Security Basics mailing list archives

RE: Small business IT security


From: "Brian J. Bartlett" <security () navyonline us>
Date: Tue, 14 Nov 2006 14:53:05 -0800

Jonathan:

While I was serving in the US Navy, this was something we had to deal with
all the time, and you can imagine that we were deeply concerned with infosec.
As a field engineer that would require on-site access at the administrative
level, the policy was that I would have a separate administrative account at
whatever level was required with a password known only to me.  When I left
the site, the account would be deactivated.  This worked out to be the best
of all *possible* worlds for us roving field engineers since we knew what
our on-site password was (we shared one) yet it was unknown by site
personnel and the account was only active while we were on-site.  If
off-site access over the internet or dial-up access is required, that opens
up other issues which can be discussed.

[Actually, if I was on-site, there wasn't a d--- thing you could do to stop
me from taking your network, but we will ignore that issue for now.  My
toolsets have always been that good.  Remember this dictum: without physical
security, you have no security.]

-Bri
"The most deadly words for an engineer:  'I have an idea.'"
 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of jonathan () gatewaysa com
Sent: Saturday, November 11, 2006 2:30 PM
To: security-basics () securityfocus com
Subject: Small business IT security


Hi

I don't know if this is the correct place to post this. I am doing some work
for a small company with around 80 PCs. They don't have any in-house IT staff
and use an outside little computer dealer for all their work. These guys
look after everything from the PCs to the servers to the network. They
obviously have all the admin passwords etc. and if something needs to be
repaired they take it to their workshop where one of the technicians will
repair it. This IT shop also does work for one of the competitors as well as
a few customers.

I know all the security risks, but short of hiring someone in-house, what else
could be done to ensure their information security?

Thanks
Jonathan

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


