Educause Security Discussion mailing list archives
Re: Standards (was Re: SECURITY Listserv Instructions and Participation Guidelines)
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 8 Jul 2002 07:37:01 -0500
At 7:32 -0400 7/08/02, Laurie Zirkle wrote:
I don't believe that they would be mandated as "this or nothing else".
That is what a standard is. Standards are to be met, and metrics are available to measure compliance. Non-compliance, in the case of the proposed legislation, would be funding freezes or cuts. "Guidelines" give suggested practice for a particular application area. Unfortunately, I have not been successful in getting either SANS or CIS (actually, Alan) to accept that standards in the hands of the uninformed can do damage. Clueless managers (we all know 'em) will see a "standard" and mandate that it be followed.
It would have been the MINIMUM that needed to be done. If your site/machine/router was more tightened down, wonderful.
Yes, in conjunction with an IDS and some other things. However, it meant that we needed to "loosen" some elements that were in the "security standard" that CIS issued. If I were reporting on the MIS side of the house, I would have had to adhere to the "standard" and we would have a weaker position!
There were some of us here who had already gone above and beyond those guidelines before they were ever published. Did that mean we should undo what we had done? I think not.
Precisely what I meant by the problem of "standards."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/cg.html.