My IT Security Experiences (2)

in #cn, 7 years ago

In the last post I shared what we did as IT security engineers inside the company, or rather inside our workshop. This time I will cover our external work, the part done at customers' sites. Please bear in mind that all of this happened 18 years ago; I hope you still find it interesting even though it is old news.

Our external work was mainly:

  • Maintaining customers' IT security systems
  • Installing new IT security systems
  • IT security consultancy


IT security system maintenance

At that time most companies had no IT department of their own, and those that did were always short-staffed. So even a company with the money to install a security system had no budget to hire someone to maintain it. The usual arrangement was to outsource the maintenance to a contractor, which was us. Depending on the contract, the contractor might station an engineer at the customer's office full time, or it might only take calls on a hotline, log the case, and then send an engineer onsite. Most of the time we sent engineers onsite after receiving a call; in some rare cases we assigned dedicated onsite engineers.

Only after arriving onsite would we start looking for the cause of the problem and then fix it. Hardware faults we fixed by replacing the part; software problems we worked through onsite where we could. Some problems could not be solved on the spot and had to be escalated to the vendor; in those cases we had to put a temporary workaround in place straight away so the customer could keep operating until a permanent fix was available. Still, the most common problems were very simple ones, usually caused by the customer not running some routine housekeeping procedure. A typical case: nobody remembered to review the daily log files and delete the old ones, so the logs filled up the storage and the system stopped running.


In such cases we could usually sort things out in a few minutes, but we would spend more time checking the rest of the system before closing the case. This served two purposes: it prevented future failures, and it left the customer with the impression that the problem had not been all that easy to solve. Why? Because then the customer would not take the problem lightly, and when we reminded them to run those routine steps to keep the system healthy, they would actually remember. It also built our image as highly professional and capable; two birds with one stone!


New system installations

The preparation was covered in the previous post: we tested in our workshop first, then met the customer to discuss the installation arrangements. Apart from agreeing when the customer could shut down the existing IT system for us to do the installation, the most important thing was to get the customer's key user groups to come back after the installation, before the system went live, to test it together with us. This was the hardest part. Installations were usually done at the weekend and the final testing typically ran late into the weekend night, and naturally users did not want to come in to work at those hours. So staffing was the hardest problem to solve. Once that hurdle was cleared, the installation itself was usually nothing special.

The sharp-eyed among you may ask: "Didn't you say you finished testing in the workshop before arranging things with the customer? Why do the users still need to test again? Surely you weren't really testing in the workshop?"


Of course we were! But the tests we ran beforehand were designed from the information the customer gave us, for example "our accounting system uses this IP address and port 7777 on it". We built our tests around details like that, but there was no guarantee they were accurate. So to avoid any "surprises" after the installation, we always insisted that the customer's real users join us for a final test on the real production system.

Consultancy services

Finally, the consultancy work. Consultancy had no fixed scope: anything related to IT security that could not be tied directly to a physical product, and that the sales side had not yet packaged up as a product for sale, counted as consultancy. In other words, the pricing could be very "flexible"!


One project I handled personally was writing an IT security policy for a government department. In those days basically no company or organisation in Hong Kong had such a policy, and most did not even know what one was, so it was a very forward-looking move for that department to want one.

What did the job actually involve? Once I was assigned, the first thing was to agree a timetable with the customer: when I could meet the different user groups, when the draft had to be finished, when the presentation would be, and how much time there was after the presentation for revisions and final sign-off of the policy.

The whole job took about three weeks, of which only three or four days went into actually writing the policy; the rest was meetings and presentations. We had a good number of policy templates on hand, so instead of writing from scratch each time we only had to adapt one to the customer's environment and requirements, which is why the writing itself took little time. What took the most time was the negotiation afterwards over which clauses needed changing and which could not be used at all, an exhausting tug of war. If we had changed everything the customer asked for, the policy would basically have stopped protecting the customer; if we changed nothing, the customer would not accept it. In the end both sides' senior management had to step in before it was settled.


Why not simply change the policy to whatever the customer asked for and let them sign it off? Because the company's reputation was at stake. As I said above, if we had revised it according to the customer's wishes, the policy would have become useless for security and merely a burden to the customer. Once released, that policy would be seen as our company's product; if it did not work, outsiders would only conclude that our company was incompetent, and nobody would ever know the real reason. So we could not compromise easily and had to hold our ground.


I have written a lot without noticing. The other consultancy job, the security audit, will have to wait for the next post.

Image sources: 1, 2, 3, 4, 5, 6


My IT Security Experiences (1)


Of course you can't compromise, especially with bank customers!!

Good knowledge about IT

Interesting information, I like reading your work, you are a great writer, I invite you to see my new post where I share photos I took of different animals, greetings and hugs

Infosec is a big topic, personal data protection and all that :(

Personal data is only one part of the data that needs protecting.

But sometimes it feels so annoying!!! 冏

When I did this job, a lot of people on the customer side didn't like us.

When customers get into a rush, it really puts you in a tough spot~ :(

It was mainly because we kept recommending that customers tighten security, and tightening meant adding more rules that made things more troublesome for users. So the users didn't like us.

Yes!! And if the customer accepts the tightening and something still goes wrong, you'd be the first to take the blame!!

😭😭😭
