Educause Security Discussion mailing list archives
Re: Pre Production System Accreditation
From: Dan Johnson <djj4 () UWM EDU>
Date: Wed, 5 Sep 2007 15:40:12 -0500
Hi Valdis,

You are correct, there is no such thing as a 'perfectly' secure system and eventually, (here comes that ROI that Jim mentioned...) the return does not match the cost. As well, there has been a lot of FUD going around about security. Unfortunately, in my haste, I have added to the FUD with 'perfect' security!

As to the level of security needed... um, does that mean I have to take my home computer down a few levels from the top level DoD specifications as outlined by NIST? Man, all that work... ;o)

(In all, very valid points!)

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI 53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget."
Thomas Szasz, The Second Sin (1973) "Personal Conduct"

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Wednesday, September 05, 2007 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

On Wed, 05 Sep 2007 12:35:14 CDT, Dan Johnson said:
Instead of adding more to the long message that this has become... the axiom provided is completely true. As security professionals, we all need to strive for the perfection of secure systems.
Erm. No. We don't want a perfectly secure system. We want an *appropriately* secure system. At some point, the costs of better security outweigh the benefits. And the sysadmins actually realize it at a gut level, even if they can't spell it out - that's why they tend to say "here comes the security geek with a bunch of silly rules and dumb restrictions". Because quite often, they *know* that some of the requirements don't make much difference in *real* security. Of course, deciding what a "sufficiently high" level of security should be for a given system is a whole *different* can of worms.. ;)