Posts

Showing posts from April, 2009

Sidebar - interesting tidbit from ISC SANS site

http://isc.sans.org/diary.html?storyid=6253

A couple of interesting points from John Bambeck at SANS regarding a talk he is preparing on data leakage prevention and what controls have been established as "reasonable security" to protect trade secrets and/or non-public information. I like John's list of what he considers to be some of the general requirements (based mostly on previous Federal Trade Commission actions):

- Use of encryption for data at rest and in transit, both within and outside the organization
- Limiting access to wireless networks
- Use of strong passwords (and multiple passwords) for administrators to access systems and networks
- Limiting access of internal systems to the internet
- Employing measures to detect and prevent unauthorized access
- Conducting security investigations, as appropriate
- Patching and updating of anti-virus
- Requiring periodic changes to passwords
- Locking accounts after too many failed login attempts
- Storing credentials in insecure formats (i.e.

How to plan for a successful IT Security Team?

So I saw this come across one of the mail lists I watch today: "Hi All, Can anyone provide the references on the internet for best practices for forming IT and Security Team Structure?" It struck me as a good topic to go into some depth on, and it's not nearly as easy to answer as you'd expect. To take a step or three back... Some questions and ideas to get your thoughts flowing:

- What problem are you trying to solve?
- What resources or support do you have?
- What limitations or constraints do you have?

Also consider the scope of what you are trying to accomplish, and the requirements (if any) provided by your management or company for success (hopefully you can define these to more accurately match what you intend to create). Let's work on each of these questions a bit. What problem are you trying to solve? This seems simple, but to be successful you need to phrase this in a way that identifies a need (preferably a business need) and how you intend to improve th