IT-Security in a nutshell
Through my long career as a security professional, i am still annoyed how complex and inefficient IT-Security most of the time is. You have legal requirements, frameworks, lot of regulations and very often you have lot of people involved. Very soon I have the feeling, that we produce lot of paper and meetings, but very little 'security'.
Don't get me wrong, you need some structure and a substantial documentation, but what is the minimum of complexity that you need, to make proper IT-Security?
Some thoughts
- IT-Security is thinking about responsibility, risks and costs.
- IT-Security is risk management.
- NistCSF is a good starting point as a meta framework
- wrap a good story around all
In a nutshell
Work In Progress
The idea is to use a wiki with templates for documentation
and integrate most of the needed tools in a very simple, flexible and easy adaptable form. It should give you an easy start, the necessary knowledge for the modules and the possibility to integrate
your prefered tools when necessary.
What we need:
- a wiki for documentation with easy to access the content (foswiki.org)
- asset management
- roles and responsibility
- configuration management
- IPAM
- DNS
- DHCP
- git
- ansible
- risk analyse / threat modelling
- monitoring
- ids
- logging
optional
- multi language
- firewall management
Form the book "Informationssicherheit und Datenschutz"