feb 2004 10:54:30 -0800
Au contraire! I must take a small but MAJOR exception to the e-mail below. All of James' suggestions are correct except I disagree with this sentence: "Your employer's opinion should have nothing to do with your security policy, or any reporting of such."

There are two reasons I take exception with this statement.

1. From a management perspective, you work for your boss and therefore everything you do must consider his/her opinion. Your job as an employee is to inform and influence your employer.

2. From a security perspective, your quarterly security review should be based on security policy and associated security requirements. Security policy and associated security requirements should be explicitly approved by the highest management levels of your employer. Perform your quarterly security review with respect to the approved security policy and associated security requirements. Then your employer's opinions, especially with respect to risk decisions, are germane and paramount.

Remember to document your employer's opinions.

John

John G. Cronican, Jr. (B.E.E., M.S.SM, CISSP, IAM)
Sr. Infrastructure Technologist
iProtect
Sempra Energy
Sempra Energy Corporate Center & Sempra Energy Utilities
10949 Technology Place
San Diego, CA 92127
(858) 613-5738 (Desk)
(619) 787-1906 (Cell)
(619) 978-2493 (Pager)
JCronican () sempra com

-----Original Message-----
From: James Kivisild [mailto:james () kivisild com]
Sent: Monday, February 09, 2004 7:30 PM
To: security-basics () securityfocus com
Subject: RE: Corporate Security Status
I would like to develop a quarterly security review of my company I can hand to my boss. Basically, I want to create a one page high level summary of what we're doing right and where we are lacking. Does anyone know of any templates out there?

You're really opening up something here... basically, a lot of questions. I think the biggest question you need to ask yourself is, what concerns your boss? After all, don't you think it would be an incredible waste of effort for you to put in a great deal of work on something that your boss has no interest in?
Respectfully, I must disagree. Your employer's opinion should have nothing to do with your security policy, or any reporting of such. You need to create a report that is honest and accurate. Your report should be as large as necessary. Don't skimp on details just to save space. If you think it's important, include it in the report.

You are, however, correct in including a high level summary. This executive summary should highlight the important findings and reference the details. If your boss wants to read about the specifics, he or she should be able to easily find them in the bulk of the report. If your executive summary doesn't contain anything that warrants further attention, so be it; keep the report for posterity and don't worry about the extra work. Don't do yourself and your company a disservice by tainting the truth.

As for a standard template, I think that depends on the nature of your business. Make a checklist of the security practices you should follow for your industry, and report on how your company deviates from ideal conditions. As far as protecting your company from generic Internet based vulnerabilities, determine what your servers are susceptible to, and report as necessary. If you don't report something and it bites you in the butt, isn't it YOUR job on the line?

Regards,
James Kivisild

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security.
Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php
---------------------------------------------------------------------------
Current thread:
- Re: Corporate Security Status, (continued)
- Re: Corporate Security Status Meritt James (Feb 09)
- Re: Corporate Security Status Steve (Feb 09)
- Security presentation Nagy Gergely (Feb 10)
- Re: Security presentation Kelly Martin (Feb 10)
- Re: Security presentation Hollis Johnson (Feb 10)
- RE: Security presentation Nagy Gergely (Feb 11)
- Security presentation Nagy Gergely (Feb 10)
- Re: Corporate Security Status H Carvey (Feb 09)
- RE: Corporate Security Status James Kivisild (Feb 10)
- Re: Corporate Security Status Stephen Flanagan (Feb 10)
- RE: Corporate Security Status James Kivisild (Feb 10)
- Re: Corporate Security Status Parisi, Robert (Feb 09)
- RE: Corporate Security Status Cronican, John (Feb 10)