Archive for category Information Security

Vulnerability Management Program

Introduction

Every organization wants to serve its clients without interruption. A single small vulnerability in a system or on the network, if not handled properly, can interrupt the services offered to clients, and that can mean losing clients' trust or losing revenue.

Vulnerability assessment is the process of identifying and reporting vulnerabilities.

It provides a way to detect and resolve security problems before someone or something exploits them. By conducting periodic vulnerability assessments, management can validate the security measures they have deployed.


Risks of Providing Local Admin Privileges to Users

As an InfoSec consultant I have confronted, and I am sure many of you have faced, the question from clients or within your own organization: "to provide" or "not to provide" local admin privileges to users.

Indeed, it is a tough question to answer, and even tougher to convince anyone to take one particular approach, because, I feel, it is impossible to get away with any single approach. Again, in my view, if given the choice I would prefer not to provide administrative privileges, unless I have been given enough personnel, technology and time to handle the mess created by that decision.


Post Certification Activities

The first and foremost task after your certification is to mitigate all non-conformities/non-compliances identified during the certification audit. This must be completed before your surveillance audit is due; auditors will not be happy to see their findings reappear in the following audits. If any of your policy or procedure documents need to be updated, make sure you document the changes (version control within the document), have the documents reviewed and approved by management, and circulate them to authorized people.


Password Management

Let me narrate a small story to show how a server administrator and an Information Security Officer (ISO) of an organization struggle to protect the organization's assets.

The ISO of the organization has a written password policy, which says that user passwords should:

• be a minimum of 8 characters long
• lock the account out after 3 failed attempts
• expire once every 45 days
• be a combination of uppercase, alpha-numeric and special characters

The policy is handed over to the server administrator, and it is implemented across the organization.
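To make the four rules concrete, here is an added example (not from the original post) in Python that enforces them the way a server administrator would have to in a custom application: it rejects non-compliant passwords when they are set, counts failed attempts and locks the account on the third, and reports an expired password after 45 days. It assumes the composition rule means at least one uppercase letter, one lowercase letter, one digit and one special character, and it stores only a salted PBKDF2 hash rather than the password itself.

```python
# Added example, not the post's own code: a small model of the four policy rules.
# Assumption: "uppercase, alpha-numeric and special characters" is read as at least
# one uppercase letter, one lowercase letter, one digit and one non-alphanumeric.
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 3
MAX_PASSWORD_AGE = timedelta(days=45)


def complexity_errors(password):
    """Return the composition rules the password violates (empty list if it passes)."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than %d characters" % MIN_LENGTH),
        (re.search(r"[A-Z]", password), "no uppercase letter"),
        (re.search(r"[a-z]", password), "no lowercase letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [reason for ok, reason in checks if not ok]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the password; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class Account:
    def __init__(self, username, password, set_on):
        errors = complexity_errors(password)
        if errors:
            raise ValueError("password rejected: " + ", ".join(errors))
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.password_set_on = set_on  # date the password was last changed
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, today):
        """Rule 3: the password is stale once it is older than 45 days."""
        return today - self.password_set_on > MAX_PASSWORD_AGE

    def authenticate(self, password, today):
        """Return 'ok', 'bad-password', 'locked' or 'expired' for a login attempt."""
        if self.locked:
            return "locked"
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:  # rule 2
                self.locked = True
                return "locked"
            return "bad-password"
        self.failed_attempts = 0  # a good login resets the counter
        if self.password_expired(today):
            return "expired"
        return "ok"


if __name__ == "__main__":
    # Constructed walk-through: one compliant account, then three bad guesses.
    alice = Account("alice", "Tr0ub4dor&3", date(2024, 1, 1))
    for attempt in ("Tr0ub4dor&3", "guess1", "guess2", "guess3", "Tr0ub4dor&3"):
        print(attempt, "->", alice.authenticate(attempt, date(2024, 1, 10)))
    print("weak password errors:", complexity_errors("password"))
```

Note that a lockout threshold of three is also a denial-of-service lever: anyone who knows a username can lock that account by failing three times, and this example, like the policy as written, has no automatic unlock.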


Reasons to avoid change

Some reasons commonly given by organization members to avoid change in the process:

1. Nothing has happened for the past X years. What is going to happen now, and why do you want all this security?

2. How does the organization benefit from implementing information security practices? How much profit will there be?
