Security Basics mailing list archives

List of Questions for InfoSec Business Development (Experts Please Review)
From: "Jon S." <supercool9000 () hotmail com>
Date: Wed, 14 Apr 2004 15:45:24 -0400

Below is a fairly concise "draft" list of questions for business development purposes. Please excuse any mistakes and review for accuracy. Feel free to contribute your expertise.


====================================================
List of Questions for Organizational Information Security
Business Development
====================================================

Overview:

- Who is trying to gain access? (Answer: various types of spies, hackers, script kiddies, or those involved in corporate espionage. More and more are skilled enough to avoid being caught or even detected. Some hackers just want publicity while some try to gain or destroy information. They are using stealthier techniques every passing day and as a result prosecution is more difficult.)

- Who's responsible? (Answer: senior management is ultimately responsible for the entire organization's security. In a court of law, judges will expect senior management to have taken all reasonable steps within their power to protect the organization's information/privacy/security.)

- What needs to be done? (Answer: All areas of Architecture, Management, Operations, and even Physical Security should be considered and protected by the use of Access Controls, Encryption, Software Implementation and Development Procedures, and Law Enforcement. Maintaining the confidentiality, integrity, and availability of the sensitive information and the safety of personnel within the organization is, in general, the main focus.)

Questions:

1. Does your organization's computer network contain sensitive or critical information? (The federal government declared that even unclassified 'everyday' information can actually be sensitive and needs to be protected. This is because an intruder can deduce and infer the contents of classified information by "Inference".)
- What needs to be protected? (The answer is all types of information, ranging from unclassified to classified.)
- Have you recently conducted a thorough assessment of the damage your organization will incur if an intruder were to gain unauthorized access to such information? (answer: an organization must be aware of the estimated value of the information they are trying to safeguard.)

2. Do you have an executive responsible for managing the protection of critical information assets, is this person explicitly trained in information security, and have you allocated budget and resources for protection? (Ans: should be yes)

- Do you feel the current allocation and resources for protection are sufficient to maintain normal business operations considering the number of recent security incidents?

3. Does the Board or Executive Management review the organization's information security program at least semi-annually? (Ans: If less than semi-annual, it is out of date since the info-sec field is advancing rapidly and intruders are constantly looking for creative ways in.)

4. Has your organization documented information security policies consistent with its business needs, organizational structure, legal obligations, insurance policies, and risk management processes?
- Do you trust these documents to be up to date in accordance with current technology?

5. Is all critical and sensitive information explicitly identified as such and restricted to those having a "need to know?" (Answer should be yes)

- are these restrictions enforced by "separation of duty" and "mandatory vacations"?
   - are there policies to ensure that these policies are enforced?
(Separation of duty means that a person cannot perform job functions without another person's help. Mandatory vacations reduce the chance of fraud because most people engaging in fraud never take vacations for fear of being discovered.)

6. Are all employees and contractors provided regular ongoing information security training, including training in the safe handling of email and in password selection and protection, and are they held accountable for violations of security policy? Is there an updated security awareness program that is enforced on an ongoing basis?

(Answer: They obviously have an awareness program but there are some problems with it. First, it appears that many employees within a typical large organization never bother to view the "security presentation" offered by the agency because their security awareness exam is either too easy to pass or reuses the same/similar questions over and over every year. The end users are the first line of defense in protecting information, and need to be aware that some intrusions are not so obvious. For example, social engineers, who are intruders who disguise themselves as credible system administrators, tend to do most of their work using their people skills.)

7. Have you coordinated your information security posture with customers, suppliers, and other trading partners whose computer systems you access or who access your computer systems?

8. Does your organization have documented recovery procedures to follow should a break-in, virus infestation or other security event occur? (answer should be yes)
- Were these procedures evaluated for their efficiency within the past 6 months? (ans: anything less is no good since intruders use ever better methods and technologies.)

9. Does your organization back up all workstations and servers at least weekly, are multiple backups stored off-site, and are backups periodically tested to ensure the ability to restore data if necessary?
- Have you assessed how long your organization can sustain minimal business operations in the event of a natural and/or man-made disaster?
- Are these operations available via off-site backup centers or from on-site? (ans: having both is ideal, but should have off-site)
   - Have you conducted any kind of partial or full-scale shutdown test?
(answer: it is critical and crucial for a large organization to have ready-and-tested off-site backup servers. It is not enough to have a cold backup site that only has backup media.)

10. Has your organization's system architecture been explicitly designed in accordance with network security principles and practices, including the use of firewalls? (ans: large and old organizations may not have an ideally-designed system architecture. A trade-off between cost and other factors.)

11. Is virus protection software on all servers and workstations and is someone explicitly responsible for monitoring virus alerts and ensuring that virus protection is up-to-date?

(answer: regardless of the answer, the fact is that there is a widespread virus problem globally. There have been reports that people received hundreds of virus-generated spam emails, even from administrator accounts themselves that were infected. Although anti-virus software may certainly be installed, it is highly likely that the end users are not updating the virus definitions frequently enough, which indicates an inadequate security awareness program.)

12. Is someone explicitly responsible for monitoring security patches and alerts, and ensuring hardware and software systems are up-to-date and properly protected?

(Answer: most likely yes, but ask about the ratio of the security team members to the total size of the organization they are responsible for)

13. Is access to servers, routers, and other network technology physically restricted to those whose job responsibilities require access? (answer: should be "yes" since this is considered good practice)

14. Would you know if someone was illegitimately accessing critical information assets? (answer: large organizations cannot log every single event due to the enormous log file size created. An administrator cannot sit all day and night reading log files; therefore many large organizations use 'clipping' software which detects deviations from normal activities.)
- Are they comfortable with the type of technology they currently use, or are they willing to consider trying a different technology?

15. Has your organization had an independent 3rd-party information security vulnerability assessment or penetration test within the last 12 months? (ANS: 3rd-party full assessments and frequent penetration tests are crucial since they give an organization a non-biased, objective view.)

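The 'clipping' approach item 14 describes, as an added example that is not part of the original post: a clipping level is a per-source threshold within a time window below which repeated failed logins are treated as normal noise and never surface, so an administrator sees a handful of alerts rather than every event. The log line shape, the host names and the addresses are all constructed for the demonstration, not taken from any real system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log in a syslog-like shape (not from any real system):
# 7 rapid failures for alice from one host, 2 spaced failures for bob,
# one successful login, and 6 failures for dave spread two minutes apart.
SAMPLE_LOG = "\n".join(
    [f"2004-04-14T09:00:0{i} sshd[101]: Failed password for alice from 10.0.0.5"
     for i in range(1, 8)]
    + ["2004-04-14T09:01:00 sshd[102]: Failed password for bob from 10.0.0.9",
       "2004-04-14T09:01:30 sshd[102]: Failed password for bob from 10.0.0.9",
       "2004-04-14T09:02:00 sshd[103]: Accepted password for alice from 10.0.0.5"]
    + [f"2004-04-14T09:{2 * i:02d}:00 sshd[104]: Failed password for dave from 10.0.0.7"
       for i in range(2, 8)]
)

FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)$")


def clipping_alerts(log_text, clipping_level=5, window_seconds=60):
    """Surface only sources whose failed-login count inside a sliding window
    exceeds the clipping level; anything at or below it is treated as normal
    background noise and is never reported. Returns (events_seen, alerts)."""
    recent = defaultdict(deque)  # source -> timestamps of failures still in window
    alerts, events = [], 0
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and other records are not counted
        events += 1
        ts = datetime.fromisoformat(m.group(1))
        user, source = m.group(2), m.group(3)
        window = recent[source]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # discard failures that have aged out of the window
        if len(window) == clipping_level + 1:
            # Fire once, at the moment the clipping level is first exceeded.
            alerts.append({"source": source, "user": user,
                           "at": m.group(1), "failures": len(window)})
    return events, alerts


if __name__ == "__main__":
    seen, found = clipping_alerts(SAMPLE_LOG)
    print(f"{seen} failed-login events reduced to {len(found)} alert(s): {found}")
```

With the defaults, 15 failed-login events collapse to one alert: dave's six failures never exceed the level because they are spread wider than the window, which is exactly the noise a clipping level is meant to hide.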
