Create a Simple Security Regimen

So where do you begin? First, sit down with your customers to understand the risks they face and their security needs. You'll want to identify systems, networks, Internet links and security components already in use, taking inventory of the components that will need regular attention and occasional patches or updates, such as operating systems, firewalls and antivirus software. Don't forget to ask about laptops and work-at-home systems. Next, scan your clients' systems and networks, starting from the periphery and working your way in to internal networks. Document everything you find, particularly results where remediation is required or suggested. Also, note patches, fixes or service packs that need to be applied. Rank them by priority.

Now it's time to create a customer report in which you describe the current state of security and all urgent vulnerabilities. Then provide a remediation plan, which should include a budget to cover related labor, plus any necessary hardware and software costs. If you need to perform a risk assessment to justify expenses, now's the time to do so.

At this point, it's time to move on to regular maintenance and emergency responses. Here's what to do, step-by-step.

• Step One: Sign up for security bulletins, alerts and advisories from all the vendors whose operating systems, software, hardware and security components your customers use. What's more, sign up for as many general security advisories as you have time to read, such as CERT, FedCIRC and NTBugtraq. The idea here is to stay informed about patches, updates and other items that must be installed to keep your customers current.
• Step Two: Whenever security documents are released, examine them carefully for security coverage. Pay particular attention to patches and fixes. Any critical items or vulnerabilities that could lead to major exposure or to loss or harm must be scheduled for emergency response. You'll also want to download the necessary files and tools to a staging server or your laptop so they're readily available.
• Step Three: Perform the updates scheduled by your customers or as contract obligations require you to. Perform emergency responses as needed.
• Step Four: Schedule periodic client consultations. Use these meetings to review big-picture items and plans. A once-a-year general security audit is considered standard practice, as is the opportunity to work with clients as they plan for new platform adoptions, migrations or other large-scale IT infrastructure changes.

In general, providing security is an excellent business for systems builders. It requires regular, frequent meetings with your customers, which can lead to additional work. Make sure you understand your customers' growth and expansion plans, if only to ensure that new additions to their networks and systems meet security requirements.

You may also consider offering your services to help with planned system additions, upgrades and migrations. That makes it much easier for you to keep your inventory and configuration data completely up-to-date. It also ensures that security is an integral part of your clients' processes and activities. And that's good business for the both of you.

Ed Tittel is a consultant who specializes in IT certification and information security.