<br><font size=2 face="sans-serif">Best Practices list,</font>
<br>
<br><font size=2 face="sans-serif">In working through a backlog of email,
I've noticed a number of private inquiries from people asking about whether
or not I think they'll really be able to help with the Best Practices project
given that they have limited knowledge in the field. Some are security
professionals just moving into VoIP... some are IT staff starting to gain
info about both VoIP and security.</font>
<br>
<br><font size=2 face="sans-serif">While I'll answer those inquiries privately,
I thought I'd just put a note out to the list in case anyone else is questioning
whether they'll add value.... </font>
<br>
<br><font size=2 face="sans-serif"> YES, *all* levels
of expertise will be needed to make this project a success. </font>
<br>
<br><font size=2 face="sans-serif">Obviously, if you don't have a strong
background in VoIP security, you probably cannot contribute to a detailed
discussion of which of the 13 methods for SRTP key exchange are most appropriate
or even whether such a thing needs to be discussed in this document (in
that particular example, it is probably be too fine a detail for what we
want to put in here, but you get my point), but you can add in these ways:</font>
<br>
<br><font size=2 face="sans-serif"> - If you are a security professional
moving into VoIP, you presumably have some experience/expertise in NON-VoIP
security areas and can bring that to bear if we get going down some rat
hole and you can say "Hang on, do you know that a similar problem
was solved in ______ by doing _______?" We all can be guilty
of having silos of knowledge and being able to draw from a wider pool of
knowledge is a wonderful thing.</font>
<br>
<br><font size=2 face="sans-serif">- If you are an IT administrator/staffer,
you can assist in ensuring that any best practices we list are grounded
in the *reality* of modern day IT. We do want our Best Practices
to really be Best *Common* Practices of what are people doing *today* and/or
what *can* they do with realistic budgets/resources/etc. Knowing
many of the people on this list, I don't think we'll get too "pie-in-the-sky"
and advocate practices that can only be done by buying really expensive
widgets with huge budgets... but you can help ensure that this doesn't
happen. Will the Best Practices we develop work in the current IT
infrastructure? Challenge ideas. Keep the rest of us honest.
</font>
<br>
<br><font size=2 face="sans-serif">- If you are a student, your input based
on what you are learning is definitely welcome... and hey, your first post-graduation
job may be at some company implementing some of the things we're documenting!
</font>
<br>
<br><font size=2 face="sans-serif">- If you are a non-technical user or
business/marketing type, your input on the document is also valuable...
one of the uses we know will be out there for the end document will be
to use it to help "sell" the decision internally to move to a
VoIP system. We've had people say "I wish there was a industry-neutral
doc that I could use to convince my CEO that VoIP *can* be securely deployed."
That *may* be one of the uses for this document (or at least an "Executive
Summary" of it). Are the appropriate parts written in the language
that works for the CxO set and/or other senior managers? Would it
help you sell an internal critic on VoIP? You can help us with those
kind of questions.</font>
<br>
<br><font size=2 face="sans-serif">I could go on, but I think my point
should be clear. At the end of the day, we're creating a document
with multiple audiences that ideally we want to be both accessible and
*useful* to people inside and outside of VoIP, security, management, IT
and even technology. It's a tall order... and we'll see how well
we execute on it... but in my mind if we are to succeed it will take a
lot of different viewpoints taking a look at whatever we create.</font>
<br>
<br><font size=2 face="sans-serif">My 2 cents on a Friday morning,<br>
Dan</font>
<br>
<br><font size=2 face="sans-serif">-- <br>
Dan York, CISSP<br>
Dir of IP Technology, Office of the CTO<br>
Mitel Corp. http://www.mitel.com<br>
dan_york@mitel.com +1-613-592-2122<br>
PGP key (F7E3C3B4) available for <br>
secure communication<br>
<br>
</font>