March 16, 2006

Follow up to my Small Business Summit presentation on the 5 Rules of the Regulatory Process

In what had to be my worst presentation in YEARS I just finished presenting on the 5 Rules of the Regulatory Process for Microsoft at the Small Business Summit.

I swear I was rambling incoherently at times as I tried to keep LiveMeeting going. *sigh* Sorry about that. I really should have practiced using LiveMeeting before I went and did this in front of an audience of over 300 people.

Not as much a technical problem as trying to keep a Level 100 presentation on track without diving into detail while keeping the slides in sync. I found myself spending more time refraining from using infosec terms in an effort to keep it focused on the BDM (business decision makers) of small business rather than IT professionals who have experience in infosec. And stupid me should have used my own slides instead of worrying about LiveMeeting.

Anyways, I promised I would provide the Q and A on my blog, and to not disappoint... that is what this post is about. Susan was AWESOME in answering much of this as I presented... so you will find her common theme as the SBS diva throughout :) In some places where we didn't get to respond to the question, I hope I am able to do that now. If I missed anything... feel free to leave a comment.

I also promised to provide some more info on some of the standards, and I will do that in a follow up post.

I would have posted the raw QA logs, but a LOT of the questions were really about technical difficulties that attendees were having at the Small Business Summit. Apparently some people were getting HUNDREDS of survey questions via email from previous presentations and felt that my presentation was the time to vent their frustration. Luckily Maryamie (Robert Scoble's wife) was the moderator and took care of all those questions for me! Thanks Maryamie! I'll make sure I bring down a bottle of Gewürztraminer and some applewood smoked cheese when I come down to see you and Robert next time. :)

As promised here are the highlights from the QA session:

Questions >>>

Q: How many have joined the seminar? I don't see the listing.
A: We have about 300 people.

Q: Can you cover a little bit about PCI (Payment Card Industry) Compliance and how it affects small businesses?
A: Dana won't be talking quite that specific, but right now Visa and Mastercard have yet to apply PCI down to the small businesses. Look for changes in this going forward though.
Dana's Followup: You can check out Martin McKeay's view on how these 5 Rules CAN apply to the PCI Data Security standards.

Q: Would you elaborate on steps to establish a full GLBA compliance program for a bank?
A: This web cast won't be going that deep a dive into GLBA compliance steps. Rather this is more of an overview of the regulatory process. I'd recommend that you contact a compliance auditor to assist you in setting up a program.

Q: Is there a site to go to to find out what the rules are for a web business?
A: This webcast is an overview of the kinds of regulations that affect many businesses, not just web sites.

Q: With today's hackers, why not have more security than needed? Isn't more better?
A: There's a balance between security and business that has to take place. You just need to be "secure enough" (answered by a fellow small business person and not Microsoft). Too much security and it gets in the way of business (like Dana just said).
Dana's Followup: Remember that security is about risk mitigation, and not risk avoidance. The goal is to reduce risk to acceptable levels for YOUR business: to make it "secure enough" against the risks you believe exist to your business.

Q: Is Sharepoint a program that works with Microsoft Office? I am trying to set up a document control system in accordance with an aerospace quality standard.
A: Sharepoint (which is included in SBS 2003) works the best with Office 2003 but can work with other Office versions.
Dana's Followup: Depending on the regulatory requirements for that industry, Sharepoint may not be enough. You may want to look into Microsoft's Rights Management Services. Note that RMS != DRM, as many people believe. It's worth looking into if you want information protection technology that supports individual rights management.

Q: What medium works best with Shadow Copy? HD? USB-HD? Tape?
A: Volume Shadow Copy works best with a hard drive, but it can also be used on an external USB hard drive. It does not work with tape, as it's a live "snap" of the data.

Q: Where could I go to get more info on how to audit using GPOs?
A: Inside the Small Business Server 2003 console is the GPMC; you can export the server's group policy settings from that and review them. I would also recommend checking out MS's scripting site.
Dana's Followup: You can check out this TechNet article on how to apply or modify auditing policy settings for an object using Group Policy.

Q: What products should we use for authentication?
A: The basic products of desktop and servers give you NTLM authentication, which works great for small businesses.
Dana's Followup: Authentication comes in many means. On top of the native authentication mechanisms available in Windows, I would consider two-factor authentication systems if you are requiring users to access sensitive information remotely. EVEN if you can trust the remote host (which I argue you cannot always do at this point in time), the one-time passwords (OTP) will help assure that malware that may obtain passwords is rendered useless. Companies like CryptoCard have products that fit well in the small business space and are much more affordable than their enterprise counterparts.

Q: I use Office Professional, not SBS 2003. Can I still get it?
A: With Sharepoint you need a server. (I'm a small business owner answering this question.. I'd recommend SBS if you want Sharepoint)

Q: Will Office Live provide something like Remote Web Workplace as a way to have secure Information Availability?
A: Office Live gives similar functions... but there's nothing like Remote Web Workplace to provide secure remote access to data on your desktop and server.

Q: What size HD is best with Shadow Copy? 200GB+?
A: Whatever size you can afford. Here at my office I have a 160 gig LaCie hard drive for my volume shadow copies... I snap every hour on the hour.

Q: What is Remote Web Workplace?
A: It's a secure web based portal to get back to your server and your desktop that's only in the Small Business Server 2003. Google on Remote Web Workplace and check it out.
Dana's Followup: In my opinion (and that of many SBSers out there), this is THE killer app from Microsoft... and it is only available in SBS 2003.

Q: Could I operate with SBS 2003 as my only server in a SOHO LAN? Would that be the place to add Active Directory?
A: SBS 2003 is designed to be the perfect first server.. it MUST run Active Directory... so YES. (an SBS owner here)

Q: Where would I find the risk assessment tool he just mentioned?
A: MSAT and MBSA are available on the web ...google it or see the link in the PDF
Dana's Follow Up: MSAT link=https://www.securityguidance.com/, MBSA link=http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

Q: When is SBS R2 available?
A: "Sometime this summer" is the word from yesterday's webcasts

Q: How can I request to BETA or Community Test the R2?
A: I believe there will be a notice posted on the SBS R2 site... but I'll post a follow up on my SBS blog (see www.sbsdiva.com).

Q: Is there a site I can go to that will tell me what regulatory practices or laws I should be checking my system against?
A: What industry are you in? There's unfortunately not a 'standard' out there. You have to find what regulations cover you.
Dana's Followup: The attendee was part of a tax firm in California. As such standards like GLBA and SB1386 would come into play here.

Q: Are there overviews of how to be HIPAA and SOX compliant?
A: Again, that's a huge question... HIPAA and SOX are 'by design' vague.
Dana's Followup: In a followup post, I will link to some good resources you can read that can help you down this path.

Q: Does SBS have auto backup capabilities?
A: Yes it does... RUN THE BACKUP WIZARD (sorry, yes, I'm shouting) and you can back up to tape or hard drive, and there's a daily email that confirms the backup.

Q: Can you discuss what you know about Law Firm compliance ?
A: Look at the confidentiality of the data. Think in terms of what's the best to keep that data safe.

Q: What kind of firewall and anti-virus is the best to use?
A: Pick one. And then keep them updated and monitored.
Dana's Followup: Great answer Susan. It's not as important WHICH software you use, as most of them perform well these days. It's making sure that signatures are up to date and that systems properly use them.

Q: Does Microsoft have a testing site to actively test whether or not encryption/security meets certain standards?
A: Normally software indicates what encryption it is... DES, Triple DES, etc... what do your regulations specify?

Q: Can you back up to other things besides tape?
A: Absolutely. I use a USB hard drive here. I don't use tape.
Dana's Followup: These days, I recommend AGAINST tape and prefer other data sources like USB hard drives and offsite backup services. Tapes fail WAY too much (some people say over 70% of the time) and are just not managed well for small business.

Q: Is there anyplace to get any good risk assessment templates?
A: MSAT and MBSA are excellent resources.

Q: Is there one list that can be used to find out what regulations apply to an organization or industry?
A: Unfortunately not..when you find it...can you let me know?
Dana's Followup: Me too!

Q: Our company recently had to become PCI compliant to be able to continue to process transactions online. It required a total overhaul of our server to keep up to date, and the standards are changing every couple of months. I thought maybe the audience would like a heads up that this does affect the way small businesses do ecommerce. Yes, I mentioned this earlier; I just think that it really can be a surprise for those considering going online with their business.
A: Currently it's my personal opinion (not MS) that the Visa/Mastercard PCI standards are too granular and not aware of risk management.
Dana's Followup: I tend to agree with Susan on this, but must admit that the PCI standard at least IS a standard helping to ensure CC transactions are completed safely. There are a LOT of shopping carts on the Net which are not following PCI and will eventually get weeded out over time.

Q: What can you tell us about the new Visa/Mastercard/Discover certification initiative? I understand it would require data encryption. What is the MS solution for small businesses?
A: At the present time, Visa and Mastercard do not have PCI standards that have come down to what I consider "small business"... yet... but it's coming. I personally (again, not MS opinion here) think that the current PCI standards are too restrictive and not Small Business aware. As small businesses, we need to try to impact these regulations as best as we can.
Dana's Followup: I understand Susan's point here, and she is right. However, with that said, I believe that PCI offers guidance to help ensure that things like strong crypto are used and that servers are locked down. I know when I was having to put my business through PCI so we could host online transactions, we went through a security audit for our own online server which required some changes that I didn't expect... such as ensuring only strong crypto (we used to allow a fall back if the client requested it, which we no longer support). I do know this... because we follow the 5 Rules of the regulatory process, we passed quite quickly once we addressed that one crypto issue in the SSL stream.
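The "no fall back to weak crypto" change is easy to state and easy to get wrong, so here is an added example (mine, not the configuration from the post's server, which the post does not show) of what the two sides of that audit finding look like in code. It uses Python's `ssl` module as a stand-in for whatever server stack is in front of the shopping cart; the constructed `LEGACY_SUITES` list stands in for the suite list of a server that still allows fallback, and the weak-suite tokens and the TLS 1.2 floor are my assumptions about what an auditor would flag today rather than anything the PCI standard of 2006 said verbatim.

```python
import ssl

# Name fragments that mark a suite an auditor would reject: no encryption,
# export-grade keys, RC4, single or triple DES, MD5 MACs, anonymous key
# exchange. (Assumed checklist, not a quote from any standard.)
WEAK_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")

# Constructed example of a legacy server's enabled suites: the "fall back if
# the client requests it" posture, where a downgrading client gets RC4 or
# export DES because they are still on the list.
LEGACY_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "EXP-DES-CBC-SHA",
]


def weak_cipher_names(names):
    """Return the suites from `names` that contain any weak token."""
    return [n for n in names if any(tok in n.upper() for tok in WEAK_TOKENS)]


def hardened_context() -> ssl.SSLContext:
    """A server context with no fallback path: TLS 1.2 as the floor and only
    forward-secret AEAD suites. A client that cannot do this is refused
    rather than quietly served a weaker suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
    )
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext):
    """Names of the TLS 1.2 and 1.3 suites the context would actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx: ssl.SSLContext) -> tuple:
    """What the auditor checks: (protocol floor is at least TLS 1.2,
    list of weak suites still enabled). An empty list is a pass."""
    floor_ok = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return floor_ok, weak_cipher_names(enabled_cipher_names(ctx))


if __name__ == "__main__":
    print("legacy server, weak suites:", weak_cipher_names(LEGACY_SUITES))
    print("hardened context, audit:", audit_context(hardened_context()))
```

Run against the constructed legacy list, the check flags `DES-CBC3-SHA`, `RC4-MD5` and `EXP-DES-CBC-SHA`; run against the hardened context it reports a TLS 1.2 floor and no weak suites. The design choice worth noting is that the hardened context removes the weak suites entirely instead of merely preferring strong ones, because a server that still lists a weak suite can be talked down to it by any client that claims nothing better.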

Q: What products work over a VPN?
A: Can you be more specific? Honestly, with SBS, I use RWW and don't use VPN these days.
Dana's Followup: Me too. Actually, by using RWW we never have to worry about configuring VPN clients or letting in IPSec/PPTP tunnels when they are not needed. This also gives us the benefit of a passive connection to the data which doesn't allow for a layer 3 connection. In this way, we don't have to deal with network bound attacks, since packets are simply not allowed through... even if the remote host is full of hostile malware.

Q: What type of anti virus do you use on SBS 2003? Norton does not work.
A: (Non MS here) I use Trend, but there's CA, Symantec, and Sophos for just some that install and work on SBS boxes.

Q: RWW requires a server which I do not have
A: (SBS owner here) buy SBS..you'll get RWW :-)

Q: Does using encryption on your business server mean that all files are encrypted? ..or are only certain folders encryptable, with encoders only on your LAN or WLAN?
A: Depends on how you set it up. I personally have it just on folders.

Q: Sounds like multiplicity is the watch-word to data protection? I use USB-HD plus copy to backup HD on desktop, plus use NTI Shadow Backup to backup to other desktop on network. What else would you add (on-site)?
A: I use VSS and hourly 'snaps', I backup to harddrive... the more paranoia the better :-)

Q: How does the BizTalk Server for HIPAA transactions help an organization meet both HIPAA and SOX compliance?
A: Honestly, I personally have not used BizTalk so I can't answer this (I don't see a lot of BizTalk and SBS boxes).
Dana's Followup: Like Susan, I have no experience with BizTalk. However, Microsoft does have some guidance, which you can find here.

Q: I heard that there is a flash-drive based encryption product that basically encrypts your whole hard drive. Have you heard of it? Seems this might be useful for laptops on the road. If you have heard of it, what's your (personal) take?
A: In Vista there is "BitLocker", which will be available in the Software Assurance version of Vista.. is that what you mean?

Q: Windows Storage Server. Where can I go for the communities and newsgroups?
A: http://www.microsoft.com/communities/newsgroups/default.mspx

Q: Is current version of RMS forward compatible with SBS R2?
A: I know the old RMS works on current SBS... come out to the SBS community for follow up

<<< End Questions

As I went through the question log, I noticed a lot of praise. I do appreciate that. And I apologize it wasn't smoother. Thanks for coming out and listening to my rambling!

Posted by SilverStr at March 16, 2006 01:17 PM | TrackBack
Comments

If you hadn't told us that you felt you were rambling all over the place, I don't think we'd have known. Look at it on demand when you get a chance. I can sympathize with it being awkward using LiveMeeting without some kind of practice first.

I was also going to compliment you for ending early and leaving lots of room for Q&A (something that has been characteristic of the SB Summit sessions I've seen). Of course, SBSdiva had done such a good job (and it was weird to get such solid answers while you were talking and we didn't know who was responding -- Maryam's good, but I don't think she's a compliance person, heh [;<).

If you think this was one of your worst presentations, I really want to see one that you think is your best. I'll have to find a button higher than 9 on the evaluation.

Posted by: orcmid at March 16, 2006 07:27 PM

I really didn't type all that stuff twice.

Posted by: orcmid at March 16, 2006 07:28 PM