What security policy and processes do you use?
EvilMonkeySlayer (826044) writes "Recently we had a big multi-billion dollar four letter Japanese company install some very expensive software and hardware on our premises. Unfortunately the engineers who did the installing also brought a virus in and managed to install that onto their very expensive server.
Through processes I'd put in and a bit of luck, the server that they installed was the only thing infected. I'd like to say this was the first time this has occurred, but this has happened in the past where a third party who installed a piece of hardware has brought in a virus. I've got a decent security in depth set-up, so much so that none of our machines has ever been infected either through employees or cracking attempts on our public/private servers and workstations. However, it seems once every so often when we have a third party bring in their own server/machine that we've purchased they will inevitably infect said machine.
I have pressed managers in the past at our company to inform any engineers that they must pass any laptops, flash drives etc. by me before connecting them up to our network or to another PC. However, they have typically neglected to inform them. Case in point: an engineer decided to connect an infected flash drive to one of the workstations, which is how I found out about the virus in the first place, since the workstation AV blocked the virus and informed me immediately, at which point I rushed over and forbade him from using it.
I have been talking to the company MD and he's talking of getting any engineers who come on site to sign a document stating that their computers are virus free etc.
I am wanting to literally make it very much clear to everyone and any third party that if they bring in a computer/flash drive it MUST pass by me first.
Unfortunately I can't always hold the hands of these engineers as I'm the only IT guy in the entire company, so often I may not be available or in a different part of one of our two buildings.
Also, the engineers installed a web server so customers can log in remotely for the system. However, the web server is an older version of Apache (2.2.9) running on Windows. I have forbidden this machine from having external access until, in the words of the account manager for the four letter company, "we're waiting to hear back from Japan because the software needs to be updated from them", which doesn't fill me with confidence, especially for something that needs to be updated relatively frequently. (Contractually, me updating Apache on this Windows server is in a grey area...)
What policy or methods do you guys use to enforce the rules?
I've talked of sending a very clear letter to all the managers from the MD that if they do not inform any third party that they must pass any computers/flash drives through me first that there will be serious consequences. (for example docking of wages, sacking etc)"