Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

What security policy and processes do you use?

EvilMonkeySlayer (826044) writes | more than 4 years ago

Security 1

EvilMonkeySlayer (826044) writes "Recently we had a big multi-billion dollar four letter Japanese company install some very expensive software and hardware on our premises. Unfortunately the engineers who did the installing also brought a virus in and managed to install that onto their very expensive server.

Through processes i'd put in and a bit of luck the server that they installed was the only thing infected. I'd like to say this was the first time this has occurred but this has happened in the past where a third party who installed a piece of hardware has brought in a virus. I've got a decent security in depth set-up so much so that none of our machines has never been infected either through employees or cracking attempts on our public/private servers and workstations. However, it seems once every so often when we have a third party bring in their own server/machine that we've purchased they will inevitably infect said machine.

I have pressed managers in the past at our company to inform any engineers that they must pass any laptops, flash drives etc by me before connecting them up to our network or to another pc. However, they have typically neglected to inform them. Case in point an engineer decided to connect an infected flash drive to one of the workstations which is how I found out about the virus in the first place since the workstation AV blocked the virus and informed me immediately at which point I rushed over and forbid him from using it.

I have been talking to the company MD and he's talking of getting any engineers who come on site to sign a document stating that their computers are virus free etc.

I am wanting to literally make it very much clear to everyone and any third party that if they bring in a computer/flash drive it MUST pass by me first.

Unfortunately I can't always hold the hands of these engineers as I'm the only IT guy in the entire company, so often I may not be available or in a different part of one of our two buildings.

Also, the engineers installed a web server so customers can login remotely for the system. However, the web server is an older version of Apache (2.2.9) running on windows. I have forbidden this machine from having external access until in the words of the account manager for the four letter company "we're waiting to hear back from Japan because the software needs to be updated from them" which doesn't fill me with confidence especially for something that needs to be updated relatively frequently. (contractually wise me updating Apache on this windows server is in a grey area...)

What policy or methods do you guys use to enforce the rules?

I've talked of sending a very clear letter to all the managers from the MD that if they do not inform any third party that they must pass any computers/flash drives through me first that there will be serious consequences. (for example docking of wages, sacking etc)"

Link to Original Source

cancel ×

1 comment

Sounds like... (1)

garg0yle (208225) | more than 4 years ago | (#31450590)

...you're already ahead of the game - you've got some decent mechanisms in place, which is more than many places have.

Generally, to get management buy-in for policies like you're discussing, you'll need to bend the ear of the top-most management and show them the financial costs versus benefits of what you are proposing - and be able to do so in a three-minute pitch, in "plain English".

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...