
RE: Security Officer Performance Goals

Subject: RE: Security Officer Performance Goals
Date: Mon, 24 Jul 2006 10:34:26 +0300
All,

 

First I agree with Jimi, for getting HR and legal department in the entire
security puzzle. Ask for job descriptions/definitions from the HR and
transform them into Access Control Rights. By this, apart from producing
something really valuable you get the HR support in the first place, apart
from raising the security level in this department (in fact, these people
are the ones that will inform you on whether you keep on with your job :-)
). Depending on the corporate functions, ask for the Legal Advisor to
cooperate, either by reviewing your policies or by asking/informing on new
legislation, directives, etc. You know that the Legal Advisor's role in the
entire business function is of major significance. Do not forget that, in
case of a security breach, you may lose your work; members of the board may
go to prison. If senior management does not understand finance or security,
they surely understand legal (tip: do not speak legal, let the legal advisor
do this).

 

Once in a while, always show your presence - send out an email to a group of
users saying "Thank you for complying with our IT Security Policy". With
this you support the user for keeping on complying with the policy and, on
the other hand, you make it clear that someone is watching.

 

Of course, do not underestimate proactive measures, but do not underestimate
post-incident procedures as well (like ISO 17799 does). Do form a plan for
getting informed on what the users discover; you get their support again and
you also relieve them from the aching procedure of knowing what to do (in
fact, it's your job). Finally, you let them know that you are here, you show
that you know what to do, you also do what your job indicates.

 

Senior management is another issue. I've seen, for example, that large,
enterprise-wide SSO projects that would have normally absolutely no luck
(financially speaking) came into reality only because the CEO wanted a "sexy"
RSA USB token in his keyring (next to his Lexus key). Security Marketing is
what normally these people understand. I believe that the traditional
security-financial approaches (we must spend this to prevent losing
that) are rather outdated. Do work out some security marketing projects
(e.g. change the log-in screen by using a custom message and re-design the
msgina.dll to include your company's logo (and a reference to the policies)
).

 

In a rapidly changing security landscape, security projects may arise as
side-IT projects. As an example, remote access is normally treated by VPN
clients, but does anyone integrate client security/access
rights/auditing/accounting, etc? Do get involved with other IT departments
to comment on your personal security view. If you find it difficult, ask
other IT departments to comment on potential security projects you're held
responsible for.

 

When cooperating with partners, vendors, system integrators, etc. do invest
in building your network of interpersonal contacts. Ask them to participate
in forums, technical days, conferences and exhibitions they frequently
organize or publish an article in the journals they issue. On one hand, it
will be useful for them (again marketing) and you will also promote your
organization, in terms of security. Last but not least, you show the people
that you exist, you work hard and you have the capacity to share your
thoughts and present them to the (general) public.

 

Finally, I also agree about end-user and management training (although I
believe management does not participate in training programs). Also, do not
forget your personal training, since you need to keep your skills up-to-date
(tip: find free ones).

 

All in all, do not work alone in IT Security only.

 

Yet another 2 ½ cents.

 

Dimitrios G. Patsos

PhD (Cand.), M.Sc., CME.

Email: dpat@space.gr

  _____  

From: Thompson, Jimi [mailto:JimiT@mail.cox.smu.edu] 
Sent: Friday, October 03, 2003 8:48 PM
To: security-management@securityfocus.com
Subject: RE: Security Officer Performance Goals

 

All,

 

The first place I want to partner with in a new environment is not IT but HR
and Legal.  Their buy-in and assistance can be invaluable, should the going
get rough.  I think that one of the absolute metrics that you should be able
to produce is x number of attendees to a "Security Awareness" class that
you/your department should be teaching. Periodic attendance should be
mandatory, just like the sexual harassment classes.  Security starts with
the end user not doing things like putting their password on a sticky note.
</gml_replace>
<gr_replace lines="131-132" cat="clarify" orig="things like legal">
things like legal liability, data retention policies, acceptable uses of the
company's network, etc.  It's more management specific and covers areas
There should be a separate class for managers and supervisors which covers
things like legal liability, data retention policies, acceptable uses of the
companies network, etc.  It's more management specific and covers areas
where a supervisor might need to counsel or discipline an employee.  You
should also be able to show metrics for attendance for this as well.   Since
it's conducted in house, most companies will give them a green light.

 

You should also be producing reports for management on a periodic basis that
detail the current list of vulnerabilities and how they will be addressed.
From the second report on, these reports should show what was fixed
previously and what is left or new.  You should also be able to show metrics
on your audits (i.e. number of systems, etc.).  There should also be
periodic external independent security audits.  You should be measured
against this as well.  

 

You have to be really careful about releasing information about any kind of
a breach, even the trivial ones.  Most highly charged environments don't
want to have information about a breach disclosed even within the company.
You have to have a feel for the company and respect their wish for privacy.
Businesses have been known to go bankrupt simply because of rumors about
them "getting hacked".  Few people know or understand the difference between
"getting hacked" by having your web site defaced and "getting hacked" by
having your customer list streamed through a chat room.  The first is a
minor annoyance in the overall scheme of things and shouldn't be cause for
serious alarm (as long as the damage is confined to the web server).  The
second is serious and usually involves legal requirements for notification
of the customers, etc. and is cause for serious alarm.  The news media
doesn't make that distinction since the more sensational it sounds,  the
more it sells.  

 

I would also counsel caution on announcing that you aren't "vulnerable" to
anything until you've had the opportunity to test it.  The one time you are
wrong will likely blot out the other 50 times you have been right.  Once you
can see that all the Blaster traffic is being stopped at the firewall (just
an example) and that all the machines are patched against it, sending out
an email informing everyone that "Blaster" isn't going to be an issue is
certainly appropriate.  It calls attention to the "backend" work you've been
doing and it calms people down.  

 

2 ½ cents,

 

Ms. Jimi Thompson, CISSP

 

-----Original Message-----
From: Filip Van Laenen [mailto:fvl@computas.com] 
Sent: Friday, October 03, 2003 1:51 AM
To: security-management@securityfocus.com
Subject: RE: Security Officer Performance Goals

 


Hi,

 

I have more or less the same problem, but here is something:

 

We had a security breach not so long ago, and I'm writing a report about it
describing what went wrong, and also describing how much worse it could have
been had we not done the things that I said we had to do.

 

Otherwise I post a message from time to time about some new virus or worm
that's out there, and why we aren't hit by it (when I'm 100% sure we won't
be hit), especially if it's the type of virus that causes a lot of spam or
one that is in the newspapers.

 

Filip

-----Original Message-----
From: Jeff McLaughlin [mailto:JMclaughlin@springsgov.com]
Sent: 2. oktober 2003 21:08
To: security-management@securityfocus.com
Subject: Security Officer Performance Goals

Hi,

How would you (or do you) describe measurable goals of the Security Officer
position in a corporate setting?

I'm having a bit of trouble defining this since much of my position is
proactive and stopping a threat before it happens.  I seem to get greater
visibility when a threat is active and I am able to mitigate or eradicate it
in a more "public" setting.  

People/management believes they are immune to security risks since none have
happened.  They can't take it a step further to say "perhaps that security
officer had something to do with this".  In this world of budget cuts and
downsizing, I feel I need to advertise what the security officer is
accomplishing so I can either keep my job and/or get budget so I can
continue what I'm doing.  The only way I think I can really get people's
attention is to actually have a security breach where real data/systems were
impacted and the people that use them.

I'd be real appreciative of anyone who would not mind passing
along their goals.

Thanks, 

Jeff McLaughlin
