SME's can have Hipaa, can have GLB, can have various State laws
affecting them. I don't think I can point to a one encompassing 'this
is what they need to follow" ruleset as most of the security guidance is
this 'vague' best practices but no black and white details.
Quite honestly it depends a lot on if the network contains data that
could result in a breach of identity data. If the network doesn't
contain sensitive data.... the risk is lowered. I'm assuming your
questionaire starts with this?
Brad Bemis wrote:
There are a few options available to you, but considering the
technical level of detail you are looking to go into - try taking a
look at http://www.cert.org/security-improvement/index.html. You may
also want to look at the OCTAVE framework that they sponsor, but it
may be a bit more involved than what you need -
http://www.cert.org/octave/.
These should help get you started...
-Brad Bemis, CISSP, CISA
-----Original Message-----
From: sukh.gill1@btinternet.com [mailto:sukh.gill1@btinternet.com]
Sent: Sunday, January 08, 2006 4:31 AM
To: security-management@securityfocus.com
Subject: Research Help
Hi All,
I'm presently conducting research for my final year dissertation; the
project entails creating a software application to help SME's assess
their network security posture. Using a questionnaire based database
the application will highlight areas of concern and provide a gap
analysis report. Areas that I will touch on include:
Perimeter Firewalls, Router ACL's, TCP wrappers, DMZ objects (SMTP and
Web servers), Virus and Proxy Servers, NOS, WLAN,IDS and DNS servers.
I need the groups help on the following point:
What official network security standards can I use for my gap analysis
report?
Cheers,
S Gill
