Security Basics mailing list archives

Re: Mandate for Security forum


From: Vic Vandal <vvandal () well com>
Date: Tue, 31 Jul 2012 10:06:14 -0700 (PDT)

Tore,

There are obviously different possible flavors for that.  Currently I chair a weekly security meeting where individuals 
from the following departments are invitees.
- InfoSec team
- Database team
- Data Center team (includes computer operations)
- Systems administration/engineering team (servers)
- Desktop support team
- Network team

We have a running list of technology projects (with a clear security relationship or function) that we provide updates 
on, which are recorded in meeting minutes.  Probably the most important thing we do is discuss the many vendor product 
patches that are released weekly/monthly/quarterly - affecting desktops, servers, databases, network devices, and 
applications.  The security team ranks the risks/exposure involved and collectively we determine if we're going to 
follow our standard/published patching cycles or put them through an exception process (deploying sooner or later or 
not at all).  We also review how we're doing on patch deployments and other risk remediation actions that flow from 
varied system security posture assessments.  Meeting attendance amongst the varied group representatives varies from 
week to week, but overall the process works and provides value.

If you establish a short list of areas you want a security forum to cover that make sense and provide value to your 
organization, establish a meeting schedule, establish a list of attendees, and keep records of those proceedings and 
action items, that should meet your stated need.

Regarding other flavors, I've worked places where we had representatives from the following teams (security, network, 
database, sys-admins, app development, computer operations, and sometimes an end user rep) to help:
- define security requirements for new applications and application architectures, and/or
- assess risks involved in varied systems (proposed, new, or existing).

But that's more of a risk forum than a security forum, although certainly there's overlap among the two.

When I worked for the U.S. Defense department we had varied documentation requirements and review processes regarding 
new network connections, that I carried to my next brief gig, where I set up and chaired the following.

http://about.usps.com/handbooks/as805d/as805d%20ch2_006.htm

Don't laugh about moving from lofty Defense work to that gig.  The USPS had/has the biggest Intranet with the most 
nodes of any organization, considering that each post office in each city in each of the 50 states including Alaska and 
Hawaii is a satellite office extension.  I only left my Defense job because I wanted to relocate though, and that was 
the first viable offer in the city/state that I wanted to move to.
That digression aside, I'm kinda shocked that specific review board still exists.  It was created over a decade ago, and 
finding the example on a quick web search surprised me.  Some person(s) have taken what we started with and have done a 
good job expanding the documentation and putting it all together online.  Anyway clicking around the navigation choices 
to the left on that shared link might provide useful templates for developing your mandate and process descriptions.

Where I currently work we have a few other meeting groups that focus strictly on single technology areas.  For example 
we have one group that reviews proposed Group Policy Objects for Active Directory, to solve a wide variety of systems 
management and systems security initiatives.  I'm part of that group, which only meets every other week or monthly 
depending on requests coming into that queue.

I'll stop there in varying examples.  Like I said, there are lots of different flavors possible.  Just go back to that 
3rd paragraph above, start small, figure out what works and what doesn't as you move along (regarding meeting 
schedules, documented artifacts, group members, topics), and soon enough you'll end up in a comfortable process that 
everyone is familiar with.

Regards,
Vic

----- Original Message -----
From: sikkoor () gmail com
To: security-basics () securityfocus com
Sent: Saturday, July 28, 2012 4:53:13 PM
Subject: Mandate for Security forum

Hello,
I have responsibility for security in a medium sized company.
We have recently established an information security management system which is based on ISO 27001. As part of this 
work it was decided that we should establish a security forum consisting of employees from different departments.

I am now responsible for writing a mandate for the Security forum :( Although I have been working on information 
security for a while, I honestly do not know where to start from.

Have any of you been out in similar work before? Can anyone give me some tips about what such a mandate should look like?

I appreciate all your help.

Thanks in advance.

With friendly greetings.

Tore.

