Security Basics mailing list archives

Re: RAID 5 drive replacement schedule


From: Adriel Desautels <adriel () netragard com>
Date: Wed, 25 Jun 2008 13:25:20 -0400

Philippe,
I think that this conversation has become too philosophical (mental masturbation even). The roles of an IT department depend on the entity in which the IT department exists. What people should do, and what people are actually responsible for are usually two different things.

With respect to CIA, it is not the end-all be-all definition to Information Security, IT Security, or any other form of security. It is a good acronym to help people remember important aspects of security, but in my opinion that's about it. (And no, I don't want to get into another CIA discussion.)

        

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45


Rivest, Philippe wrote:
The purpose of IT is to abide by the rules and decisions made by the data
owner (be it system or entity owner). No design should be done before you
know the classification of the data, simply because there may be no need for
redundancy or there may be specific needs.

You stated it backwards when you said:
- My thought is that at some point it comes down to system design and basic
IT considerations.

Also you are incorrect with this statement:
-Simplified it seems to me that the entire purpose of IT is to ensure
availability.

The purpose of IT is to respect the CIA in regards to the need of the company
or data owner, no more or no less. IT is only an organization that services
the needs of the data/system owner in a technological manner.


Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest () transforce ca
Telephone: (514) 331-4417
www.transforce.ca


-----Original Message-----
From: Nick Vaernhoej [mailto:nick.vaernhoej () capitalcardservices com]
Sent: June 25, 2008 10:16
To: Rivest, Philippe; security-basics () securityfocus com
Subject: RE: RAID 5 drive replacement schedule

Philippe,

I have been sitting here typing up one response after another, each time
ending up deleting the whole thing and starting over in an attempt to make
cases illustrating how availability is not always a security concern.

My thought is that at some point it comes down to system design and basic IT
considerations.
But this argument is inadequate. Just because it is within IT to design
redundancy it doesn't mean that it isn't a security concern.

My issue with this criterion is then, that it now sounds like IT is a subset
of security. Not an equal or the other way around.
Simplified it seems to me that the entire purpose of IT is to ensure
availability.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-  -----Original Message-----
-  From: Rivest, Philippe [mailto:PRivest () transforce ca]
-  Sent: Wednesday, June 25, 2008 8:26 AM
-  To: Nick Vaernhoej; security-basics () securityfocus com
-  Subject: RE: RAID 5 drive replacement schedule
-
-  I'm not too sure about which part of my previous post you think is up to
-  interpretation; if you could clarify, that would help.
-
-  But for your scenario:
-
-  If I understand correctly your scenario, I know it's a resume, but it is
-  flawed in the basic concept of availability.
-
-  If you have a safe box, with a door and a lock on it. Nobody can access
-  the box and it is only available to the key holder (hence confidentiality
-  and integrity could be assumed to be good). If this is the situation you
-  stated then here is the concern for availability. What if the key is lost?
-  What if the door lock is damaged and can no longer open?
-
-  If you go about to keep a second (back up) key pair, you would consider
-  this an availability safeguard. If you had another way to get in the room
-  with the box, that would also be considered a backup safeguard for
-  availability.
-
-  Hope this helped.
-
-  Thanks
-  Philippe Rivest, CEH
-  Internal Information Security Auditor
-  Email: Privest () transforce ca
-  Telephone: (514) 331-4417
-  www.transforce.ca
