Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 17 Mar 2010 11:23:13 -0400
I would further argue that any checklist or risk assessment should forego asking specifics about the firewall and ask something to the effect of: "Is network ingress limited to only required business needs, and are these needs evaluated for risk prior to implementation?"

Back to the original question... Yes, individuals are sometimes "right" when they ignore security advice because they have more current and focused business information to make a risk decision. However, I expect most instances of ignoring security advice are "wrong" because individuals typically lack a sufficient understanding of information security risks to make an educated risk decision. Not a lot of people have sufficient knowledge of both sides of the equation to make "right" decisions. We try to improve the odds of a "right" decision by raising security awareness, but that only goes so far; and we have to recognize that sometimes the "right" decision isn't the one that favors information security.

Brad Judy
Emory University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Wednesday, March 17, 2010 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On Wed, 17 Mar 2010 08:54:47 EDT, "Mclaughlin, Kevin (mclaugkl)" said:

> Really? They are considered best practices, common knowledge, the way to do things, (pick your semantic here), etc. because a lot of folks (smarter than I am, I bet) spent the time to analyze, research and come up with a best practice and that's how NIST, ISO, COBIT, etc. get produced.

There are a few actual "best practices" out there. However, in practice they tend to be swamped by the wave-a-dead-chicken voodoo security checklists often seen in the hands of clueless auditors. There's only a limited number of times you can sit through a security audit that has "Do you have a firewall?" as a checkbox item but does *not* have "Is it actually installed/enabled?" and "Has anybody actually configured it?" checkboxes before you start screaming "The Stupid, It Burns!".

You say you haven't seen that yet? Then there's still hope for you. Run and escape while you still can. :)