Security Basics mailing list archives
Re: Mandate for Security forum
From: Vic Vandal <vvandal () well com>
Date: Tue, 31 Jul 2012 10:06:14 -0700 (PDT)
Tore,

There are obviously different possible flavors for that. Currently I chair a weekly security meeting where individuals from the following departments are invitees.
- InfoSec team
- Database team
- Data Center team (includes computer operations)
- Systems administration/engineering team (servers)
- Desktop support team
- Network team

We have a running list of technology projects (with a clear security relationship or function) that we provide updates on, which are recorded in meeting minutes. Probably the most important thing we do is discuss the many vendor product patches that are released weekly/monthly/quarterly, affecting desktops, servers, databases, network devices, and applications. The security team ranks the risks/exposure involved and collectively we determine if we're going to follow our standard/published patching cycles or put them through an exception process (deploying sooner, later, or not at all). We also review how we're doing on patch deployments and other risk remediation actions that flow from varied system security posture assessments. Meeting attendance amongst the varied group representatives varies from week to week, but overall the process works and provides value.

If you establish a short list of areas you want a security forum to cover that make sense and provide value to your organization, establish a meeting schedule, establish a list of attendees, and keep records of those proceedings and action items, that should meet your stated need.

Regarding other flavors, I've worked places where we had representatives from the following teams (security, network, database, sys-admins, app development, computer operations, and sometimes an end user rep) to help:
- define security requirements for new applications and application architectures, and/or
- assess risks involved in varied systems (proposed, new, or existing).
But that's more of a risk forum than a security forum, although certainly there's overlap between the two.
When I worked for the U.S. Defense department we had varied documentation requirements and review processes regarding new network connections, which I carried to my next brief gig, where I set up and chaired the following.
http://about.usps.com/handbooks/as805d/as805d%20ch2_006.htm

Don't laugh about moving from lofty Defense work to that gig. The USPS had/has the biggest Intranet with the most nodes of any organization, considering that each post office in each city in each of the 50 states including Alaska and Hawaii is a satellite office extension. I only left my Defense job because I wanted to relocate though, and that was the first viable offer in the city/state that I wanted to move to.

That digression aside, I'm kinda shocked that specific review board still exists. It was created over a decade ago, and finding the example on a quick web search surprised me. Some person(s) have taken what we started with and have done a good job expanding the documentation and putting it all together online. Anyway, clicking around the navigation choices to the left on that shared link might provide useful templates for developing your mandate and process descriptions.

Where I currently work we have a few other meeting groups that focus strictly on single technology areas. For example, we have one group that reviews proposed Group Policy Objects for Active Directory, to solve a wide variety of systems management and systems security initiatives. I'm part of that group, which only meets every other week or monthly, depending on requests coming into that queue.

I'll stop there in varying examples. Like I said, there are lots of different flavors possible. Just go back to that 3rd paragraph above, start small, figure out what works and what doesn't as you move along (regarding meeting schedules, documented artifacts, group members, topics), and soon enough you'll end up in a comfortable process that everyone is familiar with.
Regards,
Vic

----- Original Message -----
From: sikkoor () gmail com
To: security-basics () securityfocus com
Sent: Saturday, July 28, 2012 4:53:13 PM
Subject: Mandate for Security forum

Hello,

I have responsibility for security in a medium sized company. We have recently established an information security management system which is based on ISO 27001. As part of this work it was decided that we should establish a security forum consisting of employees from different departments. I am now responsible for writing a mandate for the Security forum :(

Although I have been working on information security for a while, I honestly do not know where to start from. Have any of you done similar work before? Can anyone give me some tips about what such a mandate should look like?

I appreciate all your help. Thanks in advance.

With friendly greetings,
Tore.
Current thread:
- Mandate for Security forum sikkoor (Jul 30)
- RE: Mandate for Security forum Alan Tatourian (Jul 30)
- Re: Mandate for Security forum Mani Akella (Jul 30)
- Re: Mandate for Security forum gold flake (Jul 31)
- Re: Mandate for Security forum Vic Vandal (Jul 31)