Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Security in sixty seconds or less.

Every once in a while I get a request that drives me crazy.  It’s usually in the form of, “X group needs to be secure, tell them what to do.”

And you know that “tell them what to do” doesn’t mean “perform an audit, engage a pentester, give them a list of findings, create a security management program for them, and put it all in writing.” It means “put a couple of lines in our contract with them” or “talk to one of their reps for half an hour on the phone.” You can’t tell them to “comply with all our policies,” because then you have to list all of them (including the ones that aren’t written down), and before you know it, you have a book that they don’t want.

So I was thinking:  how do YOU sum up “how to be secure” as briefly as possible?

Here’s what I have it boiled down to:

1.  Have control over your systems.

2.  Check your security frequently.

3.  Educate all your people.

Number one expands to maintaining an accurate inventory of your systems; having a process in place to manage and update them consistently; making sure your users aren’t messing them up; making sure nobody is adding unmanaged systems or software; and having policies and processes for access control and system administration.

Number two expands to monitoring, auditing, certification, pentesting, and performing risk assessments against the current trends.

Number three means training users, support people, developers, AND all executives.  It includes educating your security people so that they know what they’re supposed to be doing.

I think if you cover these three points, you’ll have a pretty good security program and have most of the bases covered.  What do you think?

Posted by shrdlu on Thursday, June 12, 2008