Comments inline.

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787
F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: rob@xxxxxxxxx [mailto:rob@xxxxxxxxx]
Sent: Thursday, December 16, 2004 8:01 AM
To: Midrange Systems Technical Discussion
Subject: Re: Security Products - Firewall

> 1 - We don't use Outlook. We use Notes and Domino.

If done properly, Outlook & Exchange can be secured "well enough".

> 2 - We use Cisco routers and firewalls and have sent our technicians off to extensive training on them.

We use both PIX & Checkpoint; one at either side of the DMZ.

> 3 - We have an exit point package, but have written some of our own also.

Don't have yet.

> 4 - We are looking at SSO.

We do this for some apps and are consolidating others into it. I think you should be cautious about what gets an SSO implementation and also, more importantly, what requires a re-authentication and what takes the existing authentication; i.e. once I'm logged on your PC, can I just hit the browser and go straight to my HR data, or do I have to authenticate again?

> 5 - We have exhaustive documentation on how we believe users should be set up in Windows, Notes and the iSeries.

We have roles, and all accounts are assigned to the appropriate role for the user.

> 6 - We have a formal Domino-based workflow database for approval of new user requests, requests for access to certain areas, etc.

Do you have the same for when employees leave? How about temporary IDs for temps, consultants, etc.? We have a single email box that a manager sends a message to. That single message will trigger the appropriate action on all IT systems, from HR to LAN/Active Directory to midrange, etc.

> 7 - We have made extensive use of Authorization lists, etc. to secure each division's data. However, we have not adopted "Application Only Access".

We're using the business unit security within JDE. Ditto on the app-only access, although I would like to get there in 2005.

> 8 - We have formal documentation of how employees should treat data processing resources.

Do employees sign off on this? We make ours sign off at hire and every year. We also do a monthly communication focusing on some task of IT usage, like password policies, etc. It's also on our intranet.

> 9 - We have our email scanned by Sprint's Messaging Labs, and also use Trend Micro's ScanMail for Lotus Notes.

I forget the vendors beyond BrightMail (now part of Symantec), but we're doing 5 layers of email filtering to trap spyware & viruses. We also block certain attachments.

> 10 - All PCs have virus protection.

How are sigs kept current?

> 11 - We use a pass card on the computer room.

Is the authorization list reviewed periodically? Not only for who can access, but for who has?

> 12 - We make use of several of the system values to restrict passwords. Must balance that one with tempting users to write it on a Post-it note on their computer.

Ditto.

> 13 - We have contracted with IBM to perform benevolent hacking and they are in that process now. And the list goes on.

We use FoundStone. As a service provider, we also allow our clients to conduct non-destructive pen tests against the systems & WAN segments their data is on.

Do you have a security incident reporting mechanism and an incident response team?

This email is for the use of the intended recipient(s) only. If you have received this email in error, please notify the sender immediately and then delete it. If you are not the intended recipient, you must not keep, use, disclose, copy or distribute this email without the author's prior permission. We have taken precautions to minimize the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this message. We cannot accept liability for any loss or damage caused by software viruses.

The information contained in this communication may be confidential and may be subject to the attorney-client privilege. If you are the intended recipient and you do not wish to receive similar electronic messages from us in future, then please respond to the sender to this effect.
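The SSO point raised in the reply above (which applications may ride on the existing desktop logon, and which must force the user to authenticate again before, say, HR data is shown) can be expressed as a small policy check. The following is an added example, not code from either poster or from any product named in the thread; the application names, the two assurance levels, the timeouts and the session fields are all assumptions made for illustration.

```python
"""Step-up (re-authentication) policy for applications behind an SSO portal.

Example code, not from the original post. A session carries the assurance
level of its most recent credential check and when that check happened; each
application declares the minimum level and maximum age it will accept.
"""
from dataclasses import dataclass
from typing import Optional

# Assurance levels (assumed tiers, not from the post).
LEVEL_DESKTOP = 1      # workstation logon passed through by SSO
LEVEL_INTERACTIVE = 2  # user re-entered a credential during this session


@dataclass(frozen=True)
class Session:
    user: str
    level: int
    authenticated_at: float  # epoch seconds of the last credential check


@dataclass(frozen=True)
class Policy:
    min_level: int
    max_age: Optional[float]  # seconds since last credential check; None = any age


# Per-application policy. Application names and limits are illustrative.
APP_POLICY = {
    "intranet": Policy(LEVEL_DESKTOP, None),
    "mail": Policy(LEVEL_DESKTOP, None),
    "hr-self-service": Policy(LEVEL_INTERACTIVE, 300),
    "payroll-admin": Policy(LEVEL_INTERACTIVE, 120),
}


def decide(session: Session, app: str, now: float) -> str:
    """Return "allow", "reauth" or "deny" for `session` opening `app` at `now`.

    An application with no entry is denied rather than inheriting the desktop
    logon, so each app joins SSO by an explicit decision (default deny).
    """
    policy = APP_POLICY.get(app)
    if policy is None:
        return "deny"
    if session.level < policy.min_level:
        return "reauth"  # desktop logon alone is not enough for this app
    if policy.max_age is not None and now - session.authenticated_at > policy.max_age:
        return "reauth"  # credential check is too old; ask again
    return "allow"


def reauthenticate(session: Session, now: float, credential_ok: bool) -> Session:
    """Record a fresh interactive credential check on the session.

    `credential_ok` stands in for the real password or token verification.
    A failed check returns the session unchanged; it neither upgrades nor
    downgrades what the user already had.
    """
    if not credential_ok:
        return session
    return Session(session.user, LEVEL_INTERACTIVE, now)


if __name__ == "__main__":
    # Constructed walk-through: desktop logon at t=1000, HR opened at t=1000,
    # re-authentication, HR again at t=1100 and t=1400.
    s = Session("jdoe", LEVEL_DESKTOP, 1000.0)
    for app, t in [("intranet", 1000.0), ("hr-self-service", 1000.0)]:
        print(app, t, decide(s, app, t))
    s = reauthenticate(s, 1000.0, credential_ok=True)
    for t in (1100.0, 1400.0):
        print("hr-self-service", t, decide(s, "hr-self-service", t))
```

The desktop logon reaches the intranet and mail directly; HR self-service prompts once, then stays open for five minutes; payroll administration prompts again sooner. Separating `min_level` from `max_age` lets an application demand a fresh credential even from a user who has already stepped up once in the session.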
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.