Client questions

Posted on 2004-08-10
Medium Priority
Last Modified: 2010-04-11
How would you answer these client questions when you are a small company with no such standards or procedures in place?

1. List and describe your documented security standards and the approval process in place for new standards and modifications to existing standards, if they are ever modified.

Question by: ZJay
LVL 24

Expert Comment

ID: 11765342
Do the same as modern businesses in response to such requests from their government agencies.

The answer is to not answer.

You do not tell any outsiders your security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business.
LVL 24

Expert Comment

ID: 11765375
Q> List and describe your documented security standards
Q> no such standards or procedures in place.

For that specific view, the same applies: since you cannot respond, you do not, not tipping your hand. Call it "no-tell".
LVL 10

Accepted Solution

ngravatt earned 1000 total points
ID: 11767541
Start putting the policies in place.
You should have at least some security standards or policies, like: what are you going to do if you find a computer infected with a virus? What procedure do you follow to add rules to the firewall? How do you distribute your VPN accounts? Is anyone allowed in your office building, or do you lock the doors at night?

Take SunBow's advice: "You do not tell any outsiders your" EXACT "security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business."

But you should be able to give a brief description without compromising your or their business.
LVL 38

Assisted Solution

by: Rich Rumble
Rich Rumble earned 1000 total points
ID: 11769665
If you need some quick policies, look at the SANS policy page. It's simple to do find&replace in these documents, and they also happen to be very good templates. They may give you an idea of what your clients may be looking for:
Pick the policies that apply to your environment, and see if you can get them to fit your situations.
Acceptable Use, Anti-Virus Process, Audit Vulnerability Scanning Policy, E-mail Policy, Ethics Policy and Password Protection Policy should be pretty standard policies.

Professionals (and that sometimes leaves the government out) would give them something to go on... and while just replacing your name in the policies on the SANS page may look good, it's not enough: you should understand and read the documents in their entirety, remove what doesn't work, and add more detail if you can. But you can't tell them you don't have any written policies... because you do... in your head, just not on paper. Hopefully these docs can help organize the policies in your head, and put them on paper :)

Expert Comment

ID: 11773418
Sounds like you're either responding to a tender, or your client is vetting the security of their supply chain. In either case be honest. But as above, don't necessarily give everything away. Your client will probably know you're a small company, and will appreciate that many SMEs don't have the same security standards as big business (but explain it anyway, just in case).

If you think you don't have security standards, just turn the question on its head and look at what processes you already use and how they contribute to security.

For example, you may not have Change Management. But you've probably got a manager somewhere who is responsible for vetting orders and signing them off. This is an anti-fraud measure and, assuming the manager is technically aware, it can also provide *some* change management benefits. For example, the manager would hopefully question someone trying to buy an iPaq if the rest of the company is using Palm OS, as this could pose a threat to availability of data. Which could also be giving you technical standards... and so on.

Security standards for small business could be as simple as a couple of pages of do's and don'ts (like using the above process). Then give a very rough summary (a couple of lines) to your client.

Things are different in larger businesses, where there are different managers in different locations, who could be approving different things. This is when a full set of policies is most useful.

I've worked for a variety of small businesses in the past, and the above usually worked out.
