Re: Skype use obligation - Security x Productivity

[M.B.Jr. <marcio.barbado () gmail com>]

Well,
thank you all.
I really appreciate your attention and your suggestions as well.

See, when I stated:
"Risk their efforts in obtaining the mentioned ISO certifications?"
I meant they are struggling to obtain it in order to conform to
another big partner's prerequisites (yes, ironic). They do not have
the certifications yet and the voip application use obligation may
constitute one big barrier.
It all starts like that. Like:
"yes sir, voip's great!"
Then:
"sir, why don't we provide our workforce with some voip enhanced mobile devices?
check out this nice colored folder explaining it."

That's one main concern for network security. Voip always brings some
AP's along with it.
We try hard to keep wi-fi technologies far from our customers' networks.

Another point raised:
Why posting this issue in here? What is its relationship with pentesting?
Well, network assessments are our company's cornerstone and all of our
efforts in strengthening a client's infrastructure is conducted
through a layer-by-layer perspective.

We are about to schedule a meeting with our customer's CIO
(they do not have sth like a CSO, that's our company's role) and one
of their board members.
Be sure that most of what was said here is going to be taken in account then.

Thank you again.
Yours sincerely

On 7/18/07, Pretorius, Wynand (ZA - Johannesburg)
<wpretorius () deloitte co za> wrote:
> Good Morning
>
> For the 7799 certification you need to show evidence that the business
> decided on using a particular technology that falls within acceptable
> levels of risk. Remember the business defines the risk levels. Risks
> must be identified, mitigated, accepted or transferred with supporting
> evidence.
>
> You cannot fail a company because of their choice of technology. In fact
> is not even about the technology but more the management of the risk. My
> advise to you is that if the business chose skype, ensure that the
> supporting processes, secure configuration standards and acceptable use
> policy in place. This will show that the technology is managed and the
> risks identified. Also consider a readiness audit before you go for
> certification.
>
> Regards
>
> Wynand Pretorius
> CISSP CISA CISM ISO 27001 Lead Auditor
> Manager
> Enterprise Risk Services
> Deloitte & Touche
> Tel switchboard +27 (0)11 806 5000
> Email: wpretorius () deloitte co za
>
> World Wide Web http://www.deloitte.com
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Javier O. Augusto
> Sent: 17 July 2007 03:34 AM
> To: pen-test () securityfocus com
> Subject: Re: Skype use obligation - Security x Productivity
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> M.B.Jr. wrote:
> > [..] What to do? Risk their efforts in obtaining ISO certification?
> >  Guess we need to hear some other professionals.
> >
> > Thank you, any comment will be extremmely useful.
> >
> Greetings,
>
> You're better off sending this question to "bs7799 () securityfocus com"
> Anyway, remeber that ISO 17799 guidelines says measurements are not
> mandatory...
>
> HTH.
>
> Jay_of_Today
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFGnByBdzPeqPICKQkRAq2bAJkB4Ew5A4vpofU6b08NhnM421Y3AgCgjusw
> buPeMOm5jkURv7t+K8LGz9E=
> =ZOuq
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Swap Out your SPI or Watchfire app sec solution for Cenzic's robust,
> accurate risk assessment and management solution FREE - limited Time
> Offer
>
> http://www.cenzic.com/c/wf-spi
> ------------------------------------------------------------------------
>
> Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") 
> that must be accessed and read by visiting our website and viewing the webpage at the following address: 
> http://www.deloitte.com/za/disclaimer.  The Disclaimer is deemed to form part of the content of this email in terms of Section 11 
> of the Electronic Communications and Transactions Act, 25 of 2002.  If you cannot access the Disclaimer, please obtain a copy 
> thereof from us by sending an email to ClientServiceCentre () Deloitte co za.
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Swap Out your SPI or Watchfire app sec solution for
> Cenzic's robust, accurate risk assessment and management
> solution FREE - limited Time Offer
>
> http://www.cenzic.com/c/wf-spi
> ------------------------------------------------------------------------



--
Marcio Barbado, Jr.
==============
==============

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------