Computer Security in the Workplace

[danmpem]

I work as a system administrator for a local company. My boss wants to start implementing a more strict security policy to our network and server. I was wondering if anyone here works, or has worked, in a similar job. I would love to ask some questions about different aspects of the process, if there are any problems in what I'm telling my boss he should do, that sort of thing. PM me if you have any suggestions. Any input would be much appreciated.

Thanks!

 

[Kenneth_Murphy]

I can offer some help with Oracle or SQL server database security or SAP but not so much on the network/server level.

 

[Semper Fidelis]

Information assurance is a specialty all its own in the Network Admin world. I have several folks that perform that task for me but I wouldn't consider myself an expert.

The bottom line with Security, however, is that the decisions cannot be pushed down to the "Security Guy". There needs to be understanding at the management level to inform users of the decisions being made and to ensure that security doesn't destroy usability due to its strictness.

I'll be learning more this Summer as I've got orders to the Marine Corps Network Operations and Security Center.

 

[danmpem]

The bottom line with Security, however, is that the decisions cannot be pushed down to the "Security Guy". There needs to be understanding at the management level to inform users of the decisions being made and to ensure that security doesn't destroy usability due to its strictness.

I agree.

Just as clarification, I'm not looking so much for security from various intrusions, but more so security from within the company. Instead of starting off from scratch and reinventing the wheel at the office, I have to fix a broken system, and I don't have very much experience with servers.

A good example of our situation is that when the company first started, we used the same password for everything. When I arrived, I showed management that this was a serious problem and why (they didn't believe me). We don't use that system anymore, but we don't have the best one in effect right now either. While I would love to have electronic ID cards for every employee, we simply don't have that kind of money, so I am working on finding a nice middle ground on what I would like to see happen with our security vs. what we have available to us. I have a whole checklist of changes I would like to make that are similar to the one above, but I am not entirely sure that my solutions are the best ones available. At work, I am my own department, so I don't have co-workers who come to the office with different ideas for various projects and assignments (that's why I have the PB! )

But seriously, I know what my goals are, and I would like some feedback on my solutions. Are there any books out there that talk about different approaches to this? Do they address the legal aspects of this (as in company confidentiality agreements)?

Thanks!