Details in security operations - Beijing CCClub Conference (reposted from Dr. Zhao Liang's English blog)

sunnyzhou1210

May 8, 2007, 10:01:06 PM
to CCClub (China Information Security Professionals Club)
April 18 2007, CCClub, an organization of China security
professionals, like CISSP, CISA, etc., had a conference in Beijing.
This organization is chartered to build a friendly, fair community for
discussion and knowledge sharing. Check out the agenda of this
conference. Dr. Wang Jie introduced the latest events and trends of
information security in the USA. He shared some impressive "Botnet yer
pay" and the related industry chain: vulnerability discovery - exploit
development - botnet operation - spamming or attack service. Dr. Wang is
trying to introduce more Made in China security products into the USA
market.

In my session, I shared my experience that security managers should
pay more attention to the details of operation execution and policy
implementation. No doubt, it's always a virtue of security managers to
"think high". In one old post, I summarized 5 key memory points for a
security manager: plan, communicate, leverage consultancy, always
resolve the Top 3 questions, develop toolkits. That was written when I
was the principal consultant of CA. However, after a new 8-month
experience of security operations, I think we must pay much attention
to the details of execution. Even if you have a very good vision and
plan, you will encounter a lot of trouble during the execution if you
don't prepare the details well.

As a checklist, I recommended 6 items of detail to security managers,
with the example of desktop security management:

1. Awareness. For most security projects, awareness is one of the
most important points on which security guys should spend time and
resources.
2. VIP support. VIPs are those guys who have the power to sign the final
scores of your project/program. You should take care of the perception of
not only the CIO, but also those VIPs from business and support functions
as well.
3. Installation/Managed Rate. It's nonsense to talk about pure technologies
or products in desktop projects. Generally speaking, there is not a
big gap among the products from those vendors with a global presence.
For example, I don't think Symantec, McAfee and TrendMicro mean much
difference to an enterprise. They all may work. They all may not work.
The final effectiveness depends on the real deployment, where you will
find "installation rate" and "managed rate" are two of the most important
figures.
4. Penalty. Before you expect your security policy and regulations to be
executed perfectly, you'd better think over what the proper penalty is
for possible violations. The penalty may differ by country
and GEO. It's related to enterprise culture.
5. Roles and responsibilities. Security managers should be aware of
roles and responsibilities in the context of each project and program so
that they can work out a clear picture of who should do what for
security.
6. Technology of technologies. As the security manager, you are not
necessarily an expert in security products and technologies. There are
too many products in the market: firewall, IDS/IPS, anti-virus, audit,
SCC/SOC, authentication, forensics, SSO, PKI/CA, etc. Instead you
should be familiar with what kinds of technologies can help resolve
your high-priority problems.
