We're taking on a new client, and their standards requirements are a bit beyond anything we've ever encountered.
I just finished going through a nearly-600 line spreadsheet answering questions about our network's physical and logical security controls. It also included questions about our in-place security policies and what was covered by them. Nothing in the questionnaire was a bad idea to have implemented, but the sum total was a bit overwhelming.
We do have a security policy; it's covered in a page or so of the employee handbook. It's implemented, as well, but beyond that, everything has been done according to a relatively "common sense" approach. To remedy this lack of standards, my boss and I are currently going through the SANS Institute's "Security Policy Project", and I've got to say, it's more overwhelming than the original spreadsheet.
We've accumulated about 15 documents that we think apply to our situation, and we're in the middle of revising them and customizing some of the technologies they cover to work for us. After they get drafted and approved, I get to implement them. I can't wait.
The hardest part will be a change in mindset for the users. I can't wait to see how the operations side responds to this. I suppose it's the price you have to play for running with the big dogs, so to speak.
Which brings me to my question. Does your company have a codified security policy? Do you ever do spot checks, or audits? Do you abide by the policy?
As always, I have anonymous comments enabled, so feel free to comment as such if you are worried about revealing too much about your network.
skip to main |
skip to sidebar
A blog for IT Admins who do everything by an IT Admin who does everything
Blogs I frequently don't have time to read
Posts
Blog Archive
-
▼
2008
(184)
-
▼
July
(21)
- Security Policy Best Practices
- Life After Windows?
- Arranging your workspace
- Fascinating behavior from a linux host
- Proper Disclosure of Technology
- Happy Sysadmin Day
- HOWTO: Server Cable Management
- Excellent Linux Command: dmidecode
- More on Admin Responsiblity
- NAT: Unjustly maligned or a soon-to-be anachronism?
- Escape from NJ
- Wednesday Guest Blog
- Monday Guest Blog
- (Short) Story time
- Final Preperations
- Cataloging parts for the move
- Stupid Routing Tricks
- The effects of Slashdot
- Remote Claustrophobia
- Logical Network Diagrams
- DNS Names for internal hosts
-
▼
July
(21)
People following this blog
Other affiliations / blog groups
Calling all guest bloggers
Do you have an idea for a blog entry that you want to write? Do you have a blog entry that you've already written, but don't have a place to publish it? I'm definitely interested!
As I don't make any money on this site, I can't offer to pay you for it, but I will happily link to whatever web presence you'd like. My current subscriber count is right around 500 people, so your article would be viewed by a lot of people.
To get in touch, email me at
standalone.sysadmin@gmail.com
As I don't make any money on this site, I can't offer to pay you for it, but I will happily link to whatever web presence you'd like. My current subscriber count is right around 500 people, so your article would be viewed by a lot of people.
To get in touch, email me at
Twitter / standaloneSA
Automatically Generated Amazon Ads
Labels
- security (14)
- networking (13)
- storage (12)
- vacation (9)
- administrivia (8)
- advice (7)
- guest blog (7)
- server room (6)
- virtualization (6)
- backup (5)
- learning (5)
- monitoring (4)
- nagios (4)
- whining (4)
- asking questions (3)
- blog (3)
- cat5 (3)
- fail (3)
- fiber (3)
- physical infrastructure (3)
- remote management (3)
- troubleshooting (3)
- windows (3)
- CLI (2)
- LVM (2)
- archive (2)
- colocation (2)
- debian (2)
- debugging (2)
- dns (2)
- esxi (2)
- giveaway (2)
- hardware (2)
- howto (2)
- laptop (2)
- lisa (2)
- policy (2)
- preblog (2)
- racks (2)
- redundancy (2)
- tech support (2)
- telecom (2)
- training (2)
- vmware (2)
- vpn (2)
- AoE (1)
- IPv6 (1)
- Level3 (1)
- Linux (1)
- NAS (1)
- QA (1)
- QC (1)
- T1 (1)
- active directory (1)
- article (1)
- automation (1)
- bandwidth (1)
- benchmark (1)
- bgp (1)
- blackberry (1)
- blogiversary (1)
- books (1)
- burnout (1)
- business (1)
- centos redhat ldap bugzilla (1)
- checklists (1)
- cisco (1)
- clusters (1)
- competition (1)
- conference (1)
- convention (1)
- cooling (1)
- database (1)
- documentation (1)
- education (1)
- encryption (1)
- ethernet (1)
- ethics (1)
- fibre channel (1)
- filesystems (1)
- fire (1)
- freebies (1)
- heroics (1)
- high availability (1)
- imaging (1)
- incident response (1)
- installation (1)
- international (1)
- iscsi (1)
- kvm (1)
- ldap (1)
- leasing (1)
- licenses (1)
- link (1)
- load balancing (1)
- marketing (1)
- mobile (1)
- money (1)
- openbsd (1)
- oracle (1)
- osx (1)
- passwords (1)
- patching (1)
- project management (1)
- rack unit (1)
- raid (1)
- recycling (1)
- remote desktop (1)
- resources (1)
- routing (1)
- rss (1)
- safari (1)
- sage (1)
- san (1)
- shortcuts (1)
- slashdot (1)
- small infrastructure (1)
- social networking (1)
- soho (1)
- ssl (1)
- stress (1)
- switches (1)
- systems administration (1)
- technology (1)
- terminal server (1)
- time management (1)
- top list (1)
- toplist (1)
- twitter (1)
- uptime (1)
- usenix (1)
- wireless (1)
- xen (1)