Security Basics mailing list archives

Information Security


From: "Geoff Choo" <geoff.choo () zonnet nl>
Date: Mon, 17 Dec 2007 00:59:24 +0100

Hi Charles,

I agree with the previous advice already provided to you. Securing the IT
environment will require a defense-in-depth approach that doesn't just
depend on a software tool, but that applies appropriate people, process and
technology controls to manage your information risks.

I would propose the following highly-simplified steps to get you up and
running in securing your IT environment:

1. If necessary, strengthen your IT security knowledge. I would recommend
reading the 60 minute network security guide from the NSA (The 60 Minute
Network Security Guide) as a start, then I would recommend attending the SANS
Security Essentials workshop.

2. Understand your IT environment and key assets by performing a business
impact assessment. (You can use the document 800-30 risk management guide
from NIST csrc.nist.gov/publications/PubsSPs.html)

3. Identify the key threats to and vulnerabilities in your IT environment
and key security issues by performing a risk assessment (You can use the
document 800-30 risk management guide from NIST
csrc.nist.gov/publications/PubsSPs.html) (e.g. using a vulnerability
assessment tool such as GFI LANguard or Nessus can be useful, but please be
careful when using these tools on a production environment!)

4. Once you have identified and prioritized your key risks, you figure out a
strategy to address these risks by using a security control framework (You
might want to check out ISO 27002 or the Standard of Good Practice from the
Information Security Forum, or use the guides provided by NIST and the NSA)

5. Implement the necessary security controls identified in 4. (e.g. network
security controls, protection against malicious code, access control,
separation of duties, security awareness training, communications security,
change management, and so on)

6. Monitor and audit your security posture

7. Repeat from 2.

Geoff

-----Original Message-----
From: 
Sent: Dec 13, 2007 8:03 PM
To: security-basics () securityfocus com
Cc: pen-test () securityfocus com, wifisec () securityfocus com
Subject: Information Security

A few months ago I joined a medium sized company as a systems admin.
The company's prior IT team did little in the form of maintenance and
nothing in the form of security. I come from an administration
background but have only common sense when it comes to decent security.
There are shared domain admin passwords, shared user logons and many
users have local admin on their PCs. I know best practice is to
separate the admins from the security team but this company views IT as
a necessary evil, i.e. there are 4 IT techs for 7 sites and around 500 PC
users spread across the sites, all techs being at corporate. These
issues are being addressed but what I would like to know from the
community is the following:

I'd like to assemble a toolkit both for gaining security control and
then maintaining it. Also pointers as to best practices and the like
would be most appreciated.