Client questions

Posted on 2004-08-10
Last Modified: 2010-04-11
How would you answer these client questions when you are a small company with no such standards or procedures in place?

1. List and describe your documented security standards and the approval process in place for new standards and modifications to existing standards, if they are ever modified.

Question by:ZJay
LVL 24

Expert Comment

ID: 11765342
Do the same as modern businesses in response to such requests from their government agencies.

The answer is to not answer.

You do not tell any outsiders your security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business.
LVL 24

Expert Comment

ID: 11765375
Q> List and describe your documented security standards
Q> no such standards or procedures in place.

For that specific view, the same applies: since you cannot respond, you do not, not tipping your hand. Call it "no-tell".
LVL 10

Accepted Solution

ngravatt earned 250 total points
ID: 11767541
Start putting the policies in place.
You should have at least some security standards or policies, like: what are you going to do if you find a computer infected with a virus? What procedure do you follow to add rules to the firewall? How do you distribute your VPN accounts? Is anyone allowed in your office building, or do you lock the doors at night?

Take SunBow's advice: "You do not tell any outsiders your" EXACT "security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business."

But you should be able to give a brief description without compromising your or their business.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 11769665
If you need some quick policies, look at the SANS policy page. It's simple to do find & replace in these documents, and they also happen to be very good templates. They may give you an idea of what your clients may be looking for.
Pick the policies that apply to your environment, and see if you can get them to fit your situations.
Acceptable Use, Anti-Virus Process, Audit Vulnerability Scanning Policy, E-mail Policy, Ethics Policy and Password Protection Policy should be pretty standard policies.

Professionals (and that sometimes leaves the government out) would give them something to go on. Just replacing your name in the policies on the SANS page may look good, but it's not enough: you should read and understand the documents in their entirety, remove what doesn't work, and add more detail if you can. But you can't tell them you don't have any written policies, because you do, in your head, just not on paper. Hopefully these docs can help organize the policies in your head and put them on paper :)

Expert Comment

ID: 11773418
Sounds like you're either responding to a tender, or your client is vetting the security of their supply chain. In either case, be honest. But as above, don't necessarily give everything away. Your client will probably know you're a small company, and will appreciate that many SMEs don't have the same security standards as big business (but explain it anyway, just in case).

If you think you don't have security standards, just turn the question on its head and look at what processes you already use and how they contribute to security.

For example, you may not have Change Management. But you've probably got a manager somewhere who is responsible for vetting orders and signing them off. This is an anti-fraud measure and, assuming the manager is technically aware, it can also provide *some* change management benefits. For example, the manager would hopefully question someone trying to buy an iPaq if the rest of the company is using Palm OS, as this could pose a threat to availability of data. That could also be giving you technical standards... and so on.

Security standards for a small business could be as simple as a couple of pages of do's and don'ts (like using the above process). Then give a very rough summary (a couple of lines) to your client.

Things are different in larger businesses, where there are different managers in different locations, who could be approving different things. This is when a full set of policies is most useful.

I've worked for a variety of small businesses in the past, and the above usually worked out.
