I'm looking for some resources and hoping some of you security experts can help.

Quick Background: I recently started my first job out of college working at a small organization as a Web Developer. In addition to my development duties I also provide some basic IT support as needed. As I began providing support I quickly realized there were some Information Security concerns within the company.

My Goal: I have formal education in Information Systems and have a decent understanding of Information Security, so I would like to help develop some standards and practices for the organization to implement in order to better protect against future issues.

Question: Can you recommend any resources for me to utilize as I begin to develop Information Security Standards and Practices for a small business/organization?

Current resources: A quick search returned this document - http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf (I am unfamiliar with NIST but it does seem to cover most things at a basic level.)

    Good employee training, making sure they're not stupid. That should be the #1 priority well above any technical solutions. – André Borie Sep 14 '16 at 01:03
  • Fully agree with Andre Borie: proper training. If you are the only IT person, do give some training. But also do train yourself in InfoSec issues. Given that you're out of college, investing in some formal training for the IT department (which may be just you) would certainly be a benefit for the company. – grochmal Sep 14 '16 at 01:51
  • Once training is complete start sending out fake phishing/malware regularly, and make sure falling for them has major consequences for the employees. If they don't care about security they'll still be careful because they don't want to end up like the guy who got fired last week for opening `list of people to be fired.doc.exe`. – André Borie Sep 14 '16 at 04:35
  • Great suggestions! I will try to prioritize training for the staff as much as possible. Thanks! – Joshua Cummings Sep 14 '16 at 12:38

1 Answer

To start, I suggest you refer to the SANS Top 20 Critical Controls, which are released and updated every year. They are about policies, appliances and best practices that must be applied to reduce the risk of possible incoming threats.

Here you can find an intro about them: https://www.sans.org/critical-security-controls

But I strongly suggest downloading the posters. Here is the one from 2014:

https://www.sans.org/media/critical-security-controls/Poster_Fall_2014_CSCs_WEB.PDF

Once you become familiar with those, you can easily understand the most common standards that are used in industry depending on the country and the scope, like:

  • NIST
  • ISO 27002
  • PCI

SANS actually maps its Top 20 CSC to those standards (look for it in the posters).

– N111ck
  • That's a pretty good first post. NIST and SANS are good references. I'd only also include [OWASP](https://www.owasp.org/index.php/Main_Page) since OP is a web developer (which probably means that the company runs websites). – grochmal Sep 14 '16 at 01:56
  • Thank you both. Awesome resources! I think I have more than enough to begin reading through and put together a game plan. – Joshua Cummings Sep 14 '16 at 12:40