All,
Greg Collins <gcollins@dqisystems.com> wrote on Tue Feb 17, 1998:
>
> This is a topic of great interest to me, as I provide networking services to
> my customers. One of the services we have been asked to perform is a
> 'security audit/security review'. When I view "network security" I see
> everything from OS security to how the internal network is configured. Of
> course Internet firewalls and WAN routing also come into play. We have
> performed audits where we tested the physical security of a facility. The
> list of possible security problems is almost endless. I would be most
> interested to hear what you guys and gals consider important areas of
> security. Here are some of the areas we check during an audit/review.
>
The first thing I review is the Security Policy Manual. That needs two
types of analysis: does it do what it purports?, and is it "necessary and
sufficient?" The first item includes reviewing other manuals, such as the
System Administrators Procedure Manual. The remaining items on this list
are good, very good, but if they are not covered in the Security Policy,
UGH! and OUCH! That document defines how 'that particular' organization
wants to implement security.
> Security Policies
> Security Policy Enforcement
> Physical Security of systems, communications closets and desktop systems
> OS Security
> Password usage, strength
> Employee Training
> Internal Network Config (LAN and WAN)
> Internet Protection
>
> Greg Collins
Of course, part of the job is to help upgrade the Security Policy to perform
at the level the hiring authority wants to have it. Now, you earn the big
bucks you make ..., right? The technology is the (relatively) easy part.
Automating logging is easy. Getting the Engineers to accept that every call
made will be tracked, and the political fall-out from that, is not so easy.
Everyone understands the need for security, but it is always easier on the
other side of the sub-net.
Comments?
Bob De Witt,
rdew@el.nec.com
The views expressed herein are my own,
and are not attributable to any other
source, be it employer, friend or foe.
ps- I should have included education as part of the distribution of effort:
60% social and education, 25% political, and 15% technological. -rd
pps- The policy book by Charles Wood lists at $495.00, and I have not seen
any discount, nor have I seen a copy to convince me it is worth it. -rd
Ciao ...