About a decade ago, I was working for a small consulting firm, and trying really hard to fix the computers of my friends and family for free in my spare time. When I realized that was impossible, I needed a way to charge something for my time, and thus formed Friend and Family Tech. At this point, due to my career goals and interests, I don't take new customers at F&F Tech. This site exists mainly for my blogging pleasure.
Currently, I work as the information security officer for a small state authority of 750 computer users or so. I started with the organization as a network administrator, and, with a little help from my SIEM, now know our network better than anyone. While I do have great security support from upper level management, because we're small, I often find myself having to focus on operational problems.
This leaves me in a position of navigating both operational and security issues. In order to make things more secure AND improve operations, I focus my energy on security, IT Service Management and IT general controls. From a high altitude view, these three bodies of knowledge are very similar. With that said, I love Tim Proffitt's "Mother Of All Control Lists" (MOACL), and aspire to elaborate on it if I can ever stop fixing my friends' computers: https://www.sans.org/reading-room/whitepapers/compliance/meeting-complia....
If you browse Tim Proffitt's MOACL, it's easy to understand that all control frameworks, security standards, and IT service management methodologies are more similar than they are different. I find three main concepts intrinsic to them all:
- access control
- configuration standards
- change management
Security programs should start with what you already have: Your organization likely already has much of what it needs. Employee policies should make expectations clear; then, optimizing use of standard enterprise tools such as firewalls, group policy (complete with AppLocker and LAPS), SCCM, and your antivirus suite will help you win most security battles. Network monitoring and log aggregation are also crucial tools, so you can monitor how you're doing with the three bullet points above. This is how I designed my organization's security program without having to buy all of the whizbang tools and toys that litter the market.
Thanks for reading!