Thread: Advice on New Infosec position

  1. #1 (Senior Member, joined Aug 2003, 224 posts)

    My company has finally decided to create an infosec department. This group will be headed by a long-term co-worker who has 15+ years of experience in networking infrastructure and security. This will be an all-new experience for our company, however, and a fresh start on a new trail in my career path.
    Usually it's best to start things right (don't give the puppy a chance to poop on the floor and you will not have to rub his nose in anything), so I was wondering, for all of you guys out there who have experienced a newly developed infosec group, and considering hindsight:
    1. What should be requested up front?
       a. Test environments
       b. Triple-head display cards
       c. Intrusion detection software
       d. etc., etc.
    2. Should there be segregation from the rest of the IT dept.?
    3. What duties should coincide with the infosec dept.?
    4. First course of action, such as planned projects and immediate tasks?
    5. What responsibilities should fall within the group?

    These are just the questions that I have on my mind at the moment.
    _______________________________________________________
    Since there are a lot of you guys out there that have witnessed an infosec dept. at birth, I was hoping that I could learn from your experiences.

    Thanks Ahead of Time.
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  2. #2 (Banned, joined May 2003, 1,004 posts)
    First develop some high level policy based around ISO17799/BS7799. I have a structured walkthrough and am working on an automated auditing tool for these standards, PM me if you would like them.
    Pick up the following books:

    IT Governance

    Information Security Policies, Procedures, and Standards

    These should set you on the right path and will let you know what further questions you need to be asking.

    catch

  3. #3 (Senior Member, joined Oct 2001, 748 posts)
    The Process of Network Security by Wadlow is another good book that details processes for ITsec.

  4. #4 (Senior Member, joined Jan 2002, 371 posts)
    Some quick things off the top of my head.

    1. Most importantly, put a fair bit of time in developing all of your security policies and standards. If you think you need one...write one!

    2. Duties (a bit hard to be accurate without knowing details about your company, but I'll do my best)
       a. Administration: what your environment is like will determine your administration duties (i.e. firewall admin, router ACLs, various password admin/resets, ...).
       b. The IT sec team should be across all new projects or new initiatives your company is undertaking and identify any security risks/exposures. (Tip: it is easier to mitigate security risks in projects during their development phase rather than trying to secure them once they are in production!)
       c. Security investigations in case of an incident or breach of security.

    3. Try and educate your employees early regarding the importance of security best practices, i.e. disclosing passwords etc.

    4. I think that a good security team needs to interact positively with other IT departments, so physical segregation may actually work against you. Although, I know that some may have a difference of opinion.

    If I think of anything else...I will be sure to post it.

    Good luck!!!
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  5. #5 (Senior Member, joined Aug 2003, 224 posts)
    Catch, Mohaughn and SoggyBottom.
    I thank thee for this knowledge, which I consider priceless. This is exactly what I was hoping for. Catch, I'll PM you later on this. I've got to work a late one tonight patching MS03-037...
    Once again,
    Thanks

  6. #6

    Some recent experience with this myself...

    Good advice and guidance from Catch and SoggyBottom, and I would like to add to that...

    About 1+ years ago I started a security office too, and here are some thoughts from that experience.

    (Note: no particular order)

    1. Policy Development: Everyone else hit on this too; without these you don't have a way of telling your users and admins how to "behave" (re. what they are allowed to do and not to do), if you will, and you won't have anything to enforce.

    2. Profile Your Environment: You must know what you have in order to know what to assess and protect. Get network diagrams from network engineers, get a list of servers (IPs, platform, what apps they run) from systems people, PBX info from telecom people, desktop environment from client services... you get the idea.

    3. Risk Assessments: Need vulnerability scanners, tools, tools, tools... and hardware to run them on (re. servers, desktops, laptops). PM me and I can send you a list of my favorite tools for vulnerability assessments and such.

    4. Money!!! You need some test hardware, vulnerability system(s) (hw, sw) for network, server and client testing, and tools.

    5. Organizational Issues: In general you need to be granted authority that's high enough so that people (administrators, users) will listen to you. If you tell them to patch and they don't, and they don't report to the security office... what are you gonna do? Some sort of executive sponsorship and/or mandate will help you. Everyone has a different opinion on this, but most would probably advise reporting outside of IT/IS. This helps avoid the "fox watching the hen house" syndrome. My office actually reports to the IT Director and is in the same office as the network and systems folks. This reporting relationship helps get the patching done on my terms since I manage both. Looking at the posts, SoggyBottom tackled this one pretty well.

    6. Duties: Remember you're assessing, advising, and managing risk. The security office assesses and reports on current vulnerabilities in the infrastructure and assesses new ones, but in most cases is not the entity actually carrying out the remediation activities (re. patching and upgrading the systems). Remediation belongs to the owners. This is the case mostly with small/mid-size to large organizations: small businesses usually do both, but try to avoid that - you won't have time!

    7. User Education: SoggyBottom covered this and I will reinforce... Users are the weak links; make them the strong ones. Educate on email practices, anti-virus, screen savers/password protection, passwords, social engineering, etc. etc. We distributed a guide that I can provide you if you PM me.

    As you can see, lots to do, and I'm sure you already know that.

    Hope this helped some, good luck!

  7. #7 (Senior Member, joined Aug 2003, 205 posts)
    Here is a white paper from Cisco that may help you in addition to the recommendations made by others.

    Network Security Policy: Best Practices White Paper By Cisco
    http://www.cisco.com/warp/public/126/secpol.html
