
RE: Allowing scanning from home

Subject: RE: Allowing scanning from home
Date: Thu, 28 Oct 2004 12:39:49 -0700
  Your security staff should not be the only team that audits your
network security, but trying to prohibit them from doing so doesn't
sound productive.  (I once worked for a company that didn't trust
the IT security team to touch the machines of the top-level executives
-- which meant, of course, that those became the least secure machines
in the whole organization, when they were the most sensitive....)

  Your intrusion-detection escalation tree should include someone who
is empowered to authorize scans as part of audit processes.  Employees
should obtain authorization from that person before performing such 
tests, just as outside security consultants would.  (Depending on the
scope of testing, it may not be useful to advise every part of the 
chain of an upcoming test, so that the escalation procedure also gets
tested.)

  Authorization should routinely be granted, but exceptions may need to
be made during periods of crucial business activity.  When I've had such
authority, I've added the requestor to a list of people I could call on
as additional resources in the event of a security emergency.

David Gillett


-----Original Message-----
From: ericaldrc51@netscape.net [mailto:ericaldrc51@netscape.net]
Sent: Thursday, October 28, 2004 11:05 AM
To: security-basics@securityfocus.com
Subject: Allowing scanning from home



What's the group's consensus on allowing security staff to 
scan the company's external interfaces from their home, to 
get a true external assessment?  I personally don't agree 
with this for audit and other reasons.  Just looking for some 
other professional viewpoints.  Thx.
