Kaseya Community

Prospect asking if we have a written policy for handling security breaches

  • We have a small advertising agency prospect with 10 users, 7 in Maryland and 3 in Florida. The prospect's boyfriend is apparently in the government IT world. I was able to answer the first 20 or so techie questions which she/he emailed over regarding our service, tools, and procedures. Sigh.

    However, I am stuck on this one...

    The prospect is asking if we have a written policy or procedure for handling "security breaches" and if so, "Are these procedures available for inspection with sensitive information redacted?"

    I'm afraid I'm going to get flamed here but we don't have such a policy.

    Anybody know of any policies out on the net or have any advice?

    Thanks,

    Ray

    Legacy Forum Name: Prospect asking if we have a written policy for handling security breaches,
    Legacy Posted By Username: akus1
  • My first thought is this client would become a PIA client (not worth it). Run, Forrest, run!!!

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: boudj
  • I second that. 10 machines and jumping through hoops before you have them as a client. Imagine when they do become clients. All customers are valuable; I would ask them if they are prepared for the extra cost for the extra software and hardware needed to satisfy their security needs. If not, run fast.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: gdoubinin
  • Thanks guys. Yep, I hear ya. The thing is that it's the prospect's boyfriend, who doesn't work there but is "helping" with the vendor selection. By sending her emails to send to me. Hmmm. I'll call and ask her if there's anything I need to know about their security. Assuming there's nothing out of the ordinary, I'll essentially ask her to trust us, our history, and our referrals.

    Ray

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: akus1
  • Wow, what a tool. Email that guy a link to a site that will get him canned from his super important government job.

    I dislike people that act big.

    (/rant)

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: saybrook
  • I would have to agree with boudj, on top of which you'll probably have this person's boyfriend doing penetration tests on your client without your express consent, and probably theirs too, which could be bad for you.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: thirteentwenty
  • The real question your prospect is asking is "What processes do you have in place to protect my sensitive info once I put it in your hands?" It's a question around risk/security.

    I'd be forthcoming in saying that you don't have a written policy for dealing with security breaches, but also tell them you've never had one (if you haven't) and back it up by saying that the nature of your business, being smaller, means you would personally deal with something of that nature and that a written procedure would be too broad to cover all scenarios.

    I'd also provide her with a list of things that you are actually doing to protect the info, e.g. protecting your own network, changing passwords as your staff leave, encrypting all passwords in SSL or other encryption as they're transmitted over networks, protecting all her company data behind passworded systems, etc.

    Show that you take proactive security steps and the real question is easily answered.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: tbone2345
  • Thanks all. I essentially did what tbone2345 said. We'll see what happens. I like the prospect herself and I know we'd get them all straightened out. It's ironic that they're a mess now.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: akus1
  • The guy's not necessarily being a tool, that sounds like one of the standard questions in an audit (PCI being one I'm familiar with - Payment Card Industry). If the prospective client has any dealings with credit card numbers being stored anywhere in their system, this is a totally reasonable question, since they'll be asked it themselves eventually.

    And, as an earlier commenter pointed out, it's a good question to ask in this untrusting world... Security measures are only a pain until you've had a breach without them; and breaches happen for any number of reasons, even when they "shouldn't".

    my .02

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: Matthew Bartels
  • Which you already have, just not written down most likely. Basically, when you are alerted to a problem (by monitoring, or client request) you log the incident, assign it an appropriate priority and assign it for work. If they are a compliant industry, or want to be treated like one, quote them a managed IPS/IDS/firewall solution w/ 24x7 monitoring, alerting and remediation. That'll run about $1200 from us each month. After all, if they are concerned w/ security incidents, that must mean they have infrastructure in place to actually protect and alert when there are potential problems.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: tswartzman