Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 17 Mar 2010 11:23:13 -0400

I would further argue that any checklist or risk assessment should forego
asking specifics about the firewall and ask something to the effect of: "Is
network ingress limited to only required business needs, and are these needs
evaluated for risk prior to implementation?"

Back to the original question... Yes, individuals are sometimes "right" when
they ignore security advice because they have more current and focused
business information to make a risk decision.  However, I expect most
instances of ignoring security advice are "wrong" because individuals
typically lack a sufficient understanding of information security risks to
make an educated risk decision.  Not a lot of people have sufficient
knowledge of both sides of the equation to make "right" decisions.  We try
to improve the odds of a "right" decision by raising security awareness, but
that only goes so far; and we have to recognize that sometimes the "right"
decision isn't the one that favors information security.

Brad Judy

Emory University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Wednesday, March 17, 2010 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On Wed, 17 Mar 2010 08:54:47 EDT, "Mclaughlin, Kevin (mclaugkl)" said:
Really?  They are considered best practices, common knowledge, the way
to do things, (pick your semantic here), etc.  because a lot of folks
(smarter than I am, I bet) spent the time to analyze, research and
come up with a best practice and that's how NIST, ISO, COBIT, etc. get
produced.

There are a few actual "best practices" out there.  However, in practice they
tend to be swamped by the wave-a-dead-chicken voodoo security checklists
often seen in the hands of clueless auditors.

There's only a limited number of times you can sit through a security audit
that has "Do you have a firewall?" as a checkbox item but does *not* have
"Is it actually installed/enabled?" and "Has anybody actually configured
it?" checkboxes before you start screaming "The Stupid, It Burns!".

You say you haven't seen that yet?  Then there's still hope for you. Run and
escape while you still can. :)