18

See Server Fault and the original test. In other words, what are some good questions that an information security professional should ask of a prospective employer? These questions might also lend themselves to helping improve an existing work environment and enable an employer to attract the best and brightest in information security.

sdanelson
  • Wow, GREAT question! Though I think many are not familiar with this, and I should clarify for them: the point of this is that questions have to yield an immediate YES/NO answer - no complicated results, no going digging to calculate, just a straight answer that everyone should know. – AviD Dec 05 '10 at 08:49
  • I don't think there are many yes/no questions you can ask about security. The 'how' questions would probably be a much better measure of one's skill assessment. But I'm curious to see what people will come up with beyond 'do you have logging' and 'do you roll your own crypto.' – Marcin Dec 07 '10 at 18:38
  • @Marcin just to clarify, this isn't a skills assessment test; it is more of a maturity test, as in: is a company mature in its practice of information security? – sdanelson Dec 09 '10 at 02:20

5 Answers

8

One which seems to impact security teams significantly would be:

  • Do you have a CISO or equivalent sponsoring security at board level, and the development of security skills and expertise?

Without it, teams very rapidly become disillusioned at their lack of influence and will move to organisations with a more mature outlook on security.

Also, in order to attract individuals who are looking to secure their long-term career

Rory Alsop
  • +1, but the CISO would have to be both technical enough to understand the threats, and business-savvy enough to translate to risk. Hmm, I guess thats another test... – AviD Dec 05 '10 at 08:44
7
  • Do you have a separate Application Security team? (as opposed to just network sec running the show)
  • Is the CISO / head of security / whatever you call him both technical enough to understand the threats and business-savvy enough to translate them to risk?
  • Is there a holistic SDL in place, with executive, managerial, and developer buy-in?
  • Must all employees have security training relevant to their area of work?
  • Does any product/system/application/etc have to get security signoff before deployment, and can security stop it?
  • If/when security does stop a system from going live because of severe vulnerabilities, are they thanked or cursed by the business?
  • Are Board directors bound by corporate security policy? :)
  • Is the security department seen as a technical roadblock, or as an executive aid to managing business risk?
AviD
6
  • Do you perform regular backups to more than one physical location?
  • Do you regularly test restoring from backup?
  • Do you have a risk management strategy for security issues?
  • Do you regularly educate your employees about security issues that pertain to them?
  • Do you have a security budget?
  • Are there controls, both technical and managerial, in place for sensitive data?
  • Do you stay current on security issues?
  • Do you store passwords in plain text?
  • What software do you use to protect your computers, servers, and data?
  • Do you regularly update critical software to newer versions?
  • Are password changes for all employees mandatory?
VirtuosiMedia
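As an added example (not part of VirtuosiMedia's answer or the original page), the following Python contrasts the "store passwords in plain text" anti-pattern from the checklist above with salted PBKDF2-HMAC hashing, and adds a small audit function of the kind a reviewer could run over a dumped credential table to get the yes/no answer the question asks for. The user names, passwords and the iteration count are constructed for the demonstration; the record format (`pbkdf2_sha256$iterations$salt$digest`) is an assumption, not a format the page prescribes.

```python
"""Plaintext vs. hashed credential storage (added example, not from the page)."""
import hashlib
import hmac
import os

# Assumption: work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def store_plaintext(db: dict, username: str, password: str) -> None:
    """The anti-pattern: whoever reads the table (backup, SQLi, insider)
    gets every password, and every site where it was reused."""
    db[username] = password


def store_hashed(db: dict, username: str, password: str) -> None:
    """Per-user random salt + slow KDF; two users with the same password
    get different records, and offline guessing is rate-limited by the KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    db[username] = f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(db: dict, username: str, password: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    record = db.get(username)
    if record is None:
        return False
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def looks_like_plaintext(record: str) -> bool:
    """Auditor's heuristic: anything not tagged with a known hash scheme
    is treated as plaintext (the conservative answer)."""
    return not record.startswith(SCHEME + "$")


def audit(db: dict) -> list:
    """Return the usernames whose stored credential is not hashed.
    An empty list is the 'No' answer to 'Do you store passwords in plain text?'"""
    return sorted(user for user, record in db.items() if looks_like_plaintext(record))


if __name__ == "__main__":
    users = {}  # constructed sample credential table
    store_hashed(users, "alice", "correct horse battery staple")
    store_plaintext(users, "bob", "hunter2")
    print("alice verifies:", verify_hashed(users, "alice", "correct horse battery staple"))
    print("plaintext records:", audit(users))
```

Running the block shows `alice` verifying and `bob` flagged by the audit; the same audit logic is what you would point at a real user table (after adjusting `looks_like_plaintext` for the scheme tags your stack actually emits) to turn the checklist item into a measurable answer.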
6

A few to add:

  • Do you use automated log management and analysis tools?
  • Do you segment your network?
  • Do IT Security personnel maintain any production systems? (Is there segregation of duties)
  • Do normal users have administrator rights?
sdanelson
0

In addition to those from VirtuosiMedia:

  • What is the security team accountable for and how many people are on it?
  • When were your security policies last updated?
  • Who does the security team report to?
  • What is the oldest application running in your environment?
  • Is the security team part of the compliance program? If so what types of audits are performed annually?
Wayne
  • While these are of course important details to know, the point of the Joel Test is immediate, simple YES/NO responses. – AviD Dec 05 '10 at 08:50