
Author Topic: Secure Server  (Read 4001 times)


Offline mgerics (Topic starter)

Secure Server
« on: September 17, 2009, 04:12:08 PM »
Hey all.

I work for a small manufacturing firm; I am the only person in the IT department.

As of yet, we are simply in the exploratory stage.

We are entertaining the idea of placing bids for government contract work.

One of the requirements for doing so is a separate, secure server for all data pertinent to any jobs we undertake.

I am looking for information on setting up a server to meet these needs.

Specifically, what would/might the government require as proof of a secure system, e.g. hardware, software specifications.

Currently we have a simple Windows server system, Symantec AV, Watchguard Firebox - nothing spectacular. I am looking to what would be needed above and beyond this to meet these needs, or any connections/links/sources one would use to investigate this.

Any insights would be appreciated. Thanks.
 

Offline tone007

Re: Secure Server
« Reply #1 on: September 17, 2009, 04:26:55 PM »
Generally the government has a pretty good idea of what they want, and each product in use has specific methods they'll outline for properly securing it, which they'll outline in configuration documents and often security templates you can apply.

Of course, you may not have access to those until you've secured a contract, and those are usually only rules for systems on their networks...

Best you can probably do is prevent unauthorized users from accessing the "secure" server, both physically and via permissions.  That and the standard security measures everyone should be taking (OS patches, antivirus updates) should be enough for systems that won't be interacting with sensitive networks.
3 Commodore file cabinets, 2 Commodore USB turntables, 1 AmigaWorld beer mug
Alienware M14x i7 laptop running AmigaForever
 

Offline motorollin

Re: Secure Server
« Reply #2 on: September 17, 2009, 06:12:23 PM »
To be blunt, information from a forum won't help you. The nature of the system and its security will depend on the government department, the nature of the contract, the intended purpose of the server, what the server needs to communicate with outside your own network, data protection legislation, and a multitude of other factors.

If you're serious about this, then your company needs project managers and some kind of customer liaison department to identify what the customer actually wants. Information on the requirements will be freely available to potential bidders *before* you secure the contract, since you need to know what you're bidding for (and whether or not you can deliver it).
Code: [Select]
10  IT'S THE FINAL COUNTDOWN
20  FOR C = 1 TO 2
30     DA-NA-NAAAA-NAAAA DA-NA-NA-NA-NAAAA
40     DA-NA-NAAAA-NAAAA DA-NA-NA-NA-NA-NA-NAAAAA
50  NEXT C
60  NA-NA-NAAAA
70  NA-NA NA-NA-NA-NA-NAAAA NAAA-NAAAAAAAAAAA
80  GOTO 10
 

Offline Matt_H

Re: Secure Server
« Reply #3 on: September 18, 2009, 12:59:37 AM »
The procurement document for whatever you're bidding on will hopefully specify what the system security specifications are (especially if it's an RFP or Procurement Contract). If not, there might be a Q&A session where you can ask prior to bidding.

You might also try looking at procurement docs that have already been released. Have a look around grants.gov, assuming you're US-based.

An industry peer would probably give you the best answer, such as someone who's already won a similar contract.
 

Offline TheMagicM

Re: Secure Server
« Reply #4 on: September 18, 2009, 01:30:06 AM »
Quote from: mgerics;523250
Hey all.

I work for a small manufacturing firm; I am the only person in the IT department.

As of yet, we are simply in the exploratory stage.

We are entertaining the idea of placing bids for government contract work.

One of the requirements for doing so is a separate, secure server for all data pertinent to any jobs we undertake.

I am looking for information on setting up a server to meet these needs.

Specifically, what would/might the government require as proof of a secure system, e.g. hardware, software specifications.

Currently we have a simple Windows server system, Symantec AV, Watchguard Firebox - nothing spectacular. I am looking to what would be needed above and beyond this to meet these needs, or any connections/links/sources one would use to investigate this.

Any insights would be appreciated. Thanks.


If it's for the govt and they are serious about securing their system, check and see what is an acceptable OS to use. Solaris is certified, then look up DISA STIG, that's a script I run on our servers every month to check how secure our setup is and to fix any CAT 1,2,3 issues.

