Every once in awhile we're asked to fill out a major technology assessment and security audit form for one of our clients. Normally, these are requested by THEIR clients, who are big league businesses exchanging data with "third parties."
I've wanted to blog about this topic for some time, but I didn't want to violate client confidentiality by releasing the questions involved.
So I went looking for examples of the kinds of questionnaires we've been filling out. Found some great examples with this search:
Google Technology Risk Checklist.
Great resources.
Notice that one resource shows up a lot: The World Bank Technology Risk Checklist from 2004. A bit long in the tooth, but still an excellent resource.
These questionnaires are great for general awareness purposes, but really spectacular when it comes to a thorough security assessment.
I know everyone wants to do everything electronically: Enter an IP address and push a button. Okay, in one of these questionnaires, that will cover about one question. The next question is: Do you address all the problems uncovered in the probe?
An electronic probe cannot reveal whether the ceiling plenum in the computer room is open to the office space next door.
Or
- Whether you have a written security policy
- Whether there's a system in place to measure the success of security objectives
- Whether you have usable documentation of all access points on the network
- and adequate systems for monitoring these access points
- What your procedures are for addressing non-compliance at high, medium, and low threat levels
- Whether there are there ongoing training programs for security policies and procedures
or even the basic elements:
- Is there a current network diagram easily accessible onsite?
- Have you documented the process of retrieving a single file from backup in case of accidental deletion?
- Have you documented the complete process for disabling a user upon termination and dealing with that user's data and email in an appropriate manner?
PLEASE don't just look at one of these documents and be done with it! Each of these documents has hundreds of questions. Some are easy, some are difficult.
Look at several of them and consider the different perspectives each brings to the question of security.
The longest questionnaire we have filled out for a client was 84 pages. Guess what? Small font, too!
Consider creating a template so you can produce a report based on a question/answer format.
Reality Time
Most small businesses don't need this level of assessment or security. But 1) you should expose yourself to it and know how to provide if if asked, and 2) we are constantly bringing a higher level of operation to the SMB space. Consider how much of a "thorough" security audit is useful and justified.
Most of us could benefit greatly from an audit or two like this. Obviously, our clients could as well.
We're pretty good at making sure there's a firewall in place, and spam filtering, and virus scanning. Zenith Infotech takes care of patch management.
But most of us are not doing much with encryption, intrusion detection, manual processes, policies, procedures, risk assessment, documentation, or incident response.
- - - - -
I know you're busy. But print out two or three of these and consider what new service you can offer in the new year.
Hey, you gotta sell something!
:-)
Subscribe to:
Post Comments (Atom)
Karl - great post and incredible timing - we're just tackling this exact issue right now, so appreciate you taking the time to write on it. :-)
ReplyDelete