Archive for December, 2002
First Post
Objective: We are beginning this blog to address the issues and concerns of non-technology business executives and managers charged with developing and implementing a practical, cost-effective information security infrastructure.
Target Audience: Small/Medium sized companies and professional firms with 25-250 employees and revenues ranging from $2 million-$25 million. Individuals targeted include non-technology decision makers (CEO, CFO, Managing Director, Controller, Office Manager).
The Challenge: Many small organizations rely solely upon a firewall with a default configuration to provide information security. These organizations are significantly constrained by existing resources in their efforts to consider their information security needs. Our goal is to work with the small organization to gain a better understanding of information security management in order to set limited but clearly defined objectives that can be effectively implemented and continuously monitored (as opposed to fruitless attempts to mimic the comprehensive efforts of much larger organizations - efforts that are certain to be ignored or abandoned in a short period of time).
These organizations, limited as they are, must make clear decisions regarding what is and what is not feasible with regard to information security. In 99.9% of the cases such things as Intrusion Detection, Pen-Testing and Honeypots are clearly out of the question. But budget and big boxes are not all there is to information security. A great deal can be accomplished through attention to initial planning (solid firewall ruleset, hardened systems, etc.) and carefully considered policies and procedures (promote solid and consistent habits by administrators and users).