Educause Security Discussion mailing list archives
Re: Security vs. Business Process. Does Business Process trump Security Process?
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Fri, 3 Jul 2009 09:03:29 -0500
Stucky, David wrote:
Your comments fall right in line with what I tend to struggle with. I will tell people that security should not interfere with business, but business must be appropriately secure. I stress the fact that we must work together to find the right solutions to support business needs in an appropriately secure manner. As a sysadmin/security type it is important to remember you cannot eliminate risk; but you have to work hard to manage and reduce risk.
To bring this back to the topic of attachment blocking... The tactic I described earlier, of renaming the file and adding a warning to the message, strikes this balance quite well. It mitigates the security problem by forcing the user to rethink the consequences of opening the attachment. It also does not put an unreasonable burden on the business task.

Remember Randy's point that you can't prevent the user from doing something if they are determined. It is possible that the user's workaround to a strict security measure will cause them to introduce additional security or privacy threats. As an example, perhaps your users will work around your exe attachment blocking by enabling Windows File Sharing.

Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson () doit wisc edu