Specifically for midrange or in general?
- For midrange, we run penetration tests.  Otherwise (right now at
least) get by with controlled network access, tightened system security
& no 3rd party security apps.  If I can get approval, I'll be adding a
security app in the future.
- For the network and Windows servers, we do intrusion detection,
penetration testing, and log file consolidation from routers &
firewalls.  At network login, AV signatures are auto-updated.
- The above is in addition to multiple levels (5) of anti-spam filtering
for email (with filter updates every 15 minutes), multiple anti-virus
packages (with definitions updated multiple times per day),
anti-spyware, Windows/Active Directory policies, "reduced" signon (vs.
single signon), employee "in" and "out" processes, DR planning/testing
for every production server including midrange, physical security of the
data centers, insurance against loss/theft/vandalism, redundant network
connectivity through multiple vendors, we review access lists for
sensitive areas, no generic user accounts, etc.


Moving to a higher level...

A good security program has to start with support from your firm's
management.  You won't get anywhere without their backing, not only from
a funding standpoint but you'll need their support when you have to tell
someone they're violating policy.  From there, appropriate security
policies are developed to address your needs (samples can be found at
http://www.sans.org/resources/policies/).  The policies will speak to
regulatory requirements & best practices for your industry, SEC & other
financial requirements for audit & protection (SarbOx, GLB, etc.), and
general consensus on good security practices.  At a high level they
should cover the 10 domains defined by (ISC)2:
https://www.isc2.org/cgi/content.cgi?category=8.  From the policies will
come the recommendations for the necessary procedures to support the
policies.  From there you do staffing & vendor/product selection.

If you have an internal audit team, they can help by providing their
audit criteria.  That criteria will also prove useful in drafting the
policies & procedures as it should at a minimum cover whatever's
necessary for compliance.

You might want to visit the local chapter meeting of ISSA:
http://www.issa.org/ or consider attending an infosec conference (I can
list a few if you're interested).  While not generally geared towards
midrange, the variety of security concerns, practices, and products is
quite interesting and is generally applicable to all computing
environments.


I don't think all companies need a CISSP (see (ISC)2 link above) or SANS
GIAC person on staff, but it might prove valuable to ensure any security
consultants you may use have some recognized vendor-neutral
certification.

<commercial>
As a certification, CISSP is not tied to any vendor's products nor any
single legislative body (it is international in scope).  It requires
years of job experience in addition to passing a difficult exam to
achieve and has to be maintained by continuing education.  There is also
a specific code of ethics that we're required to adhere to
(https://www.isc2.org/cgi/content.cgi?category=12).
</commercial>

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787  F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: Mike Berman [mailto:mikeba777@xxxxxxxxx] 
Sent: Thursday, December 16, 2004 7:38 AM
To: Midrange Systems Technical Discussion
Subject: Security Products - Firewall


I am looking at our Security issues and needs. What Products if any do
you have installed and use? What are some important measures that you
have or have instituted?

Thank you,

M.B.

