As a rule of thumb, I put everything through an initial lens before
making such a list. You might start with your corporate policy, ISO
17799, or (my favorite) the Governance Guidebook. The reason I do
this is because I find that as I do that I come up with many more
specifics, and of course even if I don't I will have a list that is
reasonably comprehensive. For example, today I was going through a
process of creating some metrics for measuring programs surrounding
data retention and disposition. I notice that these issues are
largely ignored in your list - so add all of them in. And of course I
don't see any controls for integrity in there. But I am getting away
from the systematic approach. So I would suggest that you download a
free copy of a tool I have (and use) that cross-lists various
standards and - even if it didn't - has the general topic areas
listed. With it you can get the lists any time you want, drill into
various issues, etc. I am thinking of selling the full blown tool
which has all the embedded content accessible as well, but because it
has ISO and other things in it, I would have to deal with all of the
fees for licensing, etc. So it would probably be too expensive to be
worth selling. Still ... it sure makes the consulting practice more
efficient. Here is a pointer:
http://www.manalytic.com/
=> Software
=> Maps
FC
On Oct 26, 2006, at 5:24 PM, Saqib Ali wrote:
> Hello All,
>
> I am looking for some ideas on what to consider when defining a laptop
> security strategy. I am looking at the security from both the process and
> technology point of view. Currently we are concerned with only "Data @
> Rest".
>
> So far I have:
> - Awareness
> - Training
> - Encryption (Encrypted Vaults, File/Folder encryption, full disk
> encryption)
> - Data Recovery in case of the loss of the encryption key / Secure
> Backup
> - Device recovery in case of theft or loss
> - Data classification
> - Centralized management
> - Encryption key recovery
> - Spyware control
> - US Crypto Export laws
>
> Any ideas? I would especially like to hear from people who have
> defined strategy for multi-national companies, and the US export laws.
>
> --
> Saqib Ali, CISSP, ISSAP
> http://www.full-disk-encryption.net
>
-- This communication is confidential to the parties it is intended
to serve --
Fred Cohen & Associates tel/fax: 925-454-0171
http://all.net/ 572 Leona Drive Livermore, CA
94550