RE: The procedural aspects and work valorization of an IT Security Service, Advice needed

["Murda Mcloud" <murdamcloud () bigpond com>]

This sounds like a long term cultural change that you are trying to
initiate. It will be bolstered by having reports etc but also by simply
raising questions on what is important to the company, business-wise and
then possibly pointing out how much financial benefit the company will get
from improving their security posture.

This means you need to have the ear of management/ceo etc.

One of my first things I did at a company I worked at that had NO security
attitude at all, was to start sending out emails raising the awareness of
the needs for not replying to spam or not just opening random attachments.

Then I started to 'evangelise' about security and sent round news reports
about current problems. Also, educating people was helped by having
presentations for senior staff and others highlighting the problems we face
today(Free sweets and lollies help here). This became an ongoing thing and
slowly but surely the security stance changed. 

Good on you for attempting the difficult...

> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On Behalf Of Mohamed Aymen SAHLI
> > Sent: Sunday, March 01, 2009 10:52 PM
> > To: security-basics () securityfocus com; bugtraq; bs7799 () securityfocus com;
> > bugtraq-french () securityfocus com
> > Subject: The procedural aspects and work valorization of an IT Security
> > Service, Advice needed
> >
> > Hi list,
> >
> > I need pointing on an issue i have with my new job and I hope to find
> > some help hereby.
> >
> > I am occupying an IT Security engineer position within a telecom
> > operator, this position, and the matter of fact the whole security
> > service, is considered to be purely belonging to the operations
> > department having its duties mainly focused on maintaining the
> > day-to-day supervision and administration of equipments and such like.
> >
> > There are two issues I would like to have you advice on:
> >
> > First, due to the fact that maintaining the smooth working of the IT
> > Systems do not have direct appreciable results intelligible by the
> > manager’s board, what mechanisms do you guys  use to valorize you work
> > so it don’t goes overlooked.
> >
> > Secondly, as a direct result of considering the security as plus or
> > minus a hardware administration matter, there is almost no procedures
> > in place relating to security, change management/security issues
> > logging and analysis etc… hence my question, what framework would you
> > use to develop the procedural aspect of security and how would you
> > convince the managers board of its importance. Are there any examples
> > of documents relating to security incidents reporting, security
> > project achievement follow-up etc… I could base my work on? …
> >
> > Looking forward to reading from you. All inputs are appreciated.
> >
> > Best regards.