Client questions

How would you answer these client questions when you are a small company with no such standards or procedures in place.

1.List and describe your documented security standards and the approval process in place for new standards and modifications to existing standards if they are ever modfied

Who is Participating?
ngravattConnect With a Mentor Commented:
start putting the policies in place.  
You should have a least some security standards or policies, like what are you going to do if you find a computer infected with a virus?  or what procedure to you follow to add rules to the firewall?  How do you distribute you VPN accounts?  Is anyone allowed in your office building, or do you lock the doors at night?

Take SunBow's advice "You do not tell any outsiders your" EXACT "security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromizing their business."

but you should be able to give a brief description with compromizing yours or their business.
Do the same as modern businesses in response to such requests from their government agencies.

The answer, is to not answer.

You do not tell any outsiders your security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromizing their business.
Q> .List and describe your documented security standards
Q> no such standards or procedures in place.

For that specific view, the same applies, since you cannot respond, you do not, not tipping your hand.  Call it "no-tell".
Rich RumbleConnect With a Mentor Security SamuraiCommented:
If you need some quick policies- look at the SANS policy page, it's simple to do find&replace in these docuements, they also happen to be very good templates... they may give you an idea of what your client's may be looking for:
Pick the policies that apply to your environment, and see if you can get them to fit your situations
Acceptable Use, Anti-Virus Process, Audit Vulnerability Scanning Policy, E-mail Policy, Ethics Policy and Password Protection Policy  should be pretty standard policies.

Professionals, and that sometimes leaves the government out, would give them something to go on... and just replacing your name in the policies on the SANS page may look good, it's not enough- you should understand and read the documents in their entirety, and remove what doesn't work, and add more detail if you can. But you can't tell them you don't have any written policies... because you do... in your head, just not on paper- and hopefully these doc's can help organize the policies in your head, and put them on papaer :)
Sounds like you're either responding to a tender, or your client is vetting the security of their supply chain. In either case be honest. But as above, don't necessarily give everything away. Your client will probably know you're a small company, and will appreciate that many SME's don't have the same security standards as big business (but explain it anyway, just in case).

If you think you don't have security standards, just turn the question on its head and look at what processes you already use and how they contribute to security.

For example, you may not have Change Management. But you've probably got a manager somewhere who is responsible for vetting orders and signing them off. This is an anti-fraud measure and, assuming the manager is technically aware, it can also provide *some* change management benefits. For example, the manager would hopefully question someone trying to buy an iPaq if the rest of the company is using Palm OS, as this could pose a threat to availability of data. Which could also be giving you technical standards... and so on.

Security standards for small business could be as simple as a couple of pages of do's and dont's (like using the above process). Then give a very rough summary (couple of lines) to your client.

Things are different in larger businesses, where there are different managers in different locations, who could be approving different things. This is when a full set of policies is most useful.

I've worked for a variety of small business in the past, and the above usually worked out.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.