Solved

Client questions

Posted on 2004-08-10
Last Modified: 2010-04-11
How would you answer these client questions when you are a small company with no such standards or procedures in place?

1. List and describe your documented security standards and the approval process in place for new standards and modifications to existing standards, if they are ever modified.


-Z
Question by:ZJay

Expert Comment

by:SunBow
ID: 11765342
Do the same as modern businesses in response to such requests from their government agencies.

The answer is to not answer.

You do not tell any outsiders your security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business.

Expert Comment

by:SunBow
ID: 11765375
Q> 1. List and describe your documented security standards
Q> no such standards or procedures in place.

For that specific view, the same applies, since you cannot respond, you do not, not tipping your hand.  Call it "no-tell".

Accepted Solution

by:ngravatt (earned 250 total points)
ID: 11767541
Start putting the policies in place.
You should have at least some security standards or policies, like: what are you going to do if you find a computer infected with a virus? What procedure do you follow to add rules to the firewall? How do you distribute your VPN accounts? Is anyone allowed in your office building, or do you lock the doors at night?

Take SunBow's advice: "You do not tell any outsiders your" EXACT "security policies, whether you think they are good or whether you think they are bad. This is at a minimum anyone's policy, and could be the only answer they can give without compromising their business."

But you should be able to give a brief description without compromising yours or their business.

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 11769665
If you need some quick policies, look at the SANS policy page. It's simple to do find & replace in these documents, and they also happen to be very good templates... they may give you an idea of what your clients may be looking for:
http://www.sans.org/resources/policies/
Pick the policies that apply to your environment, and see if you can get them to fit your situations.
Acceptable Use, Anti-Virus Process, Audit Vulnerability Scanning Policy, E-mail Policy, Ethics Policy and Password Protection Policy should be pretty standard policies.

Professionals (and that sometimes leaves the government out) would give them something to go on... and while just replacing your name in the policies on the SANS page may look good, it's not enough. You should understand and read the documents in their entirety, remove what doesn't work, and add more detail if you can. But you can't tell them you don't have any written policies... because you do... in your head, just not on paper. Hopefully these docs can help organize the policies in your head and put them on paper :)
-rich

Expert Comment

by:Beluga
ID: 11773418
Sounds like you're either responding to a tender, or your client is vetting the security of their supply chain. In either case, be honest. But as above, don't necessarily give everything away. Your client will probably know you're a small company, and will appreciate that many SMEs don't have the same security standards as big business (but explain it anyway, just in case).

If you think you don't have security standards, just turn the question on its head and look at what processes you already use and how they contribute to security.

For example, you may not have Change Management. But you've probably got a manager somewhere who is responsible for vetting orders and signing them off. This is an anti-fraud measure and, assuming the manager is technically aware, it can also provide *some* change management benefits. For example, the manager would hopefully question someone trying to buy an iPaq if the rest of the company is using Palm OS, as this could pose a threat to availability of data. Which could also be giving you technical standards... and so on.

Security standards for small business could be as simple as a couple of pages of dos and don'ts (like using the above process). Then give a very rough summary (a couple of lines) to your client.

Things are different in larger businesses, where there are different managers in different locations, who could be approving different things. This is when a full set of policies is most useful.

I've worked for a variety of small businesses in the past, and the above usually worked out.