One of my clients recently mentioned to me that they are preparing for an annual inspection required by the regulations that govern their industry. One of the issues that they are dealing with is an expanded scope of due diligence with regard to their vendors; they are now being required to formally vet any vendors that have access to the data on their servers and workstations, and one of those vendors is me.
My consultancy is actually one of two vendors that has access to their data, but the other one is a very large company that supplies the vertical market software that my client uses in their industry. This other vendor is easily vetted – it’s a publicly traded company on the NASDAQ exchange, and there is a lot of easily-obtained information about it. On the other hand, my consultancy – which really means me – is difficult to vet. There is little information about me and my small business that is publicly available. I formed my business as a privately held, single member Limited Liability Company, or LLC, which is a “disregarded entity” for federal tax (IRS) purposes, so there are no publicly available tax records. The state (Maryland) maintains a publicly accessible record of my business’ existence, but it only states whether it’s in good standing with respect to my state tax payments.
Almost all of my clients are small, individually owned or family owned businesses, so I work directly with – or at least personally know – the owner. Because of those close relationships that I’ve cultivated over the years, I’ve gained the trust of the business owners for whom I work. This is an important point, because once they provide me with physical access to their systems and a root or administrator password, I have – in a very real sense – the keys to the kingdom. In most cases, I have – with my client’s knowledge and informed consent – set up secure remote access to their networks so that I can do system and network administration after business hours. And in a couple of cases I even have the keys to my client’s physical building as well as the code to disarm the alarm system.
So the more formal vetting required of this particular client started me thinking about how I might show a new or prospective client what I do to protect their data and the security of their network and systems. Why should they trust me with unfettered access to their most valuable data? The remainder of this article describes the approach and tools that I use to keep my clients’ data, networks and systems safe.
Personal Integrity
In today’s society it’s prudent to be somewhat skeptical and circumspect when it comes to trusting a new acquaintance. This is doubly true when it comes to trusting them with the lifeblood of your business. So I try to demonstrate personal integrity in everything that I do. I’m not prone to use coarse or profane language anyway, so it’s easy not to use it around clients. I try to be no more than 5 minutes late for appointments, and if I know I’m going to be late (even by only 5 minutes) I call the person I’m meeting to let them know (this is more courtesy than integrity, but both are components of character). I do not knowingly install or maintain pirated software – and my clients know it. I own up to the mistakes I make – if I have to return to a client’s office to correct a configuration error that I made, I don’t charge them for the return trip.
Encrypt Sensitive Data
Sensitive information absolutely, positively must be protected. When thinking about what information is sensitive, passwords, particularly passwords to privileged accounts, generally top the list. After passwords, some people draw a blank; after all, the passwords protect all of the other information, right? Well, no. While protecting passwords is necessary, it’s not sufficient. Other types of information that should be protected include network topology (including the addressing scheme for the internal LAN); the vendor, model numbers, and operating systems of network infrastructure devices (routers, firewalls, IDS/IPS, and switches); the vendor(s) and version(s) of the network or workstation anti-malware solutions; the vendor(s) and version(s) of any industry-specific software used, as well as the usernames or other account identifiers used by it; and details of any solutions or workarounds for problems with any of the above. I’m sure this is not an exhaustive list, and if you have anything to add, please leave a comment here so that we can all benefit.
I carry all of the above information with me when I visit a client’s site. I used to carry a manila folder with printed versions (some of which had hand-written changes on them), but I now carry an iPad and my Droid X phone instead. So how do I secure the information? I create encrypted PDFs with everything except passwords and then transfer them to the iPad. Then I create entries in the password manager (not saying which one I use) on my Droid X with both the password for the PDFs as well as passwords for the accounts that I use on my client’s computers and network gear. Finally, I store the PDFs and password data files in the cloud, using one of the many secure online storage vendors (again, not saying which one) so that they can be accessed anywhere I need them.
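Before copying a client’s documentation PDF to a phone or a cloud account, it is worth confirming that the file really carries an encryption dictionary and that it uses AES rather than the 40-bit RC4 of early PDF versions. The following Python check is an added example, not code from the original post; the sample documents are constructed stubs, and the parsing is a heuristic text scan rather than a full PDF parser.

```python
import re

# Constructed sample documents (not real client files): only the PDF
# structures the check inspects are present, so these are not viewable PDFs.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
RC4_40_PDF = (b"%PDF-1.4\n5 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 >> endobj\n"
              b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
AES128_PDF = (b"%PDF-1.6\n5 0 obj << /Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF\n"
              b"<< /CFM /AESV2 /Length 16 >> >> /StmF /StdCF /StrF /StdCF >> endobj\n"
              b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
AES256_PDF = (b"%PDF-1.7\ntrailer << /Root 1 0 R /Encrypt << /Filter /Standard /V 5 /R 6\n"
              b"/Length 256 /CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >> >>\n%%EOF\n")

def _encrypt_dict(data):
    """Bytes of the /Encrypt dictionary (last one wins: updates append trailers), or None."""
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if refs:                         # indirect object: locate "N G obj ... endobj"
        num, gen = refs[-1]
        m = re.search(rb"(?m)^\s*" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                      data, re.S)
        return m.group(1) if m else None
    m = re.search(rb"/Encrypt\s*<<", data)   # direct dictionary inside the trailer
    if not m:
        return None
    end = re.search(rb"startxref|%%EOF", data[m.start():])
    return data[m.start():m.start() + end.start()] if end else data[m.start():]

def pdf_encryption(data):
    """Classify: 'none', 'rc4-<bits>', 'aes-128', 'aes-256' or 'unknown' (heuristic scan)."""
    enc = _encrypt_dict(data)
    if enc is None:
        return "none"
    v = re.search(rb"/V\s+(\d+)", enc)
    v = int(v.group(1)) if v else 0
    length = re.search(rb"/Length\s+(\d+)", enc)
    bits = int(length.group(1)) if length else 40       # spec default is 40 bits
    cfm = re.search(rb"/CFM\s*/(\w+)", enc)
    cfm = cfm.group(1) if cfm else b""
    if v in (1, 2, 3):               # RC4; V1 is fixed at 40 bits, V2/V3 use /Length
        return "rc4-40" if v == 1 else f"rc4-{bits}"
    if v == 4:                       # crypt filters: AESV2 is AES-128, V2 is RC4-128
        return "aes-128" if cfm == b"AESV2" else "rc4-128"
    if v == 5 and cfm == b"AESV3":   # AES-256 (PDF 2.0 / Adobe extension level 3)
        return "aes-256"
    return "unknown"

def ok_for_cloud(data):
    """Policy gate before syncing: only AES-protected documents leave the laptop."""
    return pdf_encryption(data) in ("aes-128", "aes-256")
```

An /Encrypt dictionary alone does not prove a password prompt: a PDF protected with only an owner password (empty user password) opens without one, so still open the file and confirm it asks before uploading.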
Document Everything
Back in the day when I was still doing a lot of programming, I ran across a quote from some presumably famous coder (I don’t recall now who it was) that went something like, “comments in source code are there to explain to other programmers – or to yourself in 6 months – why you did what you did.” This also turns out to be applicable to system administration, so I make notes on everything I do with my clients’ networks, servers, workstations, telephones, databases, cabling, and anything else I change. I also make notes on anything that I take the time to decipher and understand. I do this for two reasons.
First, I realize that I’m mortal and that I could die or be totally incapacitated at any moment. It might not be pleasant to think about, but when you are the only person on the planet that knows and understands all of the details of your clients’ IT infrastructure, you owe it to them to make it as easy as possible for someone else to take over if it becomes necessary.
The second reason that I document everything is that I don’t remember every detail of every esoteric piece of hardware or software. So when I make a change, or even when I spend a few minutes – or more than a few minutes – to figure out how something is configured, I make a note so that I don’t have to do it all again if I need to make a change at some distant future time.