List of Questions for InfoSec Business Development (Experts Please Review)
From: "Jon S." <supercool9000 () hotmail com>
Date: Wed, 14 Apr 2004 15:45:24 -0400
Below is a fairly concise "draft" list of questions for business development
purposes. Please excuse any mistakes and review for accuracy. Feel free to
contribute your expertise.
List of Questions for Organizational Information Security
- Who is trying to gain access? (Answer: various types of spies, hackers,
script kiddies, or those involved in corporate espionage. More and more are
skilled enough to avoid being caught or even detected. Some hackers just
want publicity while some try to gain or destroy information. They are using
stealthier techniques every passing day and as a result prosecution is more
- Who's responsible? (Answer: senior management is ultimately responsible
for the entire organization's security. In a court of law, judges will
expect senior management to have taken all reasonable steps within their
power to protect the organization's information/privacy/security. )
- What needs to be done? (Answer: All areas of Architecture, Management,
Operations, and even Physical Security should be considered and protected by
the use of Access Controls, Encryption, Software implementation and
Development Procedures, and Law Enforcement. Maintaining the
confidentiality, integrity, and availability of the sensitive information
and the safety of personnel within the organization is, in general, the
1. Does your organization's computer network contain sensitive or critical
(The federal government declared that even the unclassified 'everyday'
information can actually be sensitive, and needs to be protected. This is
because an intruder can deduce and infer the contents of classified
information by "Inference")
- What needs to be protected? (The answer is all types of information,
ranging from unclassified to classified. )
- Have you recently conducted a thorough assessment of the damage your
organization will incur if an intruder were to gain unauthorized access to
such information? (answer: an organization must be aware of the estimated
value of the information they are trying to safeguard)
2. Do you have an executive responsible for managing the protection of
critical information assets, is this person explicitly trained in
information security, and have you allocated budget and resources for
protection? (Ans: should be yes)
- Do you feel the current allocation and resources for protection are
sufficient to maintain normal business operations considering the number of
recent security incidents?
3. Does the Board or Executive Management review the organization's
information security program at least semi-annually? (Ans: If less than
semi-annual, it is out of date since the info-sec field is advancing rapidly
and intruders are constantly looking for creative ways in)
4. Has your organization documented information security policies consistent
with its business needs, organizational structure, legal obligations,
insurance policies, and risk management processes?
- Do you trust these documents to be up to date in accordance with
current technology?
5. Is all critical and sensitive information explicitly identified as such
and restricted to those having a "need to know?" (Answer should be yes)
- are these restrictions enforced by "separation of duty" and "mandatory
- are there policies to ensure that these policies are enforced?
(Separation of duty means that a person cannot perform job functions
without another's help. Mandatory vacations reduce the chance of fraud
because most people engaging in fraud never take vacations for fear of
being discovered.)
6. Are all employees and contractors provided regular ongoing information
security training, including training in the safe handling of email and in
password selection and protection, and are they held accountable for
violations of security policy? Is there an updated security awareness
program that is enforced on an ongoing basis?
(Answer: They obviously have an awareness program but there are some problems
with it. First, it appears that many employees within a typical large
organization never bother to view the "security presentation" offered by the
agency because their security awareness exam is either too easy to pass or
reuses the same/similar questions over and over every year. The end users
are the first line of defense in protecting information, and need to be
aware that some intrusions are not so obvious. For example, social
engineers, who are intruders who disguise themselves as credible system
administrators, tend to do most of their work using their people skills.)
7. Have you coordinated your information security posture with customers,
suppliers, and other trading partners whose computer systems you access or
who access your computer systems?
8. Does your organization have documented recovery procedures to follow
should a break-in, virus infestation or other security event occur?
(answer should be yes)
- Were these procedures evaluated for their efficiency within the past 6
months? (ans: anything less is no good since intruders use ever better
methods and technologies )
9. Does your organization back-up all workstations and servers at least
weekly, are multiple backups stored off-site, and are back-ups periodically
tested to ensure the ability to restore data if necessary?
- Have you assessed how long your organization can sustain minimal
business operations in the event of a natural and/or man-made disaster?
- Are these operations available via off-site backup centers or from
(ans: having both is ideal but should have off-site)
- Have you conducted any kind of partial or full-scale shutdown test?
(answer: it is critical and crucial for a large organization to have
ready-and-tested off-site backup servers. It is not enough to have a cold
backup site that only has backup media.)
10. Has your organization's system architecture been explicitly designed in
accordance with network security principles and practices, including the use
(ans: large and old organizations may not have ideally-designed system
architecture. A trade-off between cost and other factors)
11. Is virus protection software on all servers and workstations and is
someone explicitly responsible for monitoring virus alerts and ensuring that
virus protection is up-to-date?
(answer: regardless of the answer, the fact is that there is a widespread virus
problem globally. There have been reports that people received hundreds of
virus-generated spam emails even from administrator accounts themselves that
were infected. Although anti-virus software may certainly be installed, it
is highly likely that the end users are not updating the virus definitions
frequently enough, which indicates an inadequate security awareness program)
12. Is someone explicitly responsible for monitoring security patches and
alerts, and ensuring hardware and software systems are up-to-date and
(Answer: most likely yes, but ask about the ratio of the security team
members to the total size of the organization they are responsible for)
13. Is access to servers, routers, and other network technology physically
restricted to those whose job responsibilities require access? (answer:
should be "yes" since this is considered good practice)
14. Would you know if someone was illegitimately accessing critical
(answer: large organizations cannot log every single event due to the
enormous log file size created. An administrator cannot sit all day and
night reading log files; therefore many large organizations use 'clipping'
software which detects deviations from normal activities.)
- Are they comfortable with the type of technology they currently use,
or are they willing to consider trying a different technology?
15. Has your organization had an independent 3rd- party information security
vulnerability assessment or penetration test within the last 12 months?
(ANS: a 3rd-party full assessment and frequent penetration tests are crucial
since they give an organization a non-biased, objective view.)