Re: Corporate Security Status

[Stephen Flanagan <sflanagan () flanagannetworks com>]

Guys / Gals,
I don't think he is asking us about work ethic so to speak... I think he 
is asking for a template in which he can input his specific data. If 
this is the case, you will find that most security scanners have reports 
on what they find. I don't know how big your company is but, I find it 
incredably hard to produce a 1 page report on 1 server!
Not only that but every network being different it is hard to come up 
with a template for an "every situation" type document. So, given that I 
believe the answer to your question is a resounding no.
However you may be able to visit www.nsa.gov and use thier checklists as 
a guide toward a template?
One other site I like to visit that has alot of info is 
http://www.infosyssec.com/
Hope this helps!
Stephen
James Kivisild wrote:

> > > I would like to develop a quarterly security review of
> > > my company I can hand to my boss. Basically, I want to
> > > create a one page high level summary of what we're
> > > doing right and where we are lacking. Does anyone know
> > > of any templates out there?
> > >      
> > You're really opening up something here...basically, a lot of 
> > questions.  I think the biggest question you need to ask 
> > yourself is, what concerns your boss?  After all, don't you 
> > think it would be an incredible waste of effort for you to 
> > put in a great deal of work on something that your boss has 
> > no interest in?
> >    
>
> Respectfully, I must disagree. Your employer's opinion should have
> nothing to do with your security policy, or any reporting of such. You
> need to create a report that is honest and accurate. Your report should
> be as large as necessary. Don't skimp on details just to save space. If
> you think it's important, include it in the report. You are however,
> correct in including a high level summary. This executive summary should
> highlight the important findings and reference the details. If your boss
> wants to read about the specifics, he or she should be able to easily
> find them in the bulk of the report. If your executive summary doesn't
> contain anything that warrants further attention, so be it; keep the
> report for posterity and don't worry about the extra work. Don't do
> yourself and your company a disservice by tainting the truth.
>
> As for a standard template, I think that depends on the nature of your
> business. Make a checklist of the security practices you should follow
> for your industry, and report on how your company deviates from ideal
> conditions. As far as protecting your company from generic Internet
> based vulnerabilities, determine what your servers are susceptible to,
> and report as necessary.
>
> If you don't report something and it bites you in the butt, isn't it
> YOUR job on the line?
>
> Regards,
> James Kivisild
>
>
>
> ---------------------------------------------------------------------------
> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
>
> Protect your network with the comprehensive security solution that
> integrates six applications for ease of use and lower TCO.
>
> Firewall - Virus protection - Spam protection - URL blocking - VPN
> - Wireless security.
>
> Download 30-day evaluation at:
> http://www.astaro.com/php/contact/securityfocus.php
> ----------------------------------------------------------------------------
>
>
>  


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------