sikkoor | 28 Jul 2012 22:53

Mandate for Security forum

Hello,
I have responsibility for security in a medium-sized company.
We have recently established an information security management system which is based on ISO 27001. As
part of this work it was decided that we should establish a security forum consisting of employees from
different departments.

I am now responsible for writing a mandate for the Security forum :( Although I have been working on
information security for a while, I honestly do not know where to start from.

Have any of you been involved in similar work before? Can anyone give me some tips about what such a mandate
should look like?

I appreciate all your help.

Thanks in advance.

With friendly greetings.

Tore.


Alan Tatourian | 30 Jul 2012 16:57

RE: Mandate for Security forum

Start with Microsoft SDL:
http://www.microsoft.com/security/sdl/default.aspx.

Alan Tatourian

Mani Akella | 30 Jul 2012 17:49

Re: Mandate for Security forum

Hi Tore,

One thing I can validate is that each organization has its own special needs, requirements and
expectations that will make working out of a template an "interesting" task.

In my own experience, the following steps, followed in order, have allowed me to come up with a mandate and
policy space that stay and grow in the organization, instead of dying a shorter-than-average corporate death.

1) (and this needs repetition till everyone is sick of you :)  ) - Invite representatives from all areas of the
business, even those that do not have any seeming relation to the effort.
Have them provide input and understand expectations as well as requirements.

2) Share drafts and have everyone provide written inputs (even if they have nothing to add/subtract, have
them say so in writing/email)

3) Make everyone signatories - or better, owners - of the final draft.

So now, pointers to the mandate:

The business of the team is to 
	a) provide appropriate and relevant guidance on how to reasonably protect the information assets of the organization.
	b) be resourceful and creative in the way they allow authorized users appropriate access while ensuring
no access for everyone else
	c) understand the business of the organization properly so that they can model InfoSec to be effective for
the organization
	d) be owners of the responsibility of InfoSec, so that the rest of the organization can focus on their own
areas of work.

Information Security is always about effective business rules, not the technology or toys. The rules will
provide guidance and direction that will help drive the correct technology choices.

gold flake | 31 Jul 2012 09:26

Re: Mandate for Security forum

To add to the points given by Mani, the InfoSec Forum also monitors
the implementation of the ISMS and reviews points for action arising
out of periodic audits carried out by the internal team and those
brought out by audits by a third party.  These terms of reference then
need to be approved by the management.

And as Mani has brought out, it needs to be staffed by representatives
of all stakeholders.

Cheers

Vic Vandal | 31 Jul 2012 19:06

Re: Mandate for Security forum

Tore,

There are obviously different possible flavors for that.  Currently I chair a weekly security meeting
where individuals from the following departments are invitees.
- InfoSec team
- Database team
- Data Center team (includes computer operations)
- Systems administration/engineering team (servers)
- Desktop support team
- Network team

We have a running list of technology projects (with a clear security relationship or function) that we
provide updates on, which are recorded in meeting minutes.  Probably the most important thing we do is
discuss the many vendor product patches that are released weekly/monthly/quarterly - affecting
desktops, servers, databases, network devices, and applications.  The security team ranks the
risks/exposure involved and collectively we determine if we're going to follow our standard/published
patching cycles or put them through an exception process (deploying sooner or later or not at all).  We also
review how we're doing on patch deployments and other risk remediation actions that flow from varied
system security posture assessments.  Meeting attendance amongst the varied group representatives varies
from week to week, but overall the process works and provides value.

If you establish a short list of areas you want a security forum to cover that make sense and provide value to
your organization, establish a meeting schedule, establish a list of attendees, and keep records of
those proceedings and action items, that should meet your stated need.

Regarding other flavors, I've worked places where we had representatives from the following teams
(security, network, database, sys-admins, app development, computer operations, and sometimes an end
user rep) to help:
- define security requirements for new applications and application architectures, and/or
- assess risks involved in varied systems (proposed, new, or existing).