Educause Security Discussion mailing list archives
Re: Security vs. Business Process. Does Business Process trump Security Process?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sat, 4 Jul 2009 16:49:35 +1200
On 3/07/2009, at 4:07 AM, randy marchany wrote:
The recent thread on blocking email attachments reminds me of a discussion I had a couple of months ago on how IT sysadmins might be making our overall security posture worse by pursuing the wrong security strategy.
Great stuff Randy! I keep telling anyone who will listen: "Security *must* work for the folk at the coal face". It is all too easy to enact restrictions in the name of security that change the behaviour of people in undesirable ways. The other thing I repeat with out end is "That security is ultimately all about people". Corollary is that unless you have the people stuff right you can throw all the technology you like at the problem to now avail". The classic example of this is frequent changes of complex passwords that result in most users writing them down somewhere easily accessible. You will note my post in the email blocking thread. Before we started blocking email attachments we made sure that there was another way that people could easily transfer files. It also solved another problem, that of huge attachment that gave the mail system constipation.... People soon worked out that they could use the system to distribute a single (possibly large) file to a whole group of people in a reasonably secure manner with a single tiny email. Ah! one wrinkle in our 'blocking' strategy I did not mention is that we actually quarantine files and the users get an email which they can forward to the service desk to get the file released. THe combination of these two tactics to mitigate the adverse affects of our defensive strategy and has meant that we had almost no user reaction to the restrictions. Here is another example of this sort of thing: currently we are looking at technology to control p2p traffic, I am insisting that any solution include a system with a simple web page that *staff* can use to whitelist themselves and specific grad students who they are responsible for. We page would have a link to various policies (including the university's policy on copyright and details of various copyright deals that the university has entered into) and a button labelled "I have read the above policies and undertake to use university resources in keeping with the spirit of the policies" or something like that. What is the point of this? Well, in our case the limiting of p2p traffic is mainly a legal one around the issue of copyright infringements. Our lawyers tell us this effectively shifts any liability on to the staff member involved if the university can show that they breached policy. The reason for buying the technology is mainly to mitigate the legal risk, the web page allows legit use to proceed easily without reducing the effectiveness of the legal cover *and* without involving me in lots of work which the current system does. In short being very clear about exactly what risks you are trying to mitigate really is vital. Russell
Current thread:
- Re: Security vs. Business Process. Does Business Process trump Security Process? randy marchany (Jul 02)
- <Possible follow-ups>
- Re: Security vs. Business Process. Does Business Process trump Security Process? Joe St Sauver (Jul 02)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Stucky, David (Jul 02)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Gary Dobbins (Jul 02)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Jesse Thompson (Jul 03)
- Re: Security vs. Business Process. Does Business Process trump Security Process? Russell Fulton (Jul 03)