Security Basics mailing list archives

RE: Security Simplification


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 21 Feb 2007 16:01:39 -0800

  Security is a trade-off, money/effort against risk.  Reading
between the lines, your VP is saying that *his perception of* 
the current stance is that the money/effort is too great and 
he believes that it can be reduced without increasing risk 
past acceptable levels.
  All of your current security measures SHOULD be aimed at
mitigating some risk to the business.  (Obviously, the first 
place to look for cuts is any measures that are not having 
this effect...)  So you need to identify places where the
mitigation being achieved is small, and confirm with him that
the risk associated with discontinuing those measures is 
acceptable.
  If you're lucky, you may find cases where some single measure 
can provide equivalent mitigation to what two or three measures
are currently achieving.  But it won't be an exact trade-off,
because such gains in *efficiency* usually sacrifice *depth*.

  It would help to know what part of the current security
arrangements he finds too complex.  There may be opportunities 
to shift some of the complexity between different constituencies,
such as between users and sysadmins.  What part of the picture
is he most focussed on?

David Gillett



-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of 
oligarchicalrule () gmail com
Sent: Wednesday, February 21, 2007 11:51 AM
To: security-basics () securityfocus com
Subject: Security Simplification

If you were told by a VP to simplify security for your 
organization, what do you think would be a starting point?  It 
seems vague.  We run Windows servers/desktops that are built 
on the same images.  We use Cisco switches/routers/etc.  I'm 
not really sure where to start.