Like the dude above said, you should have specs from the govt on what they are looking for, what software has been "blessed" to use on their network assuming the server will be installed on their network etc.
« Last Edit: September 18, 2009, 01:32:49 AM by TheMagicM »
PowerMac G5 dual 2.0ghz/128meg Radeon/500gb HD/2GB RAM, MorphOS 3.9 registered, user #1900
Powerbook G4 5,6 1.67ghz/2gb RAM, Radeon 9700/250gb hd, MorphOS 3.9 registered #3143
 

Offline odin

Re: Secure Server
« Reply #5 on: September 18, 2009, 09:05:39 PM »
Which government is this for?

Offline Boudicca

Re: Secure Server
« Reply #6 on: September 18, 2009, 09:59:36 PM »
Quote from: odin;523360
Which government is this for?

I was kinda curious on that too....The Government....Hmmmm...narrows it down to around 195 possible options. Not to mention is Earth the planet, this question is from. Mr Spock?  ;)

Shaz

PS The answer to your question depending on local laws if applicable, is yes. It is a very good idea to have a secure server if you are wishing to bid on government contracts, however the question of holding data especially holding any confidential data maybe often depends on the dataset being held, Programs and demo data is one thing, actual data with identifiable information that may lead to a breach, in this case the security may need to be far higher, e.g. no internet connectivity inside a "walled garden" or VPN tunnelling at a minimum of 256-bit AES encryption or even no live data at all or even a Citrix/RDP view of the data without any actual data being sent. In my area IG (Information Governance) is a whole minefield and probably best to seek guidance from a lawyer over data protection when drawing up System Proposals for bidding as you might have the greatest system since sliced bread but if it leaks like a sieve, the chances are you won't get the contract if the IG/Data Protection and Security isn't done right.
« Last Edit: September 18, 2009, 10:18:15 PM by Boudicca »
was Enterprise Vault (Its an Exchange Fail!), now its EMC Avamar, Dedupe for mostly everything including brain cells.
 

Offline persia

Re: Secure Server
« Reply #7 on: September 18, 2009, 11:19:37 PM »
I just assumed he meant Canberra, since everyone here does when they say "the Government."

Quote from: Boudicca;523364
I was kinda curious on that too....The Government....Hmmmm...narrows it down to around 195 possible options. Not to mention is Earth the planet, this question is from. Mr Spock?  ;)

Shaz

PS The answer to your question depending on local laws if applicable, is yes. It is a very good idea to have a secure server if you are wishing to bid on government contracts, however the question of holding data especially holding any confidential data maybe often depends on the dataset being held, Programs and demo data is one thing, actual data with identifiable information that may lead to a breach, in this case the security may need to be far higher, e.g. no internet connectivity inside a "walled garden" or VPN tunnelling at a minimum of 256-bit AES encryption or even no live data at all or even a Citrix/RDP view of the data without any actual data being sent. In my area IG (Information Governance) is a whole minefield and probably best to seek guidance from a lawyer over data protection when drawing up System Proposals for bidding as you might have the greatest system since sliced bread but if it leaks like a sieve, the chances are you won't get the contract if the IG/Data Protection and Security isn't done right.

What we're witnessing is the sad, lonely crowing of that last, doomed cock.
 

Offline adz

Re: Secure Server
« Reply #8 on: September 18, 2009, 11:22:20 PM »
Windows NT 3.1 Advanced Server, security through obsolescence :roflmao:
 

Offline mikeymike

Re: Secure Server
« Reply #9 on: September 19, 2009, 07:27:03 AM »
Or maybe they'll insist on Microsoft Word's Ultra-High Security Password-Protected documents!
 

Offline the_leander

Re: Secure Server
« Reply #10 on: September 19, 2009, 09:32:30 AM »
Quote from: mikeymike;523390
Or maybe they'll insist on Microsoft Word's Ultra-High Security Password-Protected documents!


Are those kind of like the PDFs with the redactions on?

:D
Blessed Be,
Alan Fisher - the_leander

http://www.extropia.co.uk/theleander/
 

Offline persia

Re: Secure Server
« Reply #11 on: September 19, 2009, 03:50:10 PM »
You might want to contact Macquarie Telecom, they do a lot of work for the Government.

http://www.macquarietelecom.com/