




Re: A question on security guidelines

Subject: Re: A question on security guidelines
Date: Thu, 23 Sep 2004 17:44:55 +0200
Hi Mike,

In a perfect world, the client's written security policy should be 
comprehensive enough to cover all areas of information security, then you 
could simply check each policy rule against their actual practice to make 
sure it's in compliance. However, in the real world that's not usually the 
case. Many companies have been failing Sarbanes-Oxley audits at the policy 
step, which is the first thing the auditors look at. And I'm talking about 
companies you'd think would know better.

The ISO 17799 standard is excellent to use as a guide for verifying every 
aspect of a security program. There are lots of web sites with such 
guidelines posted, but if there's no policy in place, you're just wasting 
your time and theirs.

- Rich



 



Mike Rodriques <miker@otunet.com>
09/23/2004 12:02 AM
Please respond to: miker@otunet.com
To: security-management@securityfocus.com
cc:
Subject: A question on security guidelines








I am wondering if you all can point me in the right direction to find a
template or guide that I can use to evaluate the overall security on a
client network.  I am looking for something along the lines of a
questionnaire or something of that nature.
 
 
Thanks in advance
 

Mike Rodriques
Principal
Open Technologies Unlimited
"We make IT go"
mailto:miker@otunet.com
http://www.otunet.com
(914) 481-6128
(914) 481-6133 Fax
(914) 548-5646 Mobile
