Solved

Client questions

Posted on 2004-08-10
7
157 Views
Last Modified: 2010-04-11
How would you answer these client questions when you are a small company with no such standards or procedures in place?

1. List and describe your documented security standards and the approval process in place for new standards and modifications to existing standards, if they are ever modified.


-Z
Question by:ZJay
7 Comments
 
LVL 24

Expert Comment

by:SunBow
Do the same as modern businesses in response to such requests from their government agencies.

The answer is to not answer.

You do not tell any outsiders your security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business.
 
LVL 24

Expert Comment

by:SunBow
Q> List and describe your documented security standards
Q> no such standards or procedures in place.

For that specific view, the same applies: since you cannot respond, you do not, not tipping your hand. Call it "no-tell".
 
LVL 10

Accepted Solution

by: ngravatt (earned 250 total points)
Start putting the policies in place.
You should have at least some security standards or policies, like what are you going to do if you find a computer infected with a virus? Or what procedure do you follow to add rules to the firewall? How do you distribute your VPN accounts? Is anyone allowed in your office building, or do you lock the doors at night?

Take SunBow's advice: "You do not tell any outsiders your" EXACT "security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business."

But you should be able to give a brief description without compromising yours or their business.
 
LVL 38

Assisted Solution

by: Rich Rumble (earned 250 total points)
If you need some quick policies, look at the SANS policy page. It's simple to do find & replace in these documents, and they also happen to be very good templates... they may give you an idea of what your clients may be looking for:
http://www.sans.org/resources/policies/
Pick the policies that apply to your environment, and see if you can get them to fit your situations.
Acceptable Use, Anti-Virus Process, Audit Vulnerability Scanning Policy, E-mail Policy, Ethics Policy and Password Protection Policy should be pretty standard policies.

Professionals, and that sometimes leaves the government out, would give them something to go on... and just replacing your name in the policies on the SANS page may look good, but it's not enough: you should read and understand the documents in their entirety, remove what doesn't work, and add more detail if you can. But you can't tell them you don't have any written policies... because you do... in your head, just not on paper. Hopefully these docs can help organize the policies in your head and put them on paper :)
-rich
 
LVL 3

Expert Comment

by:Beluga
Sounds like you're either responding to a tender, or your client is vetting the security of their supply chain. In either case, be honest. But as above, don't necessarily give everything away. Your client will probably know you're a small company, and will appreciate that many SMEs don't have the same security standards as big business (but explain it anyway, just in case).

If you think you don't have security standards, just turn the question on its head and look at what processes you already use and how they contribute to security.

For example, you may not have Change Management. But you've probably got a manager somewhere who is responsible for vetting orders and signing them off. This is an anti-fraud measure and, assuming the manager is technically aware, it can also provide *some* change management benefits. For example, the manager would hopefully question someone trying to buy an iPaq if the rest of the company is using Palm OS, as this could pose a threat to availability of data. Which could also be giving you technical standards... and so on.

Security standards for a small business could be as simple as a couple of pages of do's and don'ts (like using the above process). Then give a very rough summary (a couple of lines) to your client.

Things are different in larger businesses, where there are different managers in different locations, who could be approving different things. This is when a full set of policies is most useful.

I've worked for a variety of small businesses in the past, and the above usually worked out.