Security Basics mailing list archives

Re: "It's ok we're behind a firewall"


From: "Chris Travers" <chris () travelamericas com>
Date: Sat, 22 Feb 2003 18:59:52 -0800

My own perspective is this---

Internal security is just *different.*  This is one of the reasons for the
firewall.  If a company didn't have a firewall, I am still convinced that
they would be at *far greater* risk to external rather than internal
threats.  But that doesn't address the following issues:

1:  Many companies have sensitive documents that need to be protected--
controlling access to these minimizes the chance of leaks.

2:  Would any executive want everyone in the company to have unlimited
access to sensitive information like corporate bank account numbers, credit
card numbers, etc.?

So we can establish the need for internal security.  My own preference is to
divide up areas into security zones and determine how each zone (logically
or preferably physically) is to be secured.  Are ethernet ports in
conference rooms a good idea?  Is the risk that they bring in acceptable?
What about wireless LAN?  What are the business benefits?  What are the
risks?

Also it is extremely important to remember that the entrepreneurs or execs
are the ones responsible for defining acceptable risk.  It never hurts to
keep people thinking about that-- and rather than saying "you have a
security problem," I usually say "Is this risk acceptable?  How does ___
benefit your business?  Would ___ work for you as well?"

Anyway, this is my $.02 worth.

Best Wishes,
Chris Travers

