taking a hint from Josh I think the best starting point for a company is to identity key assets, how the company uses them then build rules around their use, then follow best practices on how to enforce those rules (firewall, AV,...). Refer to Chris Nickerson's risk/cost matrix technique (DerbyCon 1.0 keynote) on working out a budget with higher ups. Most important keep the higher ups in the loop.
-Brad On Mon, Dec 3, 2012 at 12:42 PM, Brian Erdelyi <[email protected]>wrote: > I agree with Josh. > > Focus on an existing guide. Help prioritize those recommendations. > > For example, BCP would be nice... maybe you focus on recommending data > backup and recovery. I've seen too many business struggle after a disaster > and eventually close doors. > > A small business will likely be overwhelmed by a large guide. > > Brian > > Sent from my iPhone > > On Dec 3, 2012, at 1:24 PM, Josh More <[email protected]> wrote: > > I really wish I had the time to delve into this discussion. > > However, given everything else I'm juggling, I just want to say that small > business is currently drowning in recommendations and, as a result, is > unable to follow any of them. Look at the work the NSA, NIST, PCI and SANS > have done in this field. Little of it has been embraced by the small > business community. If you truly want to help, an additive process is > unlikely to help. Consider focusing on only three items. I know this > leaves holes, but remember, they're ridden with holes now and despite what > we all want, they're not going to plug them all. > > If this is unsuitable / too hard, consider reworking the concept into a > flow chart infographic. Such as "Do you have a Firewall/UTM/NGFW? If not, > get one. If so, tune it and go to next" -> "Do you have a reliable > anti-malware system? If not, get one. If so, are you tuning it > regularly?" I think that would be far more likely to cause positive change > than yet another dense report full of advice they're not going to take. > > -Josh More > > > > On Mon, Dec 3, 2012 at 9:34 AM, Bradley McMahon <[email protected]>wrote: > >> I would include * BCP - business continuity plan - corruption, fires, >> data theft are indiscriminate. Basically have a meeting and go through all >> the worst case scenarios and figure out a cost effect way to handle it that >> works for the company. Having insurance is a good idea >> >> -Brad >> >> >> >> On Mon, Dec 3, 2012 at 8:06 AM, Herndon Elliott <[email protected]>wrote: >> >>> It was kinda touched on, but not directly mentioned: Incident >>> Response...planning and pre-determined actions, call list etc when it >>> all goes wrong. Also, training was mentioned, but some level of >>> common sense warnings as displayed in this wonderful bank sign: >>> >>> http://krebsonsecurity.com/2012/11/all-banks-should-display-a-warning-like-this/ >>> >>> Herndon Elliott >>> Madison, Al >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> >> >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
