Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation

From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 5 Sep 2007 13:05:14 -0600

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU] 
Sent: Wednesday, September 05, 2007 12:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

Erm. No.  We don't want a perfectly secure system.  We want an
*appropriately* secure system.  At some point, the costs of better
security outweigh the benefits.    <<JD - Absolutely correct.  Perfectly
secure has no value as value often derives itself from risk. >>

And the sysadmins actually realize it at a gut level, even if they can't
spell it out - that's why they tend to say "here comes the security geek
with a bunch of silly rules and dumb restrictions".  Because quite
often, they *know* that some of the requirements don't make much
difference in *real* security.     <<JD - Sometimes, but more often it
is the grunge and unexciting work that no one wants to do OR the stuff
they would do if they weren't measured along some other performance
line.  The art of evaluating logs (for ex.) has been a bane on security
personnel since the first log was spooled, and even with today's tools
it appears to be a painful, sometimes boring, mostly inexact science to
an outsider like myself.  That does not mean it has no value. I've seen
numerous stupid security requirements leveled by over-zelous security
folks and auditors that do not do the impact assessment and risk
analysis, but I've seen way, way more security tasks avoided simply
because they were too difficult and they stole resources from the
admin's favorite pet project.  Very few really want to do the grunge
work of "true security" as you called it. >>

Of course, deciding what a "sufficiently high" level of security should
be
for a given system is a whole *different* can of worms.. ;)    <<JD -
Double AMEN to that, it is why I have mentioned and asked for the
specific counter arguments, so we can see whether or not the testing
requirements are beyond the norm of reason or if the admins are just
interested in the fun part of their work.  (We auditors rename this
control environment, but I like to call it culture.)  Simple asset
evaluation and threat consideration can't be ignored without negligence
resulting. >>

JD

Current thread:

Re: Pre Production System Accreditation, (continued)
- Re: Pre Production System Accreditation St Clair, Jim (Sep 04)
- Re: Pre Production System Accreditation Gary Dobbins (Sep 04)
- Re: Pre Production System Accreditation St Clair, Jim (Sep 04)
- Re: Pre Production System Accreditation Shane Bishop (Sep 04)
- Re: Pre Production System Accreditation Jones, Dan (Sep 04)
- Re: Pre Production System Accreditation Jim Dillon (Sep 04)
- Re: Pre Production System Accreditation Dan Johnson (Sep 05)
- Re: Pre Production System Accreditation Jim Dillon (Sep 05)
- Re: Pre Production System Accreditation Dan Johnson (Sep 05)
- Re: Pre Production System Accreditation Valdis Kletnieks (Sep 05)
- Re: Pre Production System Accreditation Jim Dillon (Sep 05)
- Re: Pre Production System Accreditation Chad McDonald (Sep 05)
- Re: Pre Production System Accreditation Dan Johnson (Sep 05)
- Re: Pre Production System Accreditation Valdis Kletnieks (Sep 05)
- Re: Pre Production System Accreditation Dan Johnson (Sep 06)
- Re: Pre Production System Accreditation Ken Hanna (Sep 06)