Help me complete security info request

  • Question

  • Hi,

    I setup a PC for new small business.

    PC Description:

    Two 500GB hard drives in RAID 1 configuration. Genuine Windows XP Pro SP3; set up 2 limited accounts (1 owner / 1 employees) and 1 admin account for me. Norton Internet Security 2009. Data backup using Memeo Backup with encryption enabled to an external water-proof & fire-proof USB hard drive, which I installed above the ceiling upon their request (bad location in my opinion: heat goes up, and the roof will be the first thing to go. I told them; still...). I set them up with LogMeIn-Pro for remote desktop and file synchronization with a single work folder; LogMeIn is set up for very restricted access for employees.

    Now they need to complete some form for a registration for a license or permit and they've asked me to help them answer the following questions:

    1)      Describe the security that your organization uses to protect information.

    2)      Who is responsible for security strategy? (the owner)

    3)      How many resources are dedicated to information security?

    4)      Is the strategy successful?

    5)      Is the strategy adequate for the risk

    6)      Has the environment been challenged

     I would really appreciate some help answering these questions properly from anyone with more experience in security than I have, because it is not clear to me exactly what they are asking on most of these questions. I would answer yes to 4 and 5 and no to 6, if that short an answer will do; mostly I need help with 1 & 3.

    Thank you in advance for any input.

    Monday, June 1, 2009 3:50 PM

Answers

  • Sure, that would be great. Let's go one at a time. I will try to explain this with my experience of 3-4 years in Linux security.

    1)      Describe the security that your organization uses to protect information.

    ANS: Well, when it comes to this question of describing the security, the following points will be assessed:

      a->Identification
      b->Authentication
      c->Authorization
      d->Risk Assessment
      e->Reconnaissance
      f->Surveillance(in other terms how vigilant you are)/Readiness.
         etc...

    You can find more about this at the information security brochure by clicking on the link below:

    http://en.wikipedia.org/wiki/Information_security


    2)      Who is responsible for security strategy? (the owner)

    ANS: This question asks, if something goes wrong, who would be the first guy to catch? :))) Just kidding. Well, it means who would be responsible for designing and implementing all the points stated in the previous answer. However, security is too big a field to be deployed by an individual; it precisely means the lead of the security experts in your organisation, which may be you.


    3)      How many resources are dedicated to information security?
    ANS: Well, this may mean anything from financial resources to the resources included in establishing your company's security fence, say a dedicated firewall, a dedicated IDS, a dedicated traffic disinfecting system, etc. It also means the number of security experts involved in the process of executing the word "security". :)

    4)      Is the strategy successful?
    ANS: Well, this would be a tough question to answer. You can try banging on your company's servers yourself to do some ethical hacking, and if you find any vulnerability, lock down the service or apply a patch and show a status report of it to IT management. However, there are many sophisticated ways in which a corporate network may be compromised, for example social engineering.

    5)      Is the strategy adequate for the risk
    ANS: Well, it is again the same as the above, and here the employees of the organisation come into the picture. You need to train them carefully so that you can try to make social engineering attacks futile. One more point is that it is not enough to defend your network from external intruders; you must also keep an eye on internal users, who have higher privileges than an external intruder because they already know much of your company's network infrastructure and may constantly try to punch a hole through it, which in turn may be a blessing to an external intruder if he finds any loophole implanted into the systems, since it will ease his job. :)


    6)      Has the environment been challenged
    ANS: Again, this depends upon what type of clients you support.
    However, it is advisable to tighten up the bells, as there are more aspiring hackers and deadly script kiddies around with stealthy tools. :)

    Hope all this helps; if not, please do revert to this thread.

    Regards, KOWSHAL H.M. a.k.a W@R10CK
    Tuesday, June 2, 2009 12:28 AM
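Added example, not from either post above: one concrete way to back up the answers to questions 1, 4 and 5 with evidence instead of a bare "yes", by checking that the workstation still matches the account layout the question describes (one administrator account for the consultant, limited accounts for the owner and employees, built-in Guest disabled). It parses the output of the built-in `net localgroup Administrators` and `net user Guest` commands in the layout Windows XP prints. The account names (`consultant`, `owner`) and the sample command output are constructed for illustration, and `run_net` is a small helper assumed here for running the same check on the live machine.

```python
"""Least-privilege check for the local accounts on a small Windows workstation.

Added example, not code from the question or the answer. It parses the text
printed by the built-in `net localgroup` and `net user` commands (the layout
Windows XP prints) and reports drift from the intended setup: only the
expected accounts in the local Administrators group, every expected
administrator actually present, and the built-in Guest account disabled.
Account names below are hypothetical.
"""
import subprocess
from typing import List, Set


def parse_localgroup_members(text: str) -> List[str]:
    """Return the names listed under the dashed rule in `net localgroup <group>` output."""
    members: List[str] = []
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_members = True          # member names start after the rule
            continue
        if not in_members:
            continue
        if not line or line.startswith("The command completed"):
            break                      # end of the member list
        members.append(line)
    return members


def parse_user_field(text: str, field: str) -> str:
    """Return the value of one 'Field   Value' row of `net user <name>` output."""
    for raw in text.splitlines():
        if raw.startswith(field):
            return raw[len(field):].strip()
    raise ValueError(f"field {field!r} not found in net user output")


def audit(admins_output: str, guest_output: str, expected_admins: Set[str]) -> List[str]:
    """Compare `net` output with the intended account layout; an empty list means pass."""
    findings: List[str] = []
    actual = set(parse_localgroup_members(admins_output))
    for name in sorted(actual - expected_admins):
        findings.append(f"unexpected member of Administrators: {name}")
    for name in sorted(expected_admins - actual):
        findings.append(f"expected administrator missing from Administrators: {name}")
    if parse_user_field(guest_output, "Account active").lower() != "no":
        findings.append("built-in Guest account is enabled")
    return findings


def run_net(*args: str) -> str:
    """Hypothetical helper: run the built-in `net` command on a live Windows host."""
    return subprocess.run(["net", *args], capture_output=True, text=True, check=True).stdout


# Constructed sample output in the layout `net` prints; names are hypothetical.
ADMINS_AS_BUILT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
consultant
The command completed successfully.
"""

# Same group after someone added the owner's daily account to Administrators.
ADMINS_DRIFTED = ADMINS_AS_BUILT.replace("consultant\n", "consultant\nowner\n")

GUEST_DISABLED = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
Account active               No
Account expires              Never
The command completed successfully.
"""

GUEST_ENABLED = GUEST_DISABLED.replace("Account active               No",
                                       "Account active               Yes")

EXPECTED_ADMINS = {"Administrator", "consultant"}

if __name__ == "__main__":
    # On the workstation itself, feed the live command output instead of the samples:
    #   audit(run_net("localgroup", "Administrators"), run_net("user", "Guest"), EXPECTED_ADMINS)
    for label, result in (("as built", audit(ADMINS_AS_BUILT, GUEST_DISABLED, EXPECTED_ADMINS)),
                          ("drifted", audit(ADMINS_DRIFTED, GUEST_ENABLED, EXPECTED_ADMINS))):
        print(label, "->", result or "no findings")
```

Run on the live machine, the empty result for the "as built" case is the kind of dated evidence a form reviewer can accept for "is the strategy successful", and rerunning it after every change turns the one-off setup into a repeatable check rather than a claim.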