Security Basics mailing list archives
Re: security not a big priority?
From: Henry Troup <htroup () acm org>
Date: Thu, 15 Feb 2007 17:19:32 -0500
Is there any other risk assessment body anywhere in the administration that you could tie into? Every college or university I know has some form of campus security/police responsible for physical security. If there's a risk assessment process there, maybe someone external could warm your boss up to taking computer security seriously. Otherwise, just wait... a major incident will find you soon enough :-( -- Henry Troup htroup () acm org On Thu Feb 15 11:43 , "Francois Yang" sent: This is a community college, so I've sent an e-mail to my boss everytime there was news about a school being hacked and in every e-mail I've added comments on how they could have prevented being compromised. I even wrote a long letter describing why we need such things as IDS and what could happen if we don't have one. I also included a long list of schools that were hacked into in 2006. apparently that doesn't seem to be affective. I believe a major incident might be the only thing that will wake them up. We've had small ones, and even after catching the person and explaining how they got in and how to prevent it. Guess what...those systems are still up because they choose to leave them so they don't interrupt productivity. So yea that sucks. a system gets hacked into. I catch the cracker, and recommend some fixes and nothing gets done. system gets clean and put right back into production. WTF On 2/15/07, Jim Clark <diegoslice () gmail com> wrote:
As echoed many times on this list in the past, security is about managing risk. So the question becomes, what are the assets that are at risk if they are not secured and what damage would result if they were compromised? In my opinion, your boss needs to be educated about security. Perhaps doing some research about similar organizations that have had security lapses and what it cost them both in terms of dollars, time, and reputation would be a start. If any of the applications or systems were compromised or shut down, how would this affect the daily operations of the college? Perhaps this information would be enough to help prioritize some of the projects you have in mind. I would send the results of your research and conclusions to your boss via email (and cc others as appropriate) to leave a documentation trail. You don't want to become a scapegoat after a security incident occurs - and it's not a question of if but when. If you can prove that you were the lone voice screaming why security was important and what needed to be done in advance, perhaps you can escape the ugly aftermath of finger pointing relatively unscathed. HTH, Jim Francois Yang wrote:So I have a problem and like to know what you guys think. I'm a Security Analyst at an Education institute. A community college to be more precise. So I was brought on board to address security issues and work on making this place a better place. Now the problem is. 1. I'm in the network operation team. no security group. 2. My boss doesn't seem to know much about security. 3. My boss doesn't seem to think highly of security since all my projects seems to be of low priority. 4. I have a long list of things that needs to be done and they are all waiting for the engineers to work on it. But again they have better things to do. So what am I suppose to do? look for another job? :) anyone run into this problem before? I'm at the point where I'm not sure what to do. Thanks.
-- If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier
Current thread:
- Re: security not a big priority?, (continued)
- Re: security not a big priority? Isaac Perez (Feb 16)
- Re: security not a big priority? Aman Raheja (Feb 19)
- Re: security not a big priority? Sandip Wadje-Infosec (Feb 19)
- RE: security not a big priority? Tony UcedaVĂ©lez (Feb 21)
- Re[2]: security not a big priority? Adam Pal (Feb 23)
- Re: Re: security not a big priority? Anonymous (Feb 15)
- Re: security not a big priority? Francois Yang (Feb 15)
- Re: security not a big priority? crazy frog crazy frog (Feb 15)
- RE: security not a big priority? Nhon Yeung (Feb 15)
- RE: security not a big priority? Craig Wright (Feb 15)
- Re: security not a big priority? Henry Troup (Feb 15)
- Re: security not a big priority? saltynetguru (Feb 16)
- Re: Re: security not a big priority? Anonymous (Feb 19)
- Re: Re: security not a big priority? Jax Lion (Feb 19)
- Re: Re: security not a big priority? Alexander Bolante (Feb 20)
- Re: Re: security not a big priority? Jax Lion (Feb 19)
- Re: Re: security not a big priority? cwwoods (Feb 19)
- Re: security not a big priority? steve . dake (Feb 20)
- Re: Re: security not a big priority? mehtaharshal (Feb 21)
- Re: Re: security not a big priority? Jason P. Rusch (Feb 23)
- RE: Re: security not a big priority? David Gillett (Feb 26)
- Re: Re: security not a big priority? Jason P. Rusch (Feb 23)