Educause Security Discussion mailing list archives

Re: Outsourcing security scanning (internal and external)
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 7 Oct 2005 13:45:24 -0400

On Fri, 07 Oct 2005 08:32:55 PDT, Greg Francis said:
> We don't currently follow any model for information security. Up until now

(Aha! Now a lot of things from your first note suddenly make a lot more sense,
seen in context....)

> we have had a very loose security policy with most of it being completely
> undocumented. Our work on security tends to be reactive rather than
> proactive with any significant changes coming as a result of negative
> events. Over the years that has created a loose plan but far from being
> comprehensive and very little of it being organized. Security emphasis has
> mostly been in those areas that we consider higher risk but there are
> still many, many gaps to work on.

I suggest to you that perhaps rather than fretting over outsourcing, your
school needs to address the lack of a model.  Among other things, how do you
expect to outsource something when you have no idea of what you need or what
you are outsourcing?  How do you tell if the outsourcer is doing a good job
at what you're paying them for, or even if what you're paying for is actually
going to benefit your site's security?

> currently on the network that we might not even know are there. Plus, it
> creates a nice tidy report that makes some upper management people. I wish
> that wasn't a huge concern but we have a set of trustees on the
> technology committee that think they know everything about everything and
> that has created major pressure on the technology staff to prioritize
> things in perhaps a less than optimal order.

What I'd do (and probably indicative of why I'm not management material :)

Get a nice tidy report.  About something else.  The 2004 UN statistics on grain
shipments to Africa.  Doesn't matter what, as long as it's irrelevant to your
site's security posture.

When the trustees that think they know everything ask what the heck this means,
put them on the spot:  Ask them *flat out* what a tidy report *on security*
would mean, if there's no policy or model to measure it against.  Then put up a
nice *pretty* overhead slide that says "37 vulnerabilities were found".  No other
explanatory text.  Ask them if they'd rate this as good or bad.  Would they
change their stance if it was 37 major holes found on the payroll server alone?
Or 37 minor problems found in the entire resnet?

Close by saying that tidy reports are just numbers, and without a clear vision
of what numbers your site considers important, it's all just a lot of sound
and fury, signifying nothing....
