Issue: Multiple mergers and acquisitions mean plenty of travel to Europe and Asia for site visits.
Action plan: Fit in other projects during those brief times not spent on the road.
Computerworld - My company has undertaken so many mergers and acquisitions lately that I'm in danger of doing M&A amelioration full time. My practice is to visit all of the acquired companies' operations. At each site, I ask lots of questions, review architecture diagrams and firewalls, and conduct assessments of the infrastructure.
Many of these sites are overseas, so I spend a lot of time flying to Europe and Asia. And when I get home, I have to spend hours creating assessment reports and remediation plans.
But I can't let my other initiatives shrivel from neglect. I have to make sure I keep all of them on track in between my trips. Here's what I've been up to lately.
First is the never-ending policy project. I've written all the new policies now, so I'm just trying to get my CIO to ratify them. Then I'll be able to upload them to the company intranet and get the word out about them. The policy ratification process has been slow, but I think I've figured out how to move it along.
Instead of overwhelming the CIO with 25 new policies, I've scheduled a series of monthly one-hour meetings. At each session, I present him with three to five policies, with summaries on a separate sheet that highlight the main tenets of each policy and any changes from what we currently have in place. He glances at the full policies, we discuss each one, and I usually end up making some minor changes.
After I am finished, the policies are ready for his signature. Besides sparing the CIO a grueling marathon session to go over all the policies at once, this approach fits in better with my current M&A schedule.
Also well under way is the secure FTP project. We're replacing an archaic FTP server that runs WU-FTP on an old version of Solaris with Tumbleweed Secure Transport for transferring information among employees, vendors, customers and partners. Besides increased security, we're gaining things like the ability to resume file transfer after a connection has been lost and notification features for uploads and downloads. Because technicians will be immediately notified when a customer uploads a maintenance file from one of our products, we will have a competitive advantage. In addition, the Web-based interface can be customized with our logo, giving it a professional look. I'll also be able to streamline FTP site provisioning by creating a Web-based form for that process that not only will have proper management authorization, but will also bill the proper cost center in order to manage the license fees.
I've received the report for the vulnerability assessment of our VMware deployment. Fortunately, no critical issues were found, but some fairly serious shortcomings will need to be remediated. We are going to have to harden the VMware ESX Server and VirtualCenter. The ESX Server is a Linux server responsible for managing server, memory, storage and networking resources as they relate to multiple virtual machines. VirtualCenter, which we'll be using to centrally manage our virtual machines, runs on a Windows server. If it were compromised, someone would have control of more than 250 critical servers at their fingertips.
I've scheduled a meeting with the virtualization team. I'll invite the consultant who performed the assessment as well, so the expert will be on hand to defend his findings should the deployment team push back on the remediation tasks.
I've got about a week before I hit the road again. In the meantime, I hope to make some headway on these tasks and continue to attend to my many other infosec duties.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

