How to start with an Information Security Program?

I am a software tester, InfoSec is mostly tangential to my job, and people only ask me questions about InfoSec because I am not afraid to use Google or Stack Exchange when I don’t know something (which is most of the time).

Our US operations manager wants to have a conversation with me to learn more about Information Security. He got an email from a prospect in the financial sector that includes this section:

(a) ACME will ensure its information security program (“Info Security Program”) is designed and implemented, and during the term of this Agreement will continue to be designed and implemented, to: (1) reasonably and adequately mitigate any risks identified by either of the parties related to the Software and Services, and the protection of Customer Confidential Information disclosed to ACME or ACME Personnel, and (2) describe and report on its own risk assessments, risk management, control, and training of ACME Personnel in compliance with the Info Security Program, security oversight regarding ACME Personnel, and the process for the annual certification of the Info Security Program. ACME will safeguard against the destruction, loss, alteration, or unauthorized disclosure of or access to Customer Confidential Information in the possession of ACME Personnel, including through the use of encryption while transmitted or in transport, or while being stored, processed or managed on ACME equipment when such encryption is required by Law, is advised by industry standards for similar products or services, or is required in a Transaction Document (collectively, the “Data Safeguards”). ACME will ensure that the Info Security Program is materially equivalent to Customer’s own information security standards in place from time to time applicable to the risks presented by the Products or Services (collectively the “IS Standards”). The parties may redefine the term “IS Standards” to mean any industry-recognized standard or testing protocol (e.g., NIST, ISO 27001/27002 or SSAE, AT101), if expressly set forth in an SOW.

This language is so scary that I first pooped in my pants, and then created a security.stackexchange.com account to ask for advice because I don’t even know where to start. We are a small software company (less than 40 people) that is fortunate enough to have some commercial success, and we’re not careless about security, but we don’t have any formal Information Security Program (yet).

Some questions:

  • Can someone please translate the above quote into common English?
  • I read something about annual certification; would it be OK to say that our company should make use of a third-party security auditor and let them tell us what we should do?
  • Who within our organisation would typically be responsible for implementing an Information Security Program?
  • I am thinking about recommending to buy ISO 27001 (I mean the actual PDF file that contains the text of that standard, which can be purchased for 166 Swiss francs from the iso.org store), but who should read it? (related to the previous question)

Background information:

  • We collect typical CRM information to be able to send invoices.
  • We do not collect sensitive information, like data about the users/customers of our customers.
  • Our support team may ask for sample data for troubleshooting purposes, and will always ask for “dummy” or sanitized data that reproduces the issue at hand.

This question is not a duplicate of How to communicate how secure your system is to your employer’s clients. That post is about how to communicate to customers – we already know that because the customer already told us which kind of communication they want – they mentioned a SOC Type 1 Report. It is also not a duplicate of How to get top management support for security projects? because management support is easy in our case: get security certified or miss out on big contracts.