Security Basics mailing list archives

RE: Help with guidlines


From: "Mark Palmer" <mpalmer () hoovers com>
Date: Fri, 8 Dec 2006 09:25:30 -0600

Chris-

Use some Google-Fu to obtain a plethora of document templates, security
guidelines, etc....  here is one site with some adequate security
policies: http://www.comptechdoc.org/independent/security/policies/ (BTW
I am not endorsing the site nor its contents, it is a site that appears
to provide an adequate *starting* point for security policies). 

But there is something more important to understand; just because you
have written/documented policy/procedures/guidelines there is no patch
for human errors created by the ID10T who thought it would be a good
idea to setup the 50 laptops in that manner.  But enough name calling.  

There are no "one-size fits all" documents for security; policies and
guidelines must be context specific.  There are plenty of models,
frameworks, methodologies, and templates that can be consulted.  Two
important things you need to understand are the needs of the business
and how the business reacts to and manages risk.  

It sounds like the Enterprise IT folks need to enforce a rigorous set of
controls to reduce the risk of this from happening again.  

Getting mutually agreed upon policies & guidelines is challenging and
being "the new guy" it will be a sizeable task to affect the cultural
changes needed to reduce the risk of this happening again.

Mark Palmer
IT Security Compliance

-----

The information contained in this communication is confidential. This
communication is the property of Hoover's, Inc. and is intended only for
the use of the addressee. If you are not the intended recipient, please
notify me promptly and delete the message. Any distribution or copying
of this message without my prior consent is prohibited.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Chris Barber
Sent: Wednesday, December 06, 2006 5:33 PM
To: security-basics () securityfocus com
Subject: Fwd: Help with guidlines

Hi all,

First I would like to apologize if this has been asked and answered on
the list before.

Here is my situation:  I work for a very large organization with
several "IT Departments".  There is the Enterprise IT staff and they
are in charge of all services and functions that are company wide,
E-Mail, Internet Access, Network infrastructure, Network security,
etc.  The other departments then have there own LAN Admin staff that
handle the day to day network activities.  I am relatively new to the
company and have recently learned that the LAN Admin staff for the
different departments all handle things in their own way, not always
following best practices.

The latest disaster was just a few days ago when our sales dept. LAN
admins were setting up 50 new laptops for the sales force.  All 50
laptops were on the network while 3 LAN Admins rotated from unit to
unit installing updates and new software.  Don't ask me why they were
doing this the hard way, but they were.  Now, one of the LAN admins
from Product development came to me with an issue he was having with a
programmers Laptop.  The Programmer brought it in and said that it was
"Acting funny".  When I asked him what he had done so far, his
response was "After connecting it to the network, I looked at the DHCP
settings, then started a defrag, and poked around in the control
panel, Add/remove programs, etc.  I have been working on the PC for
several hours now, and..."

My jaw hit the floor.  Yeah, we now have 50 brand spanking new Laptops
hot off the truck from Dell, all of them infected with... well as it
turns out only 5 different virus/worms.

Enough of my ramblings and to the point of my E-Mail to the group...
Does anyone have a set of written guidelines or whathaveyou that they
would be willing to share with me and/or the group or point me in the
direction of a web site that has something to get me started it would
be most appreciated.

Thanks in advance
(Professionally Frustrated)
Chris.

------------------------------------------------------------------------
---
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetec
t
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------


Current thread: