[VOIPSA Best Practices] Note - ALL levels of expertise are needed for this project to succeed

dan_york at Mitel.com
Fri Dec 15 09:52:10 CST 2006


Best Practices list,

In working through a backlog of email, I've noticed a number of private 
inquiries from people asking about whether or not I think they'll really 
be able to help with the Best Practices project given that they have 
limited knowledge in the field.  Some are security professionals just 
moving into VoIP... some are IT staff starting to gain info about both 
VoIP and security.

While I'll answer those inquiries privately, I thought I'd just put a note 
out to the list in case anyone else is questioning whether they'll add 
value.... 

      YES, *all* levels of expertise will be needed to make this project a 
success. 

Obviously, if you don't have a strong background in VoIP security, you 
probably cannot contribute to a detailed discussion of which of the 13 
methods for SRTP key exchange are most appropriate or even whether such a 
thing needs to be discussed in this document (in that particular example, 
it is probably too fine a detail for what we want to put in here, but 
you get my point), but you can add in these ways:

 - If you are a security professional moving into VoIP, you presumably 
have some experience/expertise in NON-VoIP security areas and can bring 
that to bear if we get going down some rat hole and you can say "Hang on, 
do you know that a similar problem was solved in ______ by doing _______?" 
 We all can be guilty of having silos of knowledge and being able to draw 
from a wider pool of knowledge is a wonderful thing.

- If you are an IT administrator/staffer, you can assist in ensuring that 
any best practices we list are grounded in the *reality* of modern day IT. 
 We do want our Best Practices to really be Best *Common* Practices of 
what people are doing *today* and/or what they *can* do with realistic 
budgets/resources/etc.  Knowing many of the people on this list, I don't 
think we'll get too "pie-in-the-sky" and advocate practices that can only 
be done by buying really expensive widgets with huge budgets... but you 
can help ensure that this doesn't happen.  Will the Best Practices we 
develop work in the current IT infrastructure?  Challenge ideas.  Keep the 
rest of us honest. 

- If you are a student, your input based on what you are learning is 
definitely welcome... and hey, your first post-graduation job may be at 
some company implementing some of the things we're documenting! 

- If you are a non-technical user or business/marketing type, your input 
on the document is also valuable... one of the uses we know will be out 
there for the end document will be to use it to help "sell" the decision 
internally to move to a VoIP system.  We've had people say "I wish there 
was an industry-neutral doc that I could use to convince my CEO that VoIP 
*can* be securely deployed."  That *may* be one of the uses for this 
document (or at least an "Executive Summary" of it).  Are the appropriate 
parts written in the language that works for the CxO set and/or other 
senior managers?  Would it help you sell an internal critic on VoIP?  You 
can help us with those kinds of questions.

I could go on, but I think my point should be clear.  At the end of the 
day, we're creating a document with multiple audiences that ideally we 
want to be both accessible and *useful* to people inside and outside of 
VoIP, security, management, IT and even technology.  It's a tall order... 
and we'll see how well we execute on it... but in my mind if we are to 
succeed it will take a lot of different viewpoints taking a look at 
whatever we create.

My 2 cents on a Friday morning,
Dan

-- 
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp.     http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for 
secure communication
