How to Create A Simple Security Regimen for Your Customers

Once such solutions are in place, you can set up a regular security schedule that lets you monitor your customers' current patch and update requirements, run regular security scans, and keep their systems up-to-date. You can also offer "emergency response" services, so that when specific threats or vulnerabilities that require immediate attention crop up, you can help your customers fend them off.

To do this kind of work, you must plan and perform initial security assessments, and sometimes even risk assessments, with your customers. This will lay the groundwork for managed security services. Once a suitable security posture is established, take inventory of the components in place that will need regular attention and occasional patches or updates. These include operating systems, firewalls, common applications, anti-virus software, and so forth. This is the planning part.

Next, by building custom profiles for each client, you can monitor all related pieces and parts for their client base. This is the watching or monitoring function. Next, you can perform regularly scheduled security monitoring,this is the scanning part,and updates, or schedule emergency responses as required,the patching part.

This regimen,plan, scan, patch, and guard,works well for small to medium-sized business clients and creates an ongoing work relationship between you and your clients. Regular interaction also provides a way to keep your relationship going, and to find more opportunities for additional sales and service revenues.

How can you enact this security service regimen? First, by starting with the necessary ingredients and tools. Let's take a look.

INGREDIENTS

For the initial assessment, planning, and security set-up phase, you'll need to acquire and use at least some of the following tools and techniques:

Paper or computer files to document the customer's current configuration, including systems and software, Internet link(s) in use, and current security settings and components (firewalls, spam blockers, adware blockers, and so forth). You also need to document the customer's important information assets and Internet presence, and capture information about the value of these assets.

A security scanning tool for your laptop or an online security scanning service to perform an initial evaluation of their current security posture. Be prepared to scan your customers' systems and networks, but also to scan their Web sites.

A report template to deliver your initial assessment and remediation advice to customers to establish a proper security posture. See Microsoft's security advisory Protect Your PC for key elements in a minimal set of required elements. You can use security-scan reports you'll accumulate during initial assessment scans to structure your customer report, and to provide much of its content.

An inventory form to capture descriptive information about systems, software, and security components either already in use or which you'll propose to establish good security posture. Be sure to capture name, version, updates already applied, and a URL for vendor information or update notification for each such item.

For the subsequent security maintenance work you'll do for clients, the following items may also be necessary:

A calendaring and scheduling program or service to notify you when it's time to perform routine scheduled scans and maintenance. For example, the calendar in Microsoft Outlook is probably sufficient as long as you have fewer than 100 customers.

A documented process or procedure whereby you'll sign up for security alerts, bulletins, and vendor notifications. In this way, you can determine when client updates will be needed. You can also decide whether they require an emergency response visit or can wait until the next scheduled update.

Remote control software lets you access customer systems and networks across the Internet. Examples include Symantec PCAnyWhere and NetOp Remote Control.

Sufficient disk space to maintain a collection of current patches, fixes, updates, and service packs. You'll want at least 2 GB to 3 GB of space available for such stuff; more is better.

Also, as you continue to use your scanning tools, you'll want to keep configuration records, system, software, and security component inventories up-to-date as you make regular and emergency customer visits.

Undoubtedly, as you learn more about your clients and their specific needs and situations, you'll find yourself adding one or more ingredients of your own to this list. The more you can pinpoint specific needs during initial assessment and ongoing maintenance phases, the better you'll be able to help clients keep their systems safe, secure, and running.

Now let's take a look at the steps needed to begin initial assessment and ongoing maintenance.

Getting started

Here's how to handle client needs as you work with them through the initial security-assessment phase

Step 1: Begin with a description of your various services and capabilities. Help your customers understand the value of a proper security posture. Schedule an initial meeting.

Step 2: Visit the client, and use interviews to develop as comprehensive a snapshot of their systems and networks as possible. You'll want to identify systems, networks, Internet links, and security components already in use. Don't forget to ask about laptops or other traveling computers, and about work-at-home systems as well. You'll want to use your inventory forms to capture information about each system, device, or component you'll be scanning or examining later.

Step 3: Scan your client's systems and networks, starting from the periphery and working your way in to internal networks. During the scanning process, document everything you find, particularly results where remediation is required or suggested. Also, identify patches, fixes, or service packs that need to be applied, and then rank them by priority.

Step 4: Once scanning is complete, it's time to inspect, analyze, summarize, and prioritize that data to create a customer report. In this report, describe the current state of security and all urgent vulnerabilities. Then provide a remediation plan. This plan should include a budget to cover related labor, plus any necessary hardware and software costs. If you need to perform a risk assessment to justify expenses, now's the time to do it.

At this point, you're done with the initial assessment and remediation phase. Now it's time to move on to regular maintenance and emergency responses. These will drive your ongoing client relationships once the initial phases are completed. As you read the following steps, remember that they're designed to be repeated on schedule or as-needed. Security is a process that never ends. It's not a "do it once, and it's over" activity.

Establishing a maintenance and emergency routine

Step 1: Sign up for security bulletins, alerts, and advisories from all vendors whose operating systems, software, hardware, and security components your customers use. To complement and augment vendor coverage, sign up for as many general security advisories as you have time to read, such as CERT, FedCIRC, and NTBugTraq. The idea here is to stay informed about patches, updates, and other items that must be installed to keep your customers' security current.

Step 2: Whenever security documents are released, examine them carefully for security coverage. Pay particular attention to patches and fixes. Consider putting off any items that are not critical, or that probably won't lead to major exposure to loss or harm, until the next scheduled security update interval occurs.

On the other hand, any critical items or vulnerabilities that could lead to major exposure to loss or harm must be scheduled for emergency response as soon as possible. You'll also want to download necessary files, tools, and so forth to a staging server or your laptop to make such files readily available. Alternatively, you can compile a list of bulletins or alerts where download links will make them easily and quickly accessible.

Step 3: Perform the scheduled updates as your customer schedules or contract obligations require. Perform emergency responses as needed.

Step 4: Schedule periodic client consultations. Typically, these happen around renewal time for service contracts. Use these meetings to review big-picture items and plans. A once-a-year general security audit is considered standard practice, as is the opportunity to work with clients as they plan for new platform adoptions, migrations, or other large-scale IT infrastructure changes. Your job is to evaluate their needs and plans, and to provide information and advice as it relates to security matters.

In general, providing security is an excellent business for system builders. It requires regular, frequent contact with your customers, and these meetings can lead to other additional work, both inside and outside the security realm. You need to understand your customers' growth and expansion plans, if only to ensure that new additions to their networks and systems meet security requirements and maintain proper security posture.

You may also consider offering your services to help with planned system additions, upgrade, and migrations as a way to remain involved in their environment. That makes it much easier for you to keep your inventory and configuration data completely up-to-date. It also ensures that security is an integral part of your clients' processes and activities, rather than an afterthought. That's good business for both of you.

ED TITTEL is a long-time computer technology writer, trainer, and consultant who specializes in IT certification and information security.