Details in security operations – Beijing CCClub Conference
On April 18, 2007, CCClub, an organization of security professionals in China (holders of CISSP, CISA and similar certifications), held a conference in Beijing. The organization is chartered to build a friendly, fair community for discussion and knowledge sharing. Check out the agenda of this conference. Dr. Wang Jie introduced the latest events and trends in information security in the USA. He shared some impressive “Botnet yer pay” and the related industry chain: vulnerability discovery – exploit development – botnet operation – spamming or attack service. Dr. Wang is trying to introduce more Made in China security products into the USA market.
In my session, I shared my experience that security managers should pay more attention to the details of operation execution and policy implementation. No doubt, it’s always a virtue of security managers to “think high”. In one old post, I summarized 5 key memory points for a security manager: plan, communicate, leverage consultancy, always resolve the Top 3 questions, develop toolkits. That was written when I was the principal consultant of CA. However, after my recent 8 months of experience in security operations, I think we must pay much attention to the details of execution. Even if you have a very good vision and plan, you will encounter a lot of trouble during execution if you don’t prepare the details well.
As a checklist, I recommended 6 detail items to security managers, using desktop security management as the example:
- 1 Awareness. For most security projects, awareness is one of the most important points on which security people should spend time and resources.
- 2 VIP support. VIPs are the people who have the power to sign off on the final scores of your project/program. You should care about the perception of not only the CIO, but also the VIPs from business and support functions.
- 3 Installation/Managed Rate. It’s nonsense to talk about pure technologies or products in desktop projects. Generally speaking, there is not a big gap among the products from vendors with a global presence. For example, I don’t think Symantec, McAfee and TrendMicro differ much for an enterprise. They all may work. They all may not work. The final effectiveness depends on the real deployment, where you will find that “installation rate” and “managed rate” are two of the most important figures.
- 4 Penalty. Before you expect your security policy and regulations to be executed perfectly, you’d better think over what the proper penalty is for possible violations. The penalty may differ for each country and GEO. It’s related to enterprise culture.
- 5 Roles and responsibilities. Security managers should be aware of roles and responsibilities in the context of each project and program so that they can work out a clear picture of who should do what for security.
- 6 Technology of technologies. As the security manager, you are not necessarily an expert in security products and technologies. There are too many products on the market: firewall, IDS/IPS, anti-virus, audit, SCC/SOC, authentication, forensics, SSO, PKI/CA, etc. Instead, you should be familiar with what kinds of technologies can help resolve your high-priority problems.
Click here to download my slides in Chinese.

