Jan 11, 2011

I have listed the best 12 questions that you, the CIO, can ask your team, security architect, security engineer, partners, vendors and manufacturers when discussing security and client integrity.

Use the reference architecture I developed so that you know where Client Integrity fits into the bigger picture of security architecture and design. Let me know your thoughts. Bill – billm@cioes.org

Layer 1 – Client Integrity: Users accessing corporate services via WAN, LAN, Internet (work at home, conference, consultant, partner, travel), & mobile devices
Sample Technologies: Smartphones (Droid, iPhone, Blackberry, etc.), PC firewalls, USB management, laptop management, data encryption, device wipe.

CLASS of Users (We are assuming that all users have class!)

  • Internal employees
  • External employees: from home, another office, kiosks, hotels, Starbucks, etc.
  • Partners (remote)
  • Partners (on the LAN)
  • Consultants (remote)
  • Consultants (on the LAN)
  • Kiosks

The goal of the Layer 1 questions is to determine the security direction and philosophy regarding device management for PCs, laptops and smart devices (phones, iPads, etc.) across these areas:

  • Antivirus
  • Anti-spyware
  • Patches
  • Version Updates
  • Upgrades
  • Backups
  • Firewalls
  • USB
1. Can we trust the individual?
  • How is trust enforced for the user classes listed above? e.g. biometrics, two-factor authentication, certificates, etc.
  • Is comprehensive USB protection in place now? Yes / No / Only at corporate
  • Can you remotely wipe data from a laptop or smart device? Yes / No / Only certain devices

2. Wireless access
  • Is this managed centrally at corporate?
  • Is it managed at remote offices? How?
  • Is wireless managed on the firewall or through another management device?

3. Can I trust machines remotely accessing my network?
  • Do remote access devices have anti-spyware, i.e. protection from keyloggers, malware, Trojans, etc.?
  • Are they running antivirus protection?
  • Are there personal firewalls on client machines? Do I care?
  • Is their operating system up to date? (patches, versions, upgrades, etc.)
  • What is the remediation process when a user tries to attach to the network and is not compliant?

4. Do I have centralized security management? Edge sites, PCs, virus, spyware, malware, personal firewalls

5. What are my plans to consolidate end point security into one centralized management console?

6. Contractors – How do I know if a contractor meets security policy when attaching to the network?

7. How does my team distribute patches for Microsoft, third-party, Adobe and Java software?

8. How does my team distribute application version-level updates?

9. How is cache clean-up handled on machines that have been used from untrusted public access points (at a conference, for example)?

10. How is an untrusted LAN user's machine checked before it is allowed to access the network?

11. Are your Client Integrity devices Active Directory aware?

12. Is a consolidated and centralized USB strategy in place now? At corporate only? Remote Sites? If not, then when?

13. Bonus Question – What is the airspeed velocity of a swallow? (Monty Python, the Bridge of Death scene)
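Questions 3, 6, 10 and 12 all come down to one decision made at the moment a device asks to join the network: does it meet policy, and if not, what happens to it? The script below is an added example, not code from the original post or from any product it mentions. It models that admission decision for a batch of endpoint posture reports: anti-malware present and current, OS patch age, host firewall, disk encryption and USB control, with a different outcome for managed devices (which can be pushed fixes) and unmanaged contractor, partner or kiosk machines (which cannot). The policy thresholds, the report fields, the four action names and the sample device reports are all constructed for the example.

```python
"""Endpoint posture check for network admission.

Added example (not code from the original post or any product it names).
It models the decision behind Layer 1 questions 3, 6, 10 and 12: before a
device joins the network, check anti-malware, patch age, host firewall, disk
encryption and USB control, then allow it, restrict it, remediate it, or
quarantine it. Policy thresholds, field names and the sample device reports
below are all constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical policy thresholds (assumptions, not from the post).
POLICY = {
    "max_patch_age_days": 30,       # OS patches must be no older than this
    "max_signature_age_days": 3,    # anti-malware signatures must be fresher than this
    "require_firewall": True,
    "require_disk_encryption": True,
    "require_usb_control": True,
}


@dataclass
class DeviceReport:
    """What an agent or NAC scan reports about one endpoint (constructed schema)."""
    hostname: str
    user_class: str          # "employee", "contractor", "partner", "kiosk", ...
    managed: bool            # enrolled in corporate endpoint management
    av_running: bool
    av_signature_date: date
    last_patch_date: date
    firewall_enabled: bool
    disk_encrypted: bool
    usb_storage_blocked: bool


@dataclass
class Decision:
    action: str                      # "allow", "restricted", "remediate", "quarantine"
    findings: list = field(default_factory=list)


def evaluate(report: DeviceReport, today: date, policy: dict = POLICY) -> Decision:
    """Compare one device report against policy and pick an admission action."""
    findings = []
    if not report.av_running:
        findings.append("anti-malware not running")
    elif (today - report.av_signature_date).days > policy["max_signature_age_days"]:
        findings.append("anti-malware signatures older than "
                        f"{policy['max_signature_age_days']} days")
    if (today - report.last_patch_date).days > policy["max_patch_age_days"]:
        findings.append(f"OS patches older than {policy['max_patch_age_days']} days")
    if policy["require_firewall"] and not report.firewall_enabled:
        findings.append("host firewall disabled")
    if policy["require_disk_encryption"] and not report.disk_encrypted:
        findings.append("disk not encrypted")
    if policy["require_usb_control"] and not report.usb_storage_blocked:
        findings.append("USB mass storage not blocked")

    if report.managed:
        # A managed device can be pushed fixes automatically: park it on a
        # remediation network, apply updates, then re-evaluate.
        return Decision("remediate" if findings else "allow", findings)
    # Unmanaged devices (contractors, partners, kiosks) cannot be fixed by us.
    # Compliant ones get a restricted network only; anything else is quarantined
    # for manual review (a design choice for this example).
    return Decision("restricted" if not findings else "quarantine", findings)


def triage(reports, today):
    """Map hostname -> admission action for a batch of device reports."""
    return {r.hostname: evaluate(r, today).action for r in reports}


# Constructed sample reports, dated to the post's publication date.
TODAY = date(2011, 1, 11)
SAMPLE_REPORTS = [
    DeviceReport("corp-lt-01", "employee", True, True, TODAY - timedelta(days=1),
                 TODAY - timedelta(days=10), True, True, True),
    DeviceReport("corp-lt-02", "employee", True, True, TODAY - timedelta(days=10),
                 TODAY - timedelta(days=45), True, True, True),
    DeviceReport("vendor-nb-07", "contractor", False, True, TODAY,
                 TODAY - timedelta(days=5), False, False, False),
    DeviceReport("kiosk-lobby", "kiosk", False, True, TODAY,
                 TODAY - timedelta(days=2), True, True, True),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        d = evaluate(r, TODAY)
        print(f"{r.hostname:12} {r.user_class:10} -> {d.action:10} {d.findings}")
```

The split between "remediate" and "quarantine" is the answer to question 3's last item and to questions 6 and 10: a managed employee laptop with stale signatures and old patches is parked and fixed automatically, while a contractor's unmanaged notebook with the firewall off and no USB control is held for manual review because nothing on the corporate side can change its state. Real NAC products express the same logic in their own policy language; the thresholds here are placeholders to be replaced with the organization's actual policy.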
